
Fix account data not persisting on web#296

Merged
SwissBitcoinPay merged 8 commits into main from fix-auto-logout
Jul 19, 2025

Conversation

@SwissBitcoinPay (Owner)

No description provided.

@netlify

netlify bot commented Jul 12, 2025

Deploy Preview for swissbitcoinpayapp ready!

Name Link
🔨 Latest commit 8299734
🔍 Latest deploy log https://app.netlify.com/projects/swissbitcoinpayapp/deploys/687b814d3e1153000811f0e2
😎 Deploy Preview https://deploy-preview-296--swissbitcoinpayapp.netlify.app

@netlify

netlify bot commented Jul 12, 2025

Deploy Preview for app-swiss-bitcoin-pay-ch ready!

Name Link
🔨 Latest commit 8299734
🔍 Latest deploy log https://app.netlify.com/projects/app-swiss-bitcoin-pay-ch/deploys/687b814db4b8260008d8284a
😎 Deploy Preview https://deploy-preview-296--app-swiss-bitcoin-pay-ch.netlify.app

Comment thread src/utils/AsyncStorage/AsyncStorage.ts Fixed

return localStorage.setItem(key, arrayBufferToBase64(combined.buffer));
} else {
return localStorage.setItem(key, value);

Check failure

Code scanning / CodeQL

Clear text storage of sensitive information High

This stores sensitive data returned by an access to testApiKey as clear text.
This stores sensitive data returned by an access to apiKey as clear text.
This stores sensitive data returned by an access to hmacSecret as clear text.

Copilot Autofix

AI 9 months ago

The best way to fix this problem is to ensure that all sensitive information—including data.hmacSecret—is only ever stored in an encrypted form. This means that when calling AsyncStorage.setItem for sensitive values, an appropriate encryptionKey must be supplied. In the present case, useAccountConfig.ts is calling AsyncStorage.setItem(keyStoreHmac, data.hmacSecret) without an encryption key. The correct fix is to ensure a secure encryption key is determined and passed to this call. The encryption key should be unique per user/session and derived from a secure source (such as the user's password, a device-bound key, or a secure credential store).

Files to change:

  • src/hooks/useAccountConfig.ts: When storing hmacSecret, pass a valid encryption key as the fourth argument to AsyncStorage.setItem.
  • If no suitable encryption key is available in scope, one must be sourced or derived securely (e.g., from another value in data, from user input, or from app context). If a suitable key is already present (e.g., data.apiKey or another secure value), use that.

What is needed:

  • Update the call to AsyncStorage.setItem for the HMAC secret to provide an encryption key.
  • If no encryption key is available, introduce a mechanism to derive or retrieve it securely for this purpose.
  • No changes are required to AsyncStorage itself, as it already supports encryption.

Suggested changeset 1
src/hooks/useAccountConfig.ts
Outside changed files

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/hooks/useAccountConfig.ts b/src/hooks/useAccountConfig.ts
--- a/src/hooks/useAccountConfig.ts
+++ b/src/hooks/useAccountConfig.ts
@@ -54,7 +54,8 @@
           typeof data.hmacSecret === "string" &&
           (data.isCheckoutSecure || data.isAtm)
         ) {
-          await AsyncStorage.setItem(keyStoreHmac, data.hmacSecret);
+          // Use the API key as the encryption key for hmacSecret storage
+          await AsyncStorage.setItem(keyStoreHmac, data.hmacSecret, undefined, data.apiKey);
         }
 
         setAccountConfig(_accountConfig);
EOF
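Review bot: the replacement line `await AsyncStorage.setItem(keyStoreHmac, data.hmacSecret, undefined, data.apiKey);` uses as the encryption key a value the same CodeQL alert reports as stored in clear text (apiKey), so the key that unlocks hmacSecret would sit in the same localStorage beside the ciphertext and the finding is relabelled rather than resolved; the password-derived or device-bound key that the Autofix text itself recommends is the change to make. The hunk also touches only the write: whatever reads keyStoreHmac must be handed the same key, otherwise the stored value can no longer be decrypted on load, which is exactly the account-data-not-persisting symptom this PR is named for. Finally, `undefined` as the third argument assumes a four-parameter setItem signature that nothing in this changeset shows; confirm it against src/utils/AsyncStorage/AsyncStorage.ts before applying.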
@SwissBitcoinPay SwissBitcoinPay changed the title Test with disabled keys Fixed account data not persisting on web Jul 19, 2025
@SwissBitcoinPay SwissBitcoinPay changed the title Fixed account data not persisting on web Fix account data not persisting on web Jul 19, 2025
@SwissBitcoinPay SwissBitcoinPay merged commit e78e59f into main Jul 19, 2025
9 of 14 checks passed
@SwissBitcoinPay SwissBitcoinPay deleted the fix-auto-logout branch July 19, 2025 11:28

3 participants