zadam / trilium

Build your personal knowledge base with Trilium Notes
GNU Affero General Public License v3.0

(Bug report) In mobile frontend protected notes titles can be left readable indefinitely. #2847

Closed iliakonnov closed 2 years ago

iliakonnov commented 2 years ago

Trilium Version

0.51.2

What operating system are you using?

Other (specify below)

What is your setup?

Server access only

Operating System Version

Android, Google Chrome

Description

Issue: protected mode never expires completely when using the mobile frontend only. More precisely, note titles can be left readable basically forever. Note content is not affected and is always protected.

Steps to reproduce (server access only from now on):

  1. Ensure there is no one connected to the server. I believe I was able to reproduce with clients connected, but it is a bit more tricky.
  2. Open the mobile frontend only and start a protected session by opening any protected note and entering the password.
  3. Before the timeout expires, close the Trilium tab.
  4. Open the mobile frontend again. This can be done after the timeout has already expired.
  5. Observe that note titles are now readable (until a new protected session is started). Note content is not accessible, though.
  6. Bonus: open Trilium on desktop and see that the protected session is still running and notes are completely accessible (until the timeout expires).

The important thing is to close the tab before the protected session ends. This can happen very often when the timeout is set to high values (10 minutes default) and one uses the mobile frontend only for a short time (e.g. to read a single password). In my workflow, I only use the server installation to access notes using the mobile frontend, thus the protected session never ends correctly and titles are basically always available when using the server installation.

Moreover, I've noticed that protected session state syncs between all devices connected to the same Trilium server. This may accidentally lead to starting a protected session on a remote device. For example, one may start a protected session on their phone while a laptop is accidentally left unlocked. Now anyone can simply refresh the tab on the desktop frontend to gain access to all notes. To make things worse, there is no easy way to immediately end the protected session from the mobile frontend. This makes encrypted notes basically unusable for me when using a phone. Probably this is not very important though, since leaving a laptop unlocked is always a bad idea.

zadam commented 2 years ago

Hi, thanks for bringing attention to this. Originally the protected session was handled mostly on the frontend: when the user reloaded a tab, the session was lost, and it also wasn't shared between browser sessions / devices.

But with time Trilium's architecture changed and more and more things got cached, to the current state where the whole note tree (metadata) stays permanently cached in memory. This cache is global and contains either encrypted or decrypted titles, shared for all clients. I can see how it's not ideal for certain edge cases, but given this is single-user software I think it's a manageable compromise.

So now the protected session has been largely managed in the backend, with the exception of this expiration, which brought this issue: if you kill the browser session, you can avoid the expiration altogether. So I ported this last forgotten piece to the backend and this "hole" shouldn't work anymore.

I acknowledge that there isn't a button to log out of protected session in the mobile frontend, but with the correct expiration it's hopefully not a show stopper. I created #2850 to cover that.
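The fix zadam describes, modelled as an added example that is not Trilium's own code: the expiry of the protected session is checked on the server at every access to protected data, so a client that closes its tab (and with it any client-side timer) cannot keep titles decrypted past the timeout. The 10-minute default, the `createProtectedSession`/`titleFor` names and the fake clock are assumptions of this example.

```javascript
// Assumed default timeout, matching the 10 minutes mentioned in the issue.
const DEFAULT_TIMEOUT_MS = 10 * 60 * 1000;

// Server-side protected session. `now` is injected so the expiry logic can
// be exercised with a fake clock; in a real server it would be Date.now.
function createProtectedSession(now = Date.now, timeoutMs = DEFAULT_TIMEOUT_MS) {
  let active = false;
  let lastAccess = 0;
  return {
    start() { active = true; lastAccess = now(); },
    end() { active = false; lastAccess = 0; },
    // Called by the backend before revealing any protected data. Expiry is
    // decided here, from the server's own clock, never from a browser timer.
    isActive() {
      if (!active) return false;
      if (now() - lastAccess > timeoutMs) { this.end(); return false; }
      lastAccess = now(); // sliding expiration: activity extends the session
      return true;
    },
  };
}

// Simplified model of the global tree cache: a title is handed to any client
// in the clear only while the server-side session is still valid.
function titleFor(note, session) {
  return session.isActive() ? note.title : '[protected]';
}

// Constructed fake clock for an offline demonstration.
function makeClock(startMs) {
  let t = startMs;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// Demonstration: a session started, then no requests for longer than the
// timeout (the "tab was closed" case), then a new request from any client.
const clock = makeClock(0);
const session = createProtectedSession(clock.now);
const note = { title: 'Constructed protected note' };
session.start();
console.log(titleFor(note, session));        // decrypted while active
clock.advance(11 * 60 * 1000);               // tab closed, timer never fired
console.log(titleFor(note, session));        // server still expires it
```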