// vault.jsx — Password Vault. // // Sections of this file // 1. VaultView — the page itself (search + filters + list). // 2. VaultEntryCard — one row in the list with copy / reveal. // 3. VaultEntryModal — create / edit modal. // 4. VaultShareModal — manage who can see this entry. // 5. VaultAuditModal — read the audit log of reveal events. // 6. VAULT_CSS — single style string emitted once on mount. // // Security notes // - The list never carries decrypted secrets; the server returns // metadata-only. A reveal is an explicit GET /entries/:id/secret // that's audit-logged, even for the owner. // - The reveal button auto-re-masks after AUTO_HIDE_MS so the // password isn't left on screen if the user walks away. // - Clipboard copies clear themselves after CLIPBOARD_CLEAR_MS // when the browser supports it (best-effort; see _scheduleClear). // - Inputs use type=password by default; a small reveal toggle // flips to text only when the user is actively reading. const VAULT_CATEGORIES = [ { id: "login", label: "Login", glyph: "🔑" }, { id: "card", label: "Card", glyph: "💳" }, { id: "note", label: "Secure note", glyph: "📝" }, { id: "api_key", label: "API key", glyph: "🔌" }, { id: "identity", label: "Identity", glyph: "🪪" }, { id: "wifi", label: "Wi-Fi", glyph: "📶" }, { id: "database", label: "Database", glyph: "🗄️" }, ]; const VAULT_CAT_BY_ID = Object.fromEntries(VAULT_CATEGORIES.map(c => [c.id, c])); const AUTO_HIDE_MS = 30_000; const CLIPBOARD_CLEAR_MS = 30_000; function _vaultCat(id) { return VAULT_CAT_BY_ID[id] || VAULT_CATEGORIES[0]; } function _vaultRel(iso) { return typeof fmtRelative === "function" ? fmtRelative(iso) : (iso || ""); } // Best-effort clipboard helper: writes the string, then schedules a // clear on the same value. If the user copies something else in the // meantime, the clear is a no-op. async function _vaultCopy(text, onToast) { let ok = false; try { if (navigator.clipboard && navigator.clipboard.writeText) { await navigator.clipboard.writeText(text); ok = true; } } catch {} if (!ok) { try { const ta = document.createElement("textarea"); ta.value = text; ta.style.position = "fixed"; ta.style.opacity = "0"; document.body.appendChild(ta); ta.select(); ok = document.execCommand("copy"); document.body.removeChild(ta); } catch { ok = false; } } if (ok) { onToast && onToast("Copied · clipboard clears in 30s"); _scheduleClear(text); } else if (onToast) { onToast("Couldn't copy — your browser blocked clipboard access", 4000); } return ok; } function _scheduleClear(value) { setTimeout(async () => { try { if (navigator.clipboard && navigator.clipboard.readText && navigator.clipboard.writeText) { const cur = await navigator.clipboard.readText(); if (cur === value) await navigator.clipboard.writeText(""); } } catch { /* clipboard read often blocked — that's fine */ } }, CLIPBOARD_CLEAR_MS); } // ── Page ──────────────────────────────────────────────────────────── function VaultView({ currentUserId, people, onToast }) { const [entries, setEntries] = React.useState(null); // null = loading const [err, setErr] = React.useState(""); const [q, setQ] = React.useState(""); const [filter, setFilter] = React.useState("all"); // all | mine | shared | favorite const [category, setCategory] = React.useState("any"); const [editing, setEditing] = React.useState(null); // null | {} (new) | entry (edit) const [sharing, setSharing] = React.useState(null); // entry being shared const [auditing, setAuditing] = React.useState(null); // entry whose audit is open const reload = React.useCallback(async () => { try { const list = await api.vault.list(); setEntries(Array.isArray(list) ? list : []); setErr(""); } catch (e) { setErr((e && e.body && (e.body.message || e.body.error)) || (e && e.message) || "Couldn't load vault"); setEntries([]); } }, []); React.useEffect(() => { reload(); }, [reload]); const counts = React.useMemo(() => { const e = entries || []; return { all: e.length, mine: e.filter(x => x.permission === "owner").length, shared: e.filter(x => x.permission !== "owner").length, favorite: e.filter(x => x.favorite).length, }; }, [entries]); const filtered = React.useMemo(() => { const arr = (entries || []).filter(x => { if (filter === "mine" && x.permission !