feat(security): implement core crypto and logging hardening
- removed all logging of raw IV, JWK, session tokens, verification codes
  → logs now only include error codes, timestamps and short non-reversible SHA-256 hashes (first 4 bytes)
- replaced global master key storage with PBKDF2-derived non-extractable AES key
  → master key lives only in session memory and is cleared on timeout/focus-out
- added password-based derivation (PBKDF2) for master key initialization
- migrated persistent key storage to AES-GCM wrapped ciphertext in IndexedDB
  → JWK export → encrypt with session master key → store ciphertext + IV + metadata → unwrap + import as non-extractable on restore
- removed busy-wait loops and direct `window.gc()` calls
  → replaced with async non-blocking cleanup via setTimeout/Promise/WebWorker
1284
dist/app-boot.js
vendored
File diff suppressed because it is too large
6
dist/app-boot.js.map
vendored
File diff suppressed because one or more lines are too long