Commit 464aa8f
authored
feat(decrypt): add trust-confirmation gate before files reach disk (#258)
* feat(decrypt): add trust-confirmation gate before files reach disk
The download page used to auto-trigger browser downloads the moment
decryption finished. Recipients now see a Confirm panel — same Done
layout (banner + file list + pill chips of verified attributes) plus
two neutral buttons — and decide whether to keep the files. Decline
discards the in-memory blob; accept triggers the download as before.
When the sender disclosed nothing beyond their email, a strong
warning band appears above the buttons. Email alone is a weak claim
(anyone with control of the mailbox could have signed), so the gate
is the right moment to surface that risk.
UX polish that came out of the same round:
- Widen the column to 350px and let the Yivi QR fill it instead of
capping at 330px — the column now visibly wraps the QR.
- New `--pg-success` brand token (light/dark) used only for the
accept button's hover/focus tint; decline tints to the existing
`--pg-input-error`.
- /debug/download-flow: ALL_STATES gains `Confirm` + `Discarded`,
scenarios route through Confirm and pause there for the developer
to click one of the trust buttons, force-state highlight tracks
the live `downloadState` in real time, the page locks to one
viewport height, and the global footer is hidden on `/debug/*`.
Test:
- New `isWeakSenderIdentity` helper alongside `verifiedAttributesFor`,
unit-tested for null, email-only, with-private-attrs, and
empty-value-attribute cases.
* fix(decrypt): address review on trust-confirmation gate
- Confirm gate showed doneMessageComplete ("files have been downloaded
and decrypted") before files reach disk. Add a readyToDownload message
and use it there; the banner no longer contradicts the gate and CTA.
- Migrate the Ready (QR-scan) sender-section to the attr-chips markup. It
still referenced the removed verifiedExtra i18n key and attr-list CSS,
so disclosed attributes rendered as a literal key in an unstyled <dl>.
- Scope isWeakSenderIdentity to senders that actually verified an email.
A missing/unsigned sender no longer triggers the email-only warning,
whose copy does not apply when there is no email to caveat.
* feat(decrypt): warn on unsigned files and time-lock their download
An unsigned file (no verifiable sender at all) is the weakest case of
all, yet it previously showed no caution. Add a dedicated, stronger
warning for it and force the recipient to read before they can accept:
- isUnsignedSender() helper (sender has no verified email) + unit tests.
- Confirm gate now branches: unsigned => louder trustWarnUnsigned band
(thicker border, more saturated fill); email-only keeps the existing
trustWarnEmailOnly band; verified senders show none.
- For the unsigned case only, the download button starts disabled and
fills left-to-right over 5s (TRUST_UNLOCK_MS) before activating, so the
user cannot click through without pausing on the warning. Decline stays
enabled throughout. Other cases remain instantly clickable.
- New i18n key trustWarnUnsigned (en + nl).
- debug/download-flow: replace the email-only toggle with a three-way
sender-identity selector (strong / email-only / unsigned) and mirror
the warning branch + time-locked button so the preview stays faithful;
also sync its Confirm banner to readyToDownload and hide sender
sections when there is no email.
* refactor(decrypt): replace unsigned time-lock with a confirmation modal
The 5s greyed/progress-bar download button read as broken UI. Replace it
with an explicit confirmation step, and refine the warnings per review:
- New shared UnsignedConfirmModal: on an unsigned file, "Download files"
opens a modal (red warning, Cancel / Download anyway, Esc + click-
outside to close, Cancel focused on open) instead of a single click.
Signed files still download on one click. Used by both the download
page and the debug preview.
- Remove the time-lock state/effect/timer and the locked-button CSS.
- Email-only warning is now orange (new --pg-warning token); unsigned
stays red but is no longer bold, so severity reads through colour.
- Strip em-dashes from both warning messages (en + nl).
- New i18n keys: trustConfirmHeader / trustConfirmAccept /
trustConfirmCancel.1 parent 8d1f5dd commit 464aa8f
9 files changed
Lines changed: 1095 additions & 162 deletions
File tree
- src
- lib
- components/filesharing
- locales
- routes/(app)
- debug/download-flow
- download
Lines changed: 197 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
| 157 | + | |
| 158 | + | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
| 169 | + | |
| 170 | + | |
| 171 | + | |
| 172 | + | |
| 173 | + | |
| 174 | + | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
| 184 | + | |
| 185 | + | |
| 186 | + | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
Lines changed: 104 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | | - | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
3 | 7 | | |
4 | 8 | | |
5 | 9 | | |
| |||
91 | 95 | | |
92 | 96 | | |
93 | 97 | | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
| 157 | + | |
| 158 | + | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
| 169 | + | |
| 170 | + | |
| 171 | + | |
| 172 | + | |
| 173 | + | |
| 174 | + | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
| 184 | + | |
| 185 | + | |
| 186 | + | |
| 187 | + | |
| 188 | + | |
| 189 | + | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
23 | 23 | | |
24 | 24 | | |
25 | 25 | | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
70 | 70 | | |
71 | 71 | | |
72 | 72 | | |
| 73 | + | |
| 74 | + | |
73 | 75 | | |
74 | 76 | | |
75 | 77 | | |
| |||
93 | 95 | | |
94 | 96 | | |
95 | 97 | | |
| 98 | + | |
| 99 | + | |
96 | 100 | | |
97 | 101 | | |
98 | 102 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
170 | 170 | | |
171 | 171 | | |
172 | 172 | | |
| 173 | + | |
173 | 174 | | |
174 | | - | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
| 184 | + | |
175 | 185 | | |
176 | 186 | | |
177 | 187 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
170 | 170 | | |
171 | 171 | | |
172 | 172 | | |
| 173 | + | |
173 | 174 | | |
174 | | - | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
| 184 | + | |
175 | 185 | | |
176 | 186 | | |
177 | 187 | | |
| |||
0 commit comments