== "owner") return false; if (filter === "shared" && x.permission === "owner") return false; if (filter === "favorite" && !x.favorite) return false; if (category !== "any" && x.category !== category) return false; if (q.trim()) { const s = q.trim().toLowerCase(); return ( (x.title || "").toLowerCase().includes(s) || (x.username || "").toLowerCase().includes(s) || (x.url || "").toLowerCase().includes(s) || (x.notes_plain || "").toLowerCase().includes(s) ); } return true; }); arr.sort((a, b) => { if ((b.favorite ? 1 : 0) !== (a.favorite ? 1 : 0)) return (b.favorite ? 1 : 0) - (a.favorite ? 1 : 0); return (a.title || "").localeCompare(b.title || ""); }); return arr; }, [entries, filter, category, q]); function patchInPlace(id, patch) { setEntries(es => (es || []).map(x => x.id === id ? { ...x, ...patch } : x)); } async function toggleFavorite(entry) { const next = !entry.favorite; patchInPlace(entry.id, { favorite: next }); try { await api.vault.patch(entry.id, { favorite: next }); } catch (e) { patchInPlace(entry.id, { favorite: !next }); onToast && onToast("Couldn't update favorite", 4000); } } async function deleteEntry(entry) { if (!window.confirm(`Permanently delete "${entry.title}"?\n\nThis removes the encrypted entry AND every share. There is no undo.`)) return; try { await api.vault.remove(entry.id); setEntries(es => (es || []).filter(x => x.id !== entry.id)); onToast && onToast("Entry deleted"); } catch (e) { onToast && onToast("Couldn't delete: " + (e.message || "network error"), 4000); } } return (

🔒 Password vault

Encrypted at rest with AES-256-GCM · share with teammates one entry at a time
setQ(e.target.value)} />
{[ ["all", "All"], ["mine", "Mine"], ["shared", "Shared"], ["favorite", "★ Favorites"], ].map(([id, label]) => ( ))}
{err &&
{err}
} {entries === null && (
Loading vault…
)} {entries !== null && filtered.length === 0 && (
{q.trim() || filter !== "all" || category !== "any" ? "No entries match — try a different filter" : <>
🔐
Your vault is empty
Save your first password — it's encrypted with AES-256-GCM before it touches the database.
}
)} {entries !== null && filtered.length > 0 && (
{filtered.map(entry => ( setEditing(entry)} onShare={() => setSharing(entry)} onAudit={() => setAuditing(entry)} onDelete={() => deleteEntry(entry)} onToggleFavorite={() => toggleFavorite(entry)} onToast={onToast}/> ))}
)} {editing !== null && ( setEditing(null)} onSaved={(saved, action) => { setEditing(null); if (action === "created") setEntries(es => [...(es || []), saved]); else patchInPlace(saved.id, saved); onToast && onToast(action === "created" ? "Entry saved" : "Entry updated"); }} onError={msg => onToast && onToast(msg, 4500)}/> )} {sharing && ( setSharing(null)} onChanged={(meta) => { // Refresh the entry's shared_with_count + is_private flag. patchInPlace(sharing.id, meta); }} onToast={onToast}/> )} {auditing && ( setAuditing(null)}/> )}
); } // ── Entry card ────────────────────────────────────────────────────── function VaultEntryCard({ entry, currentUserId, onEdit, onShare, onAudit, onDelete, onToggleFavorite, onToast }) { const [revealed, setRevealed] = React.useState(false); const [secret, setSecret] = React.useState(null); const [busy, setBusy] = React.useState(false); const hideTimerRef = React.useRef(null); const isOwner = entry.permission === "owner"; const canEdit = isOwner || entry.permission === "editor"; const cat = _vaultCat(entry.category); React.useEffect(() => () => { if (hideTimerRef.current) clearTimeout(hideTimerRef.current); }, []); async function reveal() { if (revealed) { setRevealed(false); if (hideTimerRef.current) clearTimeout(hideTimerRef.current); return; } if (!secret) { setBusy(true); try { const r = await api.vault.reveal(entry.id); setSecret(r.secret); } catch (e) { const msg = (e && e.body && (e.body.message || e.body.error)) || (e && e.message) || "Couldn't reveal"; onToast && onToast(msg, 4500); setBusy(false); return; } setBusy(false); } setRevealed(true); if (hideTimerRef.current) clearTimeout(hideTimerRef.current); hideTimerRef.current = setTimeout(() => { setRevealed(false); setSecret(null); // forget on auto-hide so re-reveal hits the server again (re-audits) }, AUTO_HIDE_MS); } async function copy() { let value = secret; if (!value) { try { const r = await api.vault.reveal(entry.id); value = r.secret; } catch (e) { const msg = (e && e.body && (e.body.message || e.body.error)) || (e && e.message) || "Couldn't reveal"; onToast && onToast(msg, 4500); return; } } await _vaultCopy(value, onToast); } async function copyUsername() { if (!entry.username) return; await _vaultCopy(entry.username, onToast); } function openURL() { if (!entry.url) return; let u = entry.url.trim(); if (!/^https?:\/\//i.test(u)) u = "https://" + u; try { window.open(u, "_blank", "noopener,noreferrer"); } catch {} } return (
