jam icon indicating copy to clipboard operation
jam copied to clipboard
verified publisher icon joinmarket-webui

Security feature: Show seed phrase only after entering password

Open ghost opened this issue 1 year ago • 13 comments

Is your feature request related to a problem? Please describe.

When logged into JAM, any user of that computer can easily access the seed phrase by simply selecting "Show seed phrase" as shown in the attached screenshot. This presents a significant security risk, as there is no additional authentication step required to view this sensitive information. This lack of a security barrier could lead to unauthorized access to the wallet if someone else gains temporary access to the browser window. grafik grafik

Describe the solution you'd like

Implement an additional layer of security for displaying the seed phrase. Specifically, when a user attempts to view the seed phrase, they should be prompted to enter their wallet password again. This step would ensure that only the legitimate wallet owner can view the seed phrase, adding an essential security checkpoint.

Describe alternatives you've considered

Timed Access: Allow the seed phrase to be visible for only a short period (e.g., 30 seconds) after successful authentication, after which the user would need to re-authenticate to view it again. Or lock the browser window after a certain amount of time.

Additional context

  • Screenshot: Attached screenshot shows the current "Show seed phrase" option without any security prompt.
  • User Impact: Enhancing this feature would significantly improve the security posture of JAM, protecting users from potential theft or unauthorized access to their cryptocurrency wallets.

ghost avatar Nov 25 '24 08:11 ghost

well, if someone has access to your device they could also send all the money out.

MarnixCroes avatar Nov 25 '24 09:11 MarnixCroes

well, if someone has access to your device they could also send all the money out.

Yes, that is true. However: If they choose not to send money out, but instead they take the seed and wait until the bond is free and then steal all the BTC this is the worst case possible.

If a person cannot extract the seed then it can only either steal from the wallet now or never. Therefore I ask to lock the seed in the UI.

ghost avatar Nov 25 '24 15:11 ghost

Even though @MarnixCroes argument is valid, I think this is a reasonable request. Thanks @oPFGKk9gtuw8nuHkzrQn :pray:

theborakompanioni avatar Nov 25 '24 21:11 theborakompanioni

I would like to work on this @theborakompanioni can you assign me this issue

khadar1020 avatar Dec 17 '24 09:12 khadar1020

https://github.com/user-attachments/assets/dd5b5db8-dfb2-47ed-932f-5a9c736ad667

This is the video @theborakompanioni I have solved this issue if any changes you want I will be doing other changes please tell me other wise I am ready to submit a PR

Thank you

khadar1020 avatar Dec 22 '24 19:12 khadar1020

I have also worked on implementing this feature and have included my changes in the PR. If everything looks good, @theborakompanioni, you can merge this.

If there are any issues or refinements needed, feel free to let me know, and I'd be happy to make the necessary changes. Looking forward to your feedback! 🚀

A sample video->

https://github.com/user-attachments/assets/aa723ead-c3f0-44fc-934f-a52faae28bf6

Thank you!

rushil23451 avatar Mar 12 '25 12:03 rushil23451

I would be interested in working on this. Could you please assign it to me?

parrth20 avatar Apr 05 '25 12:04 parrth20

Hey @parrth20! This is also already worked on and has two PRs open: https://github.com/joinmarket-webui/jam/pull/874 and https://github.com/joinmarket-webui/jam/pull/881.

It seems https://github.com/joinmarket-webui/jam/pull/881 is of higher quality and #874 should be closed. Maybe you can look at the review question and investigate whether this is a problem? 💪

theborakompanioni avatar Apr 06 '25 12:04 theborakompanioni

Hey @theborakompanioni i have looked at the question you asked on the thread and have already started to look at it, will get back to you with a relevant solution shortly, was busy with some work

rushil23451 avatar Apr 06 '25 12:04 rushil23451

@rushil23451 @theborakompanioni , your PR is almost correct; however, you don't need to use that token again, as it could create problems in the long run.

parrth20 avatar Apr 08 '25 18:04 parrth20

@rushil23451 @theborakompanioni , your PR is almost correct; however, you don't need to use that token again, as it could create problems in the long run.

Can you clarify what you mean by that? What can create problems? Using the token? From my point of view it looks like it is a problem not using it.

theborakompanioni avatar Apr 09 '25 09:04 theborakompanioni

@theborakompanioni Yes the session refreshes every 15-30minutes(need to check it again) we need to store the refresh tokens properly so that the user doesn’t get locked out of the system, will implement the change and store the refresh tokens properly

rushil23451 avatar Apr 09 '25 10:04 rushil23451

@theborakompanioni Yes the session refreshes every 15-30minutes(need to check it again) we need to store the refresh tokens properly so that the user doesn’t get locked out of the system, will implement the change and store the refresh tokens properly

Yeah. Please check that 🙏 I don't even know if the current method is working properly in all cases. Some users reported they have been mysteriously logged out. Low severity as any background job still runs, but they have to "log in" again, which is annoying.

theborakompanioni avatar Apr 09 '25 15:04 theborakompanioni