fix: app lock trigger on navigation

Author: shaunwarman

src-tauri/tauri.conf.json

@@ -63,7 +63,7 @@
     "windows": {
       "certificateThumbprint": null,
       "digestAlgorithm": "sha256",
-      "timestampUrl": "http://timestamp.digicert.com",
+      "timestampUrl": "https://timestamp.digicert.com",
       "webviewInstallMode": {
         "type": "downloadBootstrapper"
       },

src/main.ts

@@ -71,6 +71,7 @@ import {
   isLockEnabled,
   isUnlocked,
   isVaultConfigured,
+  wasUnlockedThisSession,
   lock as lockCryptoStore,
 } from './utils/crypto-store.js';
 import {
@@ -733,14 +734,6 @@ routeStore.subscribe((route) => {
   if (route === 'settings') viewModel.settingsModal.open();
   if (route === 'calendar') viewModel.calendarView.load();
   if (route === 'contacts') contactsApi.reload?.();
-  if (mailboxMode) {
-    if (starfieldDisposer) {
-      starfieldDisposer();
-      starfieldDisposer = null;
-    }
-  } else if (!starfieldDisposer) {
-    starfieldDisposer = initStarfield();
-  }
 });
 
 function initKeyboardShortcuts() {
@@ -1286,7 +1279,11 @@ async function bootstrap() {
     updateRouteVisibility(route);
 
     // ── App Lock: show lock screen if enabled and vault is locked ──
-    if (isLockEnabled() && isVaultConfigured() && !isUnlocked()) {
+    // Skip if the user already unlocked in this tab session (survives page
+    // reloads within the same tab but not new tabs or tab close).  The DEK
+    // is lost on reload but the session flag lets us silently re-prompt via
+    // the inactivity timer path rather than blocking the UI on every navigation.
+    if (isLockEnabled() && isVaultConfigured() && !isUnlocked() && !wasUnlockedThisSession()) {
       await showLockScreen();
     }
 

src/stores/mailboxActions.ts

@@ -1,7 +1,7 @@
 import { writable, derived, get } from 'svelte/store';
 import Dexie from 'dexie';
 import { Remote } from '../utils/remote';
-import { Local, Accounts } from '../utils/storage';
+import { Local, Session, Accounts } from '../utils/storage';
 import { db } from '../utils/db';
 import { mailboxStore } from './mailboxStore';
 import { searchStore } from './searchStore';
@@ -1523,13 +1523,11 @@ export const signOut = async () => {
     // Set a flag for the fallback-recovery.js to delete IndexedDB on next page load
     // (the database may still be blocked by open connections on this page)
     localStorage.setItem('webmail_pending_idb_cleanup', '1');
-    // Clear ALL localStorage (not just webmail_ prefixed keys)
-    // Note: setItem above will be cleared too, but that's fine — the flag
-    // only needs to survive until the page navigates and fallback-recovery.js reads it.
-    // We re-set it after clear() to ensure it persists.
-    localStorage.clear();
+    // Clear only webmail-prefixed keys (preserves third-party localStorage on same origin)
+    Local.clear();
+    Session.clear();
+    // Re-set cleanup flag after clear (Local.clear removes it)
     localStorage.setItem('webmail_pending_idb_cleanup', '1');
-    sessionStorage.clear();
     accounts.set([]);
     currentAccount.set('');
 

src/svelte/LockScreen.svelte

@@ -52,11 +52,10 @@
     const prefs = getLockPrefs();
     maxLength = prefs.pinLength || 6;
 
-    // Check if passkey is available
+    // Check if passkey is available — show the button but don't auto-trigger
+    // the system biometric dialog, which is intrusive on every page load.
     if (prefs.hasPasskey && hasPasskeyCredential() && isWebAuthnAvailable()) {
       showPasskeyOption = true;
-      // Auto-trigger passkey prompt on mount
-      setTimeout(() => handlePasskeyAuth(), 300);
     }
 
