fix: resolve master password prompt issues for new and returning users#1

Merged: typelets merged 1 commit into main from fix/master-password-prompt on Sep 6, 2025

@typelets typelets commented Sep 6, 2025

Problem

The master password system had critical flaws that allowed users to bypass encryption entirely:

  • New users were never prompted to create a master password
  • Returning users weren't prompted to unlock after sign-out/sign-in
  • API 500 errors occurred during user initialization
  • Users could access encrypted notes without any password protection

This defeated the purpose of having end-to-end encryption, as the security was completely optional.

Solution

Fixed the master password flow to ensure all users must set up and use master password protection:

Key Changes:

  1. Fixed useMasterPassword hook logic:
    - setNeedsUnlock(hasPassword && !isUnlocked);
    + setNeedsUnlock(!hasPassword || (hasPassword && !isUnlocked));
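    Review bot: In the `+` line the inner `hasPassword &&` is redundant once `!hasPassword ||` has been evaluated, so the condition reduces to `!hasPassword || !isUnlocked`. `needsUnlock` is also now true for two different states (no password set, and password set but locked), so whatever renders the prompt has to read `hasPassword` separately to choose between the create and unlock flows; a more neutral name such as `needsPrompt`, or a short comment stating that the no-password case is intentional, would make that explicit.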
    Now prompts for both new users (no password) and returning users (locked)
    
  2. Fixed API initialization order:
    - Only call api.getCurrentUser() after master password is properly set up
    - Prevents 500 errors from premature API calls
  3. Added proper data reloading:
    - New reinitialize() function to reload data after password setup
    - Ensures smooth transition from password setup to app usage

🔒 Security Impact

  • Before: Users could bypass master password (weak auto-generated keys)
  • After: Master password required for ALL users (true end-to-end encryption)
  • Before: Keys stored in plain text localStorage
  • After: Password-derived keys with proper validation

🧪 Testing

  • ✅ New users prompted to create master password
  • ✅ Returning users prompted to unlock existing password
  • ✅ No more API 500 errors during initialization
  • ✅ Data loads correctly after password setup/unlock
  • ✅ Cannot bypass master password requirement

📝 Files Changed

  • src/hooks/useMasterPassword.ts - Fixed prompt logic for all users
  • src/hooks/useNotes.ts - Fixed API initialization order + added reinitialize
  • src/components/layout/MainLayout.tsx - Improved unlock flow handling

This ensures the master password system works as designed - providing true end-to-end encryption that cannot be bypassed.

  - Fix useMasterPassword hook to prompt new users without master password
  - Fix returning users not being prompted after sign-out/sign-in
  - Fix API initialization order to prevent 500 errors
  - Add reinitialize function to properly reload data after password setup
  - Update MainLayout to handle password unlock flow correctly

  This ensures all users are prompted for master password as expected:
  - New users: prompted to create master password
  - Returning users: prompted to unlock with existing password
  - No more API 500 errors during user initialization
@typelets typelets self-assigned this Sep 6, 2025
@typelets typelets merged commit 00f8a9b into main Sep 6, 2025
3 checks passed
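
The prompt condition before and after this change, checked over all four combinations of `hasPassword` and `isUnlocked`, together with a fail-closed initialization gate that defers `getCurrentUser()` until the prompt is cleared. This is an added example, not code from the typelets repository; `findBypassStates`, `initNotes` and the stub API are hypothetical names.

```javascript
// Added illustration. Only hasPassword, isUnlocked, needsUnlock and
// getCurrentUser come from the PR text; every other name is hypothetical.

// Prompt condition before the fix: only an existing, locked password prompts.
const needsUnlockBefore = (hasPassword, isUnlocked) => hasPassword && !isUnlocked;

// Prompt condition after the fix, as written in the PR description.
const needsUnlockAfter = (hasPassword, isUnlocked) =>
  !hasPassword || (hasPassword && !isUnlocked);

// Enumerate every state and collect those where the predicate shows no prompt
// even though the session has no unlocked master password.
function findBypassStates(needsUnlock) {
  const bypass = [];
  for (const hasPassword of [false, true]) {
    for (const isUnlocked of [false, true]) {
      const protectedSession = hasPassword && isUnlocked;
      if (!needsUnlock(hasPassword, isUnlocked) && !protectedSession) {
        bypass.push({ hasPassword, isUnlocked });
      }
    }
  }
  return bypass;
}

// Fail-closed gate: the user lookup runs only once the prompt is cleared.
// Calling it again after setup or unlock plays the role of a reload step.
function initNotes(state, api) {
  if (needsUnlockAfter(state.hasPassword, state.isUnlocked)) {
    return { loaded: false, prompt: state.hasPassword ? "unlock" : "setup" };
  }
  return { loaded: true, user: api.getCurrentUser() };
}

// Constructed stub standing in for the app's API client; records its calls.
function makeStubApi() {
  const calls = [];
  return {
    calls,
    getCurrentUser() {
      calls.push("getCurrentUser");
      return { id: "constructed-user" };
    },
  };
}
```
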

github-actions bot commented Sep 6, 2025

🎉 This PR is included in version 1.10.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
