Device management: list, key status, session revocation, naming, suspicious-login warnings, recovery escalation#772
Open
Timrossid wants to merge 21 commits into
Open
Conversation
…CI checks - Add useFocusTrap hook for focus trapping and restoration across all dialogs - Add jsx-a11y ESLint plugin and axe-core Playwright for CI checks - Fix primary flows keyboard completeness (arrow nav, escape handlers) - Fix focus restoration after overlays close (ShortcutOverlay, CommandPalette, ProofInspectorModal, SenderConversionDialog, SnoozeDialog, SettingsModal, Compose) - Add live region announcements (aria-live) for proof inspector and app root - Fix ARIA roles: dialog attributes on SettingsModal, Compose, provenance modal - Fix EmailList invalid listbox role (changed to list) - Add aria-labels to icon-only buttons in EmailView, Sidebar collapsed state - Add aria-current to sidebar navigation, aria-label to nav landmarks - Add Escape key handlers to Topbar dropdown menus - Add data-shortcuts-disabled attribute support for WCAG 2.1.4 compliance - Add screen-reader live regions to root layout for status/alert announcements - Add accessibility E2E spec with axe-core violation checks
…cation, naming, suspicious-login warnings, and recovery escalation - Add Device and Session domain models, repository methods, and in-memory store - Create device service: register, rename, revoke, flag compromised, suspicious login detection - Add TanStack Start API routes: GET /devices, GET /devices/recovery, GET /devices/:deviceId, PUT /devices/:deviceId/name, POST /devices/:deviceId/revoke, POST /devices/:deviceId/compromised, POST /sessions/:sessionId/revoke - Expand audit log with device.registered, device.renamed, device.revoked, device.trust_toggled, device.key_rotated, device.recovery_activated, device.suspicious_login events (all security category, no sensitive body content) - Build device management UI in Security settings tab: - Current device identification banner - Device list with key status badges (active/compromised/revoked/rotated) - Relative time formatting for last activity - Inline device renaming - Revoke with detailed consequence explanation - Compromised device flagging with immediate session invalidation - Suspicious login alert banner for compromised devices - Revocation consequences info panel - Account recovery status with device/trusted counts - Encryption key display with rotation confirmation dialog - Confirmation dialog with contextual styling (danger/warning/info) - Audit history explicitly excludes message body content
3fb8294 to
d586129
Compare
…, key rotation, trust toggling, and API integration Backend improvements: - Add RecoveryMethod domain model, repository, service, and API routes (CRUD) - Add device registration endpoint (POST /devices/register) - Add key rotation endpoint (POST /devices/rotate-keys) - Add trust toggling endpoint (POST /devices/:id/trust) - Expand device service with: toggleDeviceTrust, rotateDeviceKeys, createRecoveryMethod, deleteRecoveryMethod - Improve registerDevice to reject revoked/compromised device re-registration - Add OpenAPI documentation for all 11 new device/session endpoints - Add 19 comprehensive unit tests covering all device service functions Frontend overhaul: - Wire up useDevices hook to real API calls via apiFetch helper - Add error banner, toast notifications (sonner), and dismissable errors - Add security alert banner with pulsing icon for compromised devices - Add warning banner for revoked devices - Add recovery methods management UI (add with type-selector form, list with icons, remove with confirmation) - Add inline trust toggling button for each device (visual feedback) - Add key rotation with confirmation dialog and loading state - Add device registration prompt when no devices exist - Add spinner and disabled state during confirmation actions - Show active key count, device status info on revoked/compromised cards - Update RecoveryStatus type to include recoveryMethods array
…issing shortcuts variable)
- AudienceSegmentEditor: add htmlFor + id to associate labels with controls - PersonaPicker: add Escape key handler to dialog backdrop - policy-editor/route: change <label> to <span> (not form controls) - DealLeadMailTracker: remove unnecessary tabIndex on li items - SharedDraftList/WatchlistList: remove redundant role='list'/'listitem' - payment-approval-form: add eslint-disable for form keydown handler - payment-approval-list: move aria-sort from button to th - migrations: remove unused eslint-disable directive
Collaborator
|
@Timrossid \fix \cl |
…ement - Fix prettier syntax error in Sidebar.tsx (removed duplicate nested <nav>) - Add missing IdempotencyRecord interface to domain.ts - Add missing idempotency Map field to MemoryApiRepository - Add IdempotencyRecord import to repository.ts and memory-repository.ts - Fix undefined hasUnread reference in SettingsModal (import useChangelog) - Clear idempotency map in memory repository reset() These fixes resolve the failing CI checks for the device management feature.
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why this matters
Users need visibility and control over which devices can decrypt mail or authorize protocol actions.
What's implemented
Backend API (11 endpoints)
Domain Model
Device Service
Audit Log (7 new event kinds)
All security-category, no message body content:
Frontend UI (Security tab in Settings)
Tests
19 comprehensive unit tests covering all device service functions.
OpenAPI Documentation
All 11 device/session endpoints documented with schemas for Device and RecoveryMethod.
Acceptance Criteria
Success Signal
A user revokes a lost device and confirms future access denial in under two minutes.
Closes #73