     // Restore lockout state from sessionStorage

src/svelte/Mailbox.svelte

@@ -949,25 +949,27 @@ const stopVerticalResize = () => {
    * Outbox items may contain user-composed HTML that has not been
    * server-sanitized, so we must run DOMPurify before rendering.
    */
+  // Create a DOMPurify instance with the hook pre-registered so it isn't
+  // added repeatedly on every call to sanitizeOutboxHtml.
+  const outboxPurify = DOMPurify();
+  outboxPurify.addHook('afterSanitizeAttributes', (node) => {
+    // Strip all on* event handler attributes (covers onerror, onload, onclick, etc.)
+    for (const attr of [...node.attributes]) {
+      if (attr.name.startsWith('on')) node.removeAttribute(attr.name);
+    }
+    // Ensure links open safely in new tab
+    if (node.tagName === 'A') {
+      node.setAttribute('target', '_blank');
+      node.setAttribute('rel', 'noopener noreferrer');
+    }
+  });
+
   const sanitizeOutboxHtml = (html: string): string => {
     if (!html) return '';
-    return DOMPurify.sanitize(html, {
+    return outboxPurify.sanitize(html, {
       USE_PROFILES: { html: true },
       ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel|ftp):|[^a-z]|[a-z+.-]+(?:[^a-z+.-:]|$))/i,
       FORBID_TAGS: ['script', 'style', 'iframe', 'object', 'embed', 'form', 'input', 'textarea', 'select', 'button'],
-      HOOKS: {
-        afterSanitizeAttributes: (node) => {
-          // Strip all on* event handler attributes (covers onerror, onload, onclick, etc.)
-          for (const attr of [...node.attributes]) {
-            if (attr.name.startsWith('on')) node.removeAttribute(attr.name);
-          }
-          // Ensure links open safely in new tab
-          if (node.tagName === 'A') {
-            node.setAttribute('target', '_blank');
-            node.setAttribute('rel', 'noopener noreferrer');
-          }
-        },
-      },
     });
   };
 

src/utils/crypto-store.js

@@ -99,6 +99,8 @@ const isSensitiveLocalKey = (key) => {
   return false;
 };
 
+const SESSION_UNLOCKED_KEY = 'webmail_lock_session_unlocked';
+
 let _sodium = null;
 let _dek = null; // Data Encryption Key - held in memory only while unlocked
 let _initialized = false;
@@ -286,6 +288,11 @@ async function createVault(kek) {
   _dek = dek;
   _enabled = true;
   _initialized = true;
+  try {
+    sessionStorage.setItem(SESSION_UNLOCKED_KEY, '1');
+  } catch {
+    // ignore
+  }
 }
 
 /**
@@ -312,6 +319,13 @@ async function openVault(kek) {
     _dek = dek;
     _enabled = true;
     _initialized = true;
+    // Mark this tab session as unlocked so in-app page reloads
+    // don't re-prompt (cleared on tab close by sessionStorage).
+    try {
+      sessionStorage.setItem(SESSION_UNLOCKED_KEY, '1');
+    } catch {
+      // ignore
+    }
     return true;
   } catch {
     // Wrong PIN / passkey — decryption failed
@@ -359,6 +373,12 @@ function lock() {
     }
     _dek = null;
   }
+  // Clear session unlock flag so the next page load shows the lock screen
+  try {
+    sessionStorage.removeItem(SESSION_UNLOCKED_KEY);
+  } catch {
+    // ignore
+  }
 }
 
 /**
@@ -368,6 +388,20 @@ function isUnlocked() {
   return _dek !== null && _enabled;
 }
 
+/**
+ * Check if this tab session was previously unlocked (survives page reloads
+ * within the same tab but cleared on tab close).  Used by bootstrap to
+ * avoid re-prompting the lock screen on SPA-style page reloads where the
+ * in-memory DEK is lost but the user already authenticated.
+ */
+function wasUnlockedThisSession() {
+  try {
+    return sessionStorage.getItem(SESSION_UNLOCKED_KEY) === '1';
+  } catch {
+    return false;
+  }
+}
+
 /**
  * Check if encryption is enabled and initialized.
  */
@@ -845,6 +879,7 @@ export {
   isVaultConfigured,
   isLockEnabled,
   isUnlocked,
+  wasUnlockedThisSession,
   isEnabled,
   getSodium,
 

