feat(client): Devices screen + revoke self-wipe (v2.2.0-alpha3 wip)

Part of PR #3. Pairing flow still to come. Devices screen — app/(app)/devices.tsx: * Lists every active device from /api/devices/{self}. * "THIS DEVICE" badge on our own row, Unlink button on every other. * Unlink confirms + submits UNLINK_DEVICE tx, optimistic local removal. * Pull-to-refresh; empty state when balance is too low for auto-link. * Placeholder row for "Link new device" — wired in next commit. Settings → Devices entry row: added under a new "Devices" section. Self-wipe on revoke — lib/storage.ts + app/(app)/_layout.tsx: * New AsyncStorage marker `dchain_device_registered` tracks whether this install ever made it into the on-chain registry. * wipeAllLocalState() zeroes secure-store key + contacts + settings + chats cache + marker. Safe-idempotent. * Bootstrap effect in app layout splits three branches by (our_pub in chain's active list × marker_set): - in list → mark registered, done. - not in list + was registered → REVOKED → wipe + redirect to auth. - not in list + never registered → first boot, LINK_DEVICE. * Network errors never trigger wipe — only an explicit "pub missing from chain response" decides it. Belt-and-suspenders against a misbehaving node spuriously dropping records. Next: pairing flow so a second device (desktop, tablet, new phone) can come online, show a 6-digit code, receive master priv via a one-shot relay envelope encrypted to its fresh device X25519 pub, then self-link.
2026-04-22 16:28:16 +03:00
parent 423d307125
commit 8940b97cc6
4 changed files with 384 additions and 16 deletions
--- a/client-app/app/(app)/_layout.tsx
+++ b/client-app/app/(app)/_layout.tsx
@@ -25,7 +25,10 @@ import { useGlobalInbox } from '@/hooks/useGlobalInbox';
 import { getWSClient } from '@/lib/ws';
 import { NavBar } from '@/components/NavBar';
 import { AnimatedSlot } from '@/components/AnimatedSlot';
-import { saveContact } from '@/lib/storage';
+import {
+  saveContact,
+  isDeviceRegistered, markDeviceRegistered, wipeAllLocalState,
+} from '@/lib/storage';
 import {
  fetchDevices, buildLinkDeviceTx, submitTx,
 } from '@/lib/api';
@@ -76,25 +79,59 @@ export default function AppLayout() {
    else ws.setAuthCreds(null);
  }, [keyFile]);

-  // Multi-device registry bootstrap (v2.2.0). On every sign-in:
-  //   1. Fetch our own device list from chain.
-  //   2. If our local X25519 pub isn't in the active set, submit a
-  //      LINK_DEVICE tx for it — this makes "this device" discoverable
-  //      to senders. No-ops after the first successful submission on
-  //      a given chain + master key pair.
-  // Failures are swallowed: insufficient balance, offline node, or a
-  // chain that hasn't upgraded to v2.2.0 all surface the same way
-  // (our device just isn't registered yet; next sign-in tries again).
+  // Multi-device registry bootstrap + revoke-detection (v2.2.0).
+  //
+  // Three branches, by (chain list × local "was registered" flag):
+  //
+  //   1. Our pub is in the chain's active list →
+  //      mark us registered locally (idempotent), done.
+  //
+  //   2. Our pub is NOT in the active list, AND we've registered before →
+  //      another device issued UNLINK_DEVICE against us. Wipe ALL local
+  //      state (master priv, contacts, chats, marker) and redirect to
+  //      the auth screen. This is the security-critical path: without
+  //      the wipe, a stolen phone after revoke would still decrypt
+  //      historical messages.
+  //
+  //   3. Our pub is NOT in the active list, AND we've NEVER registered →
+  //      first boot on this chain; submit LINK_DEVICE so senders can
+  //      target us. Failures (fee, offline) are swallowed; next launch
+  //      retries.
  useEffect(() => {
    if (!keyFile) return;
    let cancelled = false;
    (async () => {
+      let chainList;
+      try {
+        chainList = await fetchDevices(keyFile.pub_key);
+      } catch {
+        // Network unavailable — leave state unchanged; we'll resync on
+        // the next launch. Do NOT wipe on network error.
+        return;
+      }
+      if (cancelled) return;
+
+      const inActive = chainList.some(d => d.x25519_pub_key === keyFile.x25519_pub);
+      const previouslyRegistered = await isDeviceRegistered();
+      if (cancelled) return;
+
+      if (inActive) {
+        // Branch #1 — ensure the local marker is set.
+        if (!previouslyRegistered) await markDeviceRegistered();
+        return;
+      }
+
+      if (previouslyRegistered) {
+        // Branch #2 — REVOKED. Self-wipe.
+        await wipeAllLocalState();
+        useStore.getState().setKeyFile(null);
+        // The redirect-on-null-keyFile effect below will push the user
+        // back to the welcome screen automatically.
+        return;
+      }
+
+      // Branch #3 — first-boot link. Best-effort.
      try {
-        const devs = await fetchDevices(keyFile.pub_key);
-        if (cancelled) return;
-        if (devs.some(d => d.x25519_pub_key === keyFile.x25519_pub)) {
-          return; // already registered
-        }
        const deviceName = Platform.select({
          ios:     'iPhone',
          android: 'Android phone',
@@ -107,8 +144,9 @@ export default function AppLayout() {
          privKey:    keyFile.priv_key,
        });
        await submitTx(tx);
+        await markDeviceRegistered();
      } catch {
-        /* best-effort — next launch retries */
+        /* next launch retries */
      }
    })();
    return () => { cancelled = true; };