Fix Zero-Knowledge vaults: set the passphrase at creation + verify on unlock

You could create a ZK space but were never asked to *set* a passphrase: the first
thing typed on entry silently became the key, with no confirmation and no wrong-
passphrase check — a typo encrypted files under a passphrase you couldn't reproduce
('Déchiffrement impossible'). The crypto was correct; the flow wasn't.

- Creating a secured space now prompts for the passphrase twice (confirmation).
- A per-vault 'verifier' (a constant encrypted with the vault key) is stored so
  unlocking can detect a wrong passphrase immediately, and a stale cached key is
  rejected instead of trusted. Legacy vaults (no verifier) behave as before.
- Client now generates the per-vault salt so it can derive the key before the
  round-trip; server falls back to its own salt if absent.
- Schema: Folder.zkVerifier (+ migration); shared create schema accepts zkSalt /
  zkVerifier; serializer/types expose zkVerifier.
- Also bump the GitHub update-check timeout to 12s.

41 tests pass.

Author: softpython2884

apps/api/prisma/migrations/20260620161439_add_zk_verifier/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Folder" ADD COLUMN     "zkVerifier" TEXT;

apps/api/prisma/schema.prisma

@@ -113,6 +113,10 @@ model Folder {
   // Per-vault random salt for the client's PBKDF2 key derivation (ZK folders only).
   // Not secret; storing it per vault defeats cross-vault precomputation. null = legacy.
   zkSalt          String?
+  // Opaque "key check value": a constant encrypted client-side with the vault key when the
+  // vault is created. The client decrypts it on unlock to confirm the passphrase is correct
+  // (so a typo is caught immediately instead of corrupting uploads). null = legacy vault.
+  zkVerifier      String?
   // Soft-delete: when set, the folder is in the Trash (hidden from the Drive) until it is
   // restored or purged. Trashing a folder cascades this timestamp to its whole subtree.
   deletedAt       DateTime?

apps/api/src/lib/serialize.ts

@@ -39,6 +39,7 @@ export function toPublicFolder(f: Folder): PublicFolder {
     parentId: f.parentId,
     isZeroKnowledge: f.isZeroKnowledge,
     zkSalt: f.zkSalt,
+    zkVerifier: f.zkVerifier,
     createdAt: f.createdAt.toISOString(),
   };
 }

apps/api/src/routes/folders.ts

@@ -51,8 +51,11 @@ export const folderRoutes: FastifyPluginAsync = async (app) => {
           parentId: body.parentId ?? null,
           name: body.name,
           isZeroKnowledge: isZk,
-          // Fresh per-vault salt so each vault's passphrase derivation is independent.
-          zkSalt: isZk ? randomToken(16) : null,
+          // Per-vault salt: prefer the client's (so it can derive the key before the round-trip),
+          // else a fresh server one. Independent per vault either way.
+          zkSalt: isZk ? (body.zkSalt ?? randomToken(16)) : null,
+          // Passphrase verifier supplied by the client (so unlock can detect a wrong passphrase).
+          zkVerifier: isZk ? (body.zkVerifier ?? null) : null,
         },
       });
       await audit(req, 'folder.create', { target: folder.id });

apps/api/src/services/version.ts

@@ -102,7 +102,7 @@ export async function getRemoteVersion(env: Env): Promise<RemoteVersion | null>
   try {
     const res = await fetch(
       `https://api.github.com/repos/${env.GITHUB_REPO}/commits/${encodeURIComponent(env.UPDATE_BRANCH)}`,
-      { headers, signal: AbortSignal.timeout(8000) },
+      { headers, signal: AbortSignal.timeout(12000) },
     );
     if (!res.ok) return null;
     const c = (await res.json()) as GithubCommit;
@@ -129,7 +129,7 @@ export async function commitsBehind(env: Env, base: string, head: string): Promi
   try {
     const res = await fetch(
       `https://api.github.com/repos/${env.GITHUB_REPO}/compare/${base}...${head}`,
-      { headers, signal: AbortSignal.timeout(8000) },
+      { headers, signal: AbortSignal.timeout(12000) },
     );
     if (!res.ok) return null;
     const data = (await res.json()) as { ahead_by?: number };

apps/web/src/app/(app)/drive/page.tsx

@@ -39,7 +39,15 @@ import type { PublicFile, PublicFolder } from '@opencoperlock/shared/client';
 import { formatBytes } from '@opencoperlock/shared/client';
 import { api, API_URL, ApiError } from '@/lib/api';
 import { useAuth } from '@/lib/auth';
-import { decryptBlob, decryptName, deriveVaultKey, encryptFile } from '@/lib/zk';
+import {
+  checkVerifier,
+  decryptBlob,
+  decryptName,
+  deriveVaultKey,
+  encryptFile,
+  makeVerifier,
+  randomSalt,
+} from '@/lib/zk';
 import { fileVisual } from '@/lib/fileType';
 import { FileViewer, type ViewerSource } from '@/components/FileViewer';
 import { Menu } from '@/components/ui/Menu';
@@ -78,6 +86,7 @@ export default function EspacesPage() {
   // passphrase prompt
   const [askPass, setAskPass] = useState<PublicFolder | null>(null);
   const [passInput, setPassInput] = useState('');
+  const [passError, setPassError] = useState<string | null>(null);
 
