Sam/duress regress

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## Unreleased
 
+- changed: Allow for duress mode setup while in duress mode but only for non-duress accounts.
+- fixed: Fixed regression causing pin disabled for other accounts when disabling PIN login within a duress account
+
 ## 2.30.0 (2025-05-26)
 
 - added: A `transactionsRemoved` event on `EdgeCurrencyWallet`.

src/core/account/account-api.ts

@@ -263,7 +263,8 @@ export function makeAccountApi(ai: ApiInput, accountId: string): EdgeAccount {
         : activeAppId + '.duress'
       // Ensure the duress account exists:
       if (forDuressAccount) {
-        if (ai.props.state.clientInfo.duressEnabled) {
+        // Fake duress mode setup if this is a duress account:
+        if (this.isDuressAccount) {
           fakeDuressModeSetup = opts.enableLogin ?? opts.pin != null
           ai.props.dispatch({ type: 'UPDATE_NEXT' })
           return ''

src/core/context/client-file.ts

@@ -8,11 +8,7 @@ export const CLIENT_FILE_NAME = 'client.json'
 export interface ClientInfo {
   clientId: Uint8Array
   /**
-   * LoginId of the account which is under duress and is being impersonated
-   * by the duress account. It should be the loginId which the duress account
-   * is nested under..
-   * This is only set if duress mode is activated via pin-login with the
-   * duress account's pin.
+   * This is a boolean flag that puts the device into duress mode.
    */
   duressEnabled: boolean
 }

src/core/login/login-reducer.ts

@@ -6,9 +6,9 @@ import { base58 } from '../../util/encoding'
 import { RootAction } from '../actions'
 import { RootState } from '../root-reducer'
 import { searchTree } from './login'
-import { LoginStash } from './login-stash'
+import { findDuressStash, LoginStash } from './login-stash'
 import { WalletInfoFullMap } from './login-types'
-import { findPin2Stash, findPin2StashDuress } from './pin2'
+import { findPin2Stash } from './pin2'
 
 export interface LoginState {
   readonly apiKey: string
@@ -54,14 +54,20 @@ export const login = buildReducer<LoginState, RootAction, RootState>({
         // This allows us to lie about PIN being enabled or disabled while in
         // duress mode!
         const pin2Stash = clientInfo.duressEnabled
-          ? findPin2StashDuress(stashTree, appId)
-          : findPin2Stash(stashTree, appId)
+          ? // Use the duress stash's PIN settings, but fallback for accounts
+            // that don't have duress mode setup
+            findDuressStash(stashTree, appId) ?? findPin2Stash(stashTree, appId)
+          : // If we're not in duress mode, then do a normal search
+            findPin2Stash(stashTree, appId)
+        // If we have found a pin2Stash, or the duress stash we found has
+        // a pin2Key defined:
+        const pinLoginEnabled = pin2Stash?.pin2Key != null
 
         return {
           keyLoginEnabled,
           lastLogin,
           loginId: base58.stringify(loginId),
-          pinLoginEnabled: pin2Stash != null,
+          pinLoginEnabled,
           recovery2Key:
             recovery2Key != null ? base58.stringify(recovery2Key) : undefined,
           username,

src/core/login/login-stash.ts

@@ -26,6 +26,7 @@ import { EdgeLog, EdgePendingVoucher } from '../../types/types'
 import { verifyData } from '../../util/crypto/verify'
 import { base58 } from '../../util/encoding'
 import { ApiInput } from '../root-pixie'
+import { searchTree } from './login'
 
 /**
  * The login data we store on disk.
@@ -195,3 +196,17 @@ export const asLoginStash: Cleaner<LoginStash> = asObject({
 })
 
 export const wasLoginStash = uncleaner(asLoginStash)
+
+/**
+ * Returns the duress stash nested within a given LoginStash tree.
+ * This will return the duress stash even if the stashTree is the duress stash
+ * itself.
+ */
+export function findDuressStash(
+  stashTree: LoginStash,
+  appId: string
+): LoginStash | undefined {
+  const duressAppId = appId.endsWith('.duress') ? appId : appId + '.duress'
+  if (stashTree.appId === duressAppId) return stashTree
+  return searchTree(stashTree, stash => stash.appId === duressAppId)
+}

src/core/login/pin2.ts

@@ -15,7 +15,7 @@ import { ApiInput } from '../root-pixie'
 import { applyKits, searchTree, serverLogin } from './login'
 import { loginFetch } from './login-fetch'
 import { getStashById } from './login-selectors'
-import { LoginStash } from './login-stash'
+import { findDuressStash, LoginStash } from './login-stash'
 import { LoginKit, LoginTree, SessionKey } from './login-types'
 import { getLoginOtp } from './otp'
 
@@ -43,21 +43,6 @@ export function findPin2Stash(
   if (stash?.pin2Key != null) return stash
 }
 
-/**
- * Returns a copy of the PIN login key if one exists on the local device and
- * the app id matches the duress appId.
- */
-export function findPin2StashDuress(
-  stashTree: LoginStash,
-  appId: string
-): LoginStash | undefined {
-  const duressAppId = appId.endsWith('.duress') ? appId : appId + '.duress'
-  if (stashTree.pin2Key != null && duressAppId === stashTree.appId)
-    return stashTree
-  const stash = searchTree(stashTree, stash => stash.appId === duressAppId)
-  if (stash?.pin2Key != null) return stash
-}
-
 /**
  * Logs a user in using their PIN.
  * @return A `Promise` for the new root login.
@@ -190,7 +175,7 @@ export async function checkPin2(
   const { stashTree } = getStashById(ai, loginId)
   const stash =
     forDuressAccount === true
-      ? findPin2StashDuress(stashTree, appId)
+      ? findDuressStash(stashTree, appId)
       : findPin2Stash(stashTree, appId)
   if (stash == null || stash.pin2Key == null) {
     throw new PinDisabledError('No PIN set locally for this account')