{entry.title}
{entry.username && ( {entry.username} )} {entry.url && ( {(() => { try { return new URL(/^https?:\/\//i.test(entry.url) ? entry.url : "https://" + entry.url).hostname; } catch { return entry.url; } })()} )}
{entry.permission === "owner" ? "Mine" : entry.permission === "editor" ? "Editor" : "Viewer"} {entry.permission === "owner" && entry.shared_with_count > 0 && ( Shared · {entry.shared_with_count} )} {entry.permission === "owner" && entry.shared_with_count === 0 && ( Private )} {entry.permission !== "owner" && ( from {entry.owner_name || "—"} )}
{entry.username && ( )} {canEdit && ( )} {isOwner && ( <> )}
); } // ── Entry create/edit modal ───────────────────────────────────────── function VaultEntryModal({ entry, onClose, onSaved, onError }) { const isNew = !entry; const [title, setTitle] = React.useState(entry?.title || ""); const [username, setUsername] = React.useState(entry?.username || ""); const [url, setUrl] = React.useState(entry?.url || ""); const [category, setCategory] = React.useState(entry?.category || "login"); const [notes, setNotes] = React.useState(entry?.notes_plain || ""); const [secret, setSecret] = React.useState(""); const [revealNew, setRevealNew] = React.useState(false); const [busy, setBusy] = React.useState(false); const [loadingSecret, setLoadingSecret] = React.useState(false); const [favorite, setFavorite] = React.useState(!!entry?.favorite); // For edit mode: we DON'T pre-load the secret. The user has to // explicitly reveal it (and accept an audit-log entry) before // editing it. Empty `secret` field on save means "don't change the // password" — only metadata is patched. async function loadCurrentSecret() { if (!entry || !entry.id) return; setLoadingSecret(true); try { const r = await api.vault.reveal(entry.id); setSecret(r.secret || ""); setRevealNew(true); } catch (e) { const msg = (e && e.body && (e.body.message || e.body.error)) || (e && e.message) || "Couldn't reveal"; onError && onError(msg); } finally { setLoadingSecret(false); } } function genPassword() { // Cryptographically-strong default — 20 chars, mixed-case + // digits + symbols. Uses crypto.getRandomValues; falls back to // Math.random only if that's missing (really old browsers). const charset = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_+="; const len = 20; let out = ""; if (window.crypto && window.crypto.getRandomValues) { const arr = new Uint32Array(len); window.crypto.getRandomValues(arr); for (let i = 0; i < len; i++) out += charset[arr[i] % charset.length]; } else { for (let i = 0; i < len; i++) out += charset[Math.floor(Math.random() * charset.length)]; } setSecret(out); setRevealNew(true); } async function save() { if (!title.trim()) { onError && onError("Title is required"); return; } if (isNew && !secret) { onError && onError("Password / secret is required"); return; } setBusy(true); try { const body = { title: title.trim(), username: username.trim() || null, url: url.trim() || null, category, notes_plain: notes.trim() || null, favorite, }; if (secret) body.secret = secret; let saved; if (isNew) { saved = await api.vault.create(body); onSaved && onSaved(saved, "created"); } else { await api.vault.patch(entry.id, body); saved = { ...entry, ...body, secret: undefined }; // don't keep secret in memory onSaved && onSaved(saved, "updated"); } } catch (e) { const msg = (e && e.body && (e.body.message || e.body.error)) || (e && e.message) || "Couldn't save"; onError && onError(msg); setBusy(false); } } return (
{ if (e.target === e.currentTarget) onClose(); }}>
e.stopPropagation()}>
{isNew ? "New vault entry" : "Edit entry"}
Encrypted with AES-256-GCM before saving
Password / secret {!isNew && (leave blank to keep current)} {!isNew && ( )}
setSecret(e.target.value)} placeholder={isNew ? "Type or click Generate" : "Leave blank to keep the existing password"} />