src/utils/sync-bridge.js

@@ -143,9 +143,13 @@ export async function destroySyncBridge() {
 function _sendViaSW(payload) {
   if (!navigator.serviceWorker?.controller) {
     // SW not yet active — queue for when it is
-    navigator.serviceWorker?.ready?.then((reg) => {
-      reg.active?.postMessage(payload);
-    });
+    navigator.serviceWorker?.ready
+      ?.then((reg) => {
+        reg.active?.postMessage(payload);
+      })
+      .catch((err) => {
+        console.warn('[sync-bridge] SW ready failed:', err);
+      });
     return;
   }
 

src/utils/websocket-client.js

@@ -29,7 +29,6 @@ import { config } from '../config';
 let unpack = null;
 let pack = null;
 let msgpackrAvailable = false;
-let msgpackrInitialized = false;
 let _initPromise = null;
 
 /**
@@ -297,9 +296,8 @@ export function createWebSocketClient(opts = {}) {
     cancelReconnect();
 
     // Ensure msgpackr is initialized (once) if the client wants it
-    if (wantsMsgpackr && !msgpackrInitialized) {
+    if (wantsMsgpackr) {
       await initMsgpackr();
-      msgpackrInitialized = true;
     }
 
     const url = buildURL();
@@ -311,15 +309,18 @@ export function createWebSocketClient(opts = {}) {
     console.info('[ws] Connecting...');
 
     try {
-      // Browser WebSocket doesn't support custom headers.
-      // For Basic Auth, we encode credentials in the URL (user:pass@host).
-      let connectURL = url;
-      if (opts.email && opts.password) {
-        const parsed = new URL(url);
-        parsed.username = encodeURIComponent(opts.email);
-        parsed.password = encodeURIComponent(opts.password);
-        connectURL = parsed.toString();
-      }
+      // NOTE: Browser WebSocket API does not support custom headers, and
+      // modern browsers no longer send an Authorization header from URL
+      // userinfo (user:pass@host) on WebSocket upgrade requests.
+      // The server's _authenticate() exclusively reads basicAuth(request)
+      // from the Authorization header, so browser clients cannot currently
+      // authenticate.  Until the server is updated to accept query-param
+      // or token-based auth for WebSocket upgrades, the connection will
+      // fall through to broadcastOnly mode.
+      // TODO: Update server _authenticate() to read query.username /
+      // query.password when Authorization header is absent, then pass
+      // credentials here via searchParams.
+      const connectURL = url;
 
       socket = new WebSocket(connectURL);
       if (wantsMsgpackr && msgpackrAvailable) {

src/utils/websocket-updater.js

@@ -25,7 +25,7 @@ import { mailboxStore } from '../stores/mailboxStore';
 import { Local } from './storage';
 import { startInitialSync } from './sync-controller';
 import { createWebSocketClient, createReleaseWatcher, WS_EVENTS } from './websocket-client';
-import { connectNotifications, requestNotificationPermission } from './notification-manager';
+import { connectNotifications } from './notification-manager';
 
 // ── Constants ──────────────────────────────────────────────────────────────
 const FALLBACK_POLL_INTERVAL_MS = 300_000; // 5 min fallback — WebSocket handles real-time
@@ -128,9 +128,12 @@ function createWebSocketUpdater() {
       if (destroyed || started) return;
       started = true;
 
-      // Read credentials at connect time only — never store them
+      // Read credentials at connect time only — never store them.
+      // The app stores alias_auth as "email:password" (password may contain colons).
       const email = Local.get('email');
-      const password = Local.get('password');
+      const aliasAuth = Local.get('alias_auth') || '';
+      const colonIdx = aliasAuth.indexOf(':');
+      const password = colonIdx !== -1 ? aliasAuth.slice(colonIdx + 1) : '';
 
       // Always start the release watcher (no auth needed)
       releaseWatcher = createReleaseWatcher();
@@ -264,14 +267,14 @@ function createWebSocketUpdater() {
         // Connect notification manager
         notifCleanup = connectNotifications(wsClient);
 
-        // Request notification permission
-        requestNotificationPermission();
-
         wsClient.connect();
       }
 
-      // Start fallback polling only when WS client exists
-      if (wsClient) startFallbackPoll();
+      // Start fallback polling whenever we have credentials,
+      // even if the WebSocket connection fails to establish.
+      if (isNonEmptyString(email) && isNonEmptyString(password)) {
+        startFallbackPoll();
+      }
     },
 
     stop() {