Closed iliakonnov closed 2 years ago
Hi, thanks for bringing attention to this. Originally the protected session was handled mostly on the frontend: when the user reloaded a tab, the session was lost, and it also wasn't shared between browser sessions / devices.
But with time Trilium's architecture changed and more and more things became cached, to the current state where the whole note tree (metadata) stays permanently cached in memory. This cache is global and contains either encrypted or decrypted titles, shared for all clients. I can see how it's not ideal for certain edge cases, but given that this is single-user software, I think it's a manageable compromise.
So now the protected session has been largely managed in the backend, with the exception of this expiration, which led to this issue: if you kill the browser session, you can avoid the expiration altogether. So I ported this last forgotten piece to the backend and this "hole" shouldn't work anymore.
I acknowledge that there isn't a button to log out of the protected session in the mobile frontend, but with correct expiration it's hopefully not a show stopper. I created #2850 to cover that.
Trilium Version
0.51.2
What operating system are you using?
Other (specify below)
What is your setup?
Server access only
Operating System Version
Android, Google Chrome
Description
Issue: protected mode never expires completely when using the mobile frontend only. More precisely, note titles can be left readable basically forever. Note content is not affected and is always protected.
Steps to reproduce (server access only from now on):
The important thing is to close the tab before the protected session ends. This can happen very often when the timeout is set to high values (10 minutes default) and one uses the mobile frontend only for a short time (e.g. to read a single password). In my workflow, I only use the server installation to access notes using the mobile frontend, thus the protected session never ends correctly and titles are basically always available when using the server installation.
Moreover, I've noticed that the protected session state syncs between all devices connected to the same Trilium server. This may accidentally lead to starting a protected session on a remote device. For example, one may start a protected session on their phone while a laptop is accidentally left unlocked. Now anyone can simply refresh the tab on the desktop frontend to gain access to all notes. To make things worse, there is no easy way to immediately end the protected session from the mobile frontend. This makes encrypted notes basically unusable for me when using the phone. Probably this is not very important though, since leaving a laptop unlocked is always a bad idea.
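The core of the report (closing the tab skips the frontend expiry timer) and of the maintainer's fix (enforce expiry in the backend) can be illustrated with a small server-side session holder. This is an added example, not Trilium's code; the class, method names and the injectable clock are hypothetical, and the data key is a constructed placeholder.

```javascript
// Added illustration (not Trilium's own code): a server-side protected
// session whose expiry is decided by the backend clock, so a client that
// closes its tab cannot keep the session alive by never signalling logout.
// ProtectedSessionHolder and its methods are hypothetical names.

const DEFAULT_TIMEOUT_MS = 10 * 60 * 1000; // the 10-minute default from the thread

class ProtectedSessionHolder {
  constructor(timeoutMs = DEFAULT_TIMEOUT_MS, clock = () => Date.now()) {
    this.timeoutMs = timeoutMs;
    this.clock = clock;      // injectable so expiry can be tested deterministically
    this.dataKey = null;     // null means "not in a protected session"
    this.lastActivityAt = 0;
  }

  // Called once the user has entered the protected-session password.
  enter(dataKey) {
    this.dataKey = dataKey;
    this.lastActivityAt = this.clock();
  }

  // Called on each request that uses the session; only a live client can do this.
  touch() {
    if (this.isAvailable()) this.lastActivityAt = this.clock();
  }

  // The backend decides: with no client activity for timeoutMs the key is dropped
  // here, whether or not any frontend timer ever fired.
  isAvailable() {
    if (this.dataKey === null) return false;
    if (this.clock() - this.lastActivityAt > this.timeoutMs) {
      this.dataKey = null;
      return false;
    }
    return true;
  }

  // Every consumer of the key (e.g. title decryption) goes through the check.
  getDataKey() { return this.isAvailable() ? this.dataKey : null; }
}

// Scenario from the report: unlock on the phone, make one request, close the tab.
function simulateClosedTab(timeoutMs) {
  let now = 0;
  const holder = new ProtectedSessionHolder(timeoutMs, () => now);
  holder.enter("constructed-data-key");
  now += 1000; holder.touch();               // one request while the tab was open
  const whileOpen = holder.isAvailable();
  now += timeoutMs + 1;                      // tab closed; server time keeps moving
  return { whileOpen, afterTimeout: holder.isAvailable(), key: holder.getDataKey() };
}
```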