Skip to content

fix: add vault sentinel to prevent passphrase bypass on empty credential vault#848

Open
711nishtha wants to merge 4 commits into
shouri123:mainfrom
711nishtha:fix-add-vault-sentinel-to-prevent-passphrase-bypass-on-empty-credential-vault
Open

fix: add vault sentinel to prevent passphrase bypass on empty credential vault#848
711nishtha wants to merge 4 commits into
shouri123:mainfrom
711nishtha:fix-add-vault-sentinel-to-prevent-passphrase-bypass-on-empty-credential-vault

Conversation

@711nishtha

@711nishtha 711nishtha commented Jun 27, 2026

Copy link
Copy Markdown

Problem

unlockCredentials() verified the passphrase by decrypting a sample
API credential. When the vault had been initialized (salt stored) but
no credentials saved yet, the verification block was skipped and any
passphrase was accepted as valid.

A user who mistyped their passphrase on this "empty window" would
silently encrypt their subsequent API keys with the wrong-passphrase-
derived key, making them unrecoverable with the correct passphrase.

Fix

Writes an encrypted vault sentinel (late-meet-vault-v1) to
chrome.storage.local on every first-time vault setup. All subsequent
unlockCredentials() calls verify the passphrase by decrypting the
sentinel — no API credentials needed for verification.

Backward compatible: existing vaults without a sentinel fall back to
credential-based verification and write the sentinel for migration.

Files changed

  • src/utils/credentials.ts — sentinel constants + revised unlockCredentials()
  • src/utils/credentials.test.ts — 4 regression tests

Closes #837

Summary by CodeRabbit

  • Bug Fixes
    • Improved credential unlocking for accounts with no saved API keys yet.
    • Passphrase checks are now more reliable after restart, including first-time setup.
    • Saved credentials can now be unlocked and recovered consistently after a restart with the correct passphrase.
    • Wrong passphrases are correctly rejected in empty-vault and populated-vault scenarios.

Added vault sentinel for passphrase verification during credential unlocking. Enhanced security by implementing a fallback strategy for legacy vaults.
@711nishtha 711nishtha requested a review from shouri123 as a code owner June 27, 2026 04:13
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Thank You for Contributing to Late-Meet

Please ensure that:

  • the issue was assigned to you before opening this PR
  • the PR references the related issue
  • your changes follow repository contribution guidelines
  • the project builds successfully before submission

Unassigned, duplicate, or low-quality PRs may be closed.

Thank you for contributing 💙

@github-actions github-actions Bot added gssoc Official GSSoC contribution issue gssoc:approved GSSoC: PR approved and scored bug Something isn't working size/M type:code Type: Code change type:test Type: Test files security-review Requires security review before merge and removed bug Something isn't working size/M labels Jun 27, 2026
@coderabbitai

coderabbitai Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@711nishtha, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 16 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 25f313ce-b0ae-4ace-8449-931941c702ac

📥 Commits

Reviewing files that changed from the base of the PR and between c8a715a and 2e0313f.

📒 Files selected for processing (2)
  • src/utils/credentials.test.ts
  • src/utils/credentials.ts
📝 Walkthrough

Walkthrough

unlockCredentials now uses a stored vault sentinel to verify passphrases for initialized vaults, including vaults with no saved API credentials. The tests add coverage for empty-vault unlocks, sentinel encryption, and credential recovery after restart.

Changes

Vault sentinel verification

Layer / File(s) Summary
Unlock verification and sentinel persistence
src/utils/credentials.ts
Adds the sentinel key/plaintext constants and updates unlockCredentials to verify stored sentinels, fall back to existing encrypted credentials, and write the sentinel during first-time setup and empty-vault unlocks.
Unlock regression coverage
src/utils/credentials.test.ts
Keeps the restart regression test and adds coverage for empty-vault passphrase rejection, sentinel creation, encrypted sentinel storage, and recovery after restart.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • shouri123/Late-Meet#214: Also changes src/utils/credentials.ts and src/utils/credentials.test.ts around unlockCredentials passphrase validation.
  • shouri123/Late-Meet#562: Updates onboarding to require unlocking before saving API keys, which depends on the unlock flow changed here.
  • shouri123/Late-Meet#692: Modifies the first-time vault setup flow in src/utils/credentials.ts, adjacent to the sentinel-based unlock changes here.

Suggested labels

bug, size/M

Suggested reviewers

  • shouri123

Poem

🐰 I hid a tiny sentinel in the vault tonight,
With carrot-bright keys and a passphrase just right.
Wrong hops now bounce, the true hop sings through,
And saved little secrets come back fresh and new.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: adding a vault sentinel to stop passphrase bypass on empty credential vaults.
Linked Issues check ✅ Passed The code and tests implement sentinel-based passphrase verification, including empty-vault handling and legacy fallback migration.
Out of Scope Changes check ✅ Passed Changes stay focused on credential unlocking logic and regression tests; no unrelated functionality appears.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown
Contributor

👋 Thank you @711nishtha for your contribution to Late-Meet!

✅ Verified: You are assigned to the linked issue #837.

Please review any automated suggestions or code review comments that may appear below! We will review your PR as soon as possible!


Please consider starring the repository ⭐ to show your support!

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/utils/credentials.test.ts`:
- Around line 201-284: The test declarations in credentials.test.ts are using
escaped quote delimiters, which breaks TypeScript parsing and prevents the test
file from loading. Update the affected test() calls in the credentials
regression section to use normal string quotes, and keep the rest of the
assertions and helper usage unchanged so the suite can compile and run.

In `@src/utils/credentials.ts`:
- Around line 179-188: The credential verification flow in the
encrypted-credentials branch is incorrectly skipping malformed values like
"enc:" because the sample lookup in credentials.ts only checks truthy entries.
Update the verification logic around the encryptedCreds/CREDENTIAL_KEYS path so
legacy encrypted entries are still validated even when the ciphertext payload is
empty or malformed, and ensure a decryption attempt (or explicit failure)
happens before any sentinel write or true return. Focus on the sampleKey
selection and the crypto.subtle.decrypt path in the credential verification
routine.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 90b825d5-e195-4d11-88cf-3630e5f36a3a

📥 Commits

Reviewing files that changed from the base of the PR and between 35c28d6 and c8a715a.

📒 Files selected for processing (2)
  • src/utils/credentials.test.ts
  • src/utils/credentials.ts

Comment thread src/utils/credentials.test.ts Outdated
Comment thread src/utils/credentials.ts Outdated
Refactor credential verification to ensure a valid key is present before decryption. Improve comments for clarity on handling empty/malformed ciphertexts.
@sonarqubecloud

Copy link
Copy Markdown

@711nishtha

Copy link
Copy Markdown
Author

@shouri123 suggestions have been addressed. The PR is ready for review and merge. Thank You.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gssoc:approved GSSoC: PR approved and scored gssoc Official GSSoC contribution issue security-review Requires security review before merge type:code Type: Code change type:test Type: Test files

Projects

None yet

1 participant