   const spaces = useMemo(() => allFolders.filter((f) => f.parentId === null), [allFolders]);
   const activeSpace = useMemo(
@@ -147,21 +156,33 @@ export default function EspacesPage() {
     if (space.isZeroKnowledge) {
       const cached = sessionStorage.getItem(passKey(space.id));
       if (cached) {
-        setVaultKey(await deriveVaultKey(cached, space.zkSalt));
-      } else {
-        setPassInput('');
-        setAskPass(space);
+        const key = await deriveVaultKey(cached, space.zkSalt);
+        // Trust the cache only if it still matches the vault's verifier (legacy vaults have none).
+        if (!space.zkVerifier || (await checkVerifier(key, space.zkVerifier))) {
+          setVaultKey(key);
+          return;
+        }
+        sessionStorage.removeItem(passKey(space.id));
       }
+      setPassInput('');
+      setPassError(null);
+      setAskPass(space);
     }
   }
 
   async function submitPassphrase() {
     if (!askPass || !passInput) return;
     const key = await deriveVaultKey(passInput, askPass.zkSalt);
+    // Reject a wrong passphrase up-front instead of silently caching a bad key.
+    if (askPass.zkVerifier && !(await checkVerifier(key, askPass.zkVerifier))) {
+      setPassError('Phrase de passe incorrecte.');
+      return;
+    }
     sessionStorage.setItem(passKey(askPass.id), passInput);
     setVaultKey(key);
     setAskPass(null);
     setPassInput('');
+    setPassError(null);
   }
 
   function leaveSpace() {
@@ -184,8 +205,45 @@ export default function EspacesPage() {
       ],
     });
     if (!kind) return;
+
+    if (kind === 'secured') {
+      // Set the vault passphrase now, with confirmation, and store a verifier so a wrong
+      // passphrase is caught on unlock. The passphrase never leaves the browser.
+      const pass = await prompt({
+        title: 'Phrase de passe du coffre',
+        message:
+          'Elle chiffre vos fichiers dans le navigateur et n’est jamais envoyée au serveur. Notez-la précieusement : elle est irrécupérable en cas d’oubli.',
+        label: 'Phrase de passe',
+        password: true,
+      });
+      if (!pass) return;
+      const again = await prompt({ title: 'Confirmez la phrase de passe', label: 'Retapez-la', password: true });
+      if (again === null) return;
+      if (again !== pass) {
+        toast('Les phrases de passe ne correspondent pas.', 'error');
+        return;
+      }
+      try {
+        const salt = randomSalt();
+        const key = await deriveVaultKey(pass, salt);
+        const verifier = await makeVerifier(key);
+        const res = await api.post<{ folder: PublicFolder }>('/folders', {
+          name,
+          isZeroKnowledge: true,
+          zkSalt: salt,
+          zkVerifier: verifier,
+        });
+        sessionStorage.setItem(passKey(res.folder.id), pass);
+        await loadFolders();
+        toast('Espace sécurisé créé', 'success');
+      } catch (err) {
+        setError(err instanceof ApiError ? err.message : 'Création impossible');
+      }
+      return;
+    }
+
     try {
-      await api.post('/folders', { name, isZeroKnowledge: kind === 'secured' });
+      await api.post('/folders', { name, isZeroKnowledge: false });
       await loadFolders();
       toast('Espace créé', 'success');
     } catch (err) {
@@ -665,10 +723,14 @@ export default function EspacesPage() {
                 autoFocus
                 placeholder="Phrase de passe"
                 value={passInput}
-                onChange={(e) => setPassInput(e.target.value)}
+                onChange={(e) => {
+                  setPassInput(e.target.value);
+                  if (passError) setPassError(null);
+                }}
               />
+              {passError && <p className="text-sm text-red-300">{passError}</p>}
               <div className="flex justify-end gap-2">
-                <button type="button" className="btn-ghost" onClick={() => setAskPass(null)}>
+                <button type="button" className="btn-ghost" onClick={() => { setAskPass(null); setPassError(null); }}>
                   Annuler
                 </button>
                 <button type="submit" className="btn-primary" disabled={!passInput}>

apps/web/src/lib/zk.ts

@@ -57,6 +57,34 @@ export async function deriveVaultKey(passphrase: string, zkSalt: string | null):
   );
 }
 
+/** A fresh, non-secret per-vault salt (hex) generated client-side at vault creation. */
+export function randomSalt(): string {
+  const bytes = crypto.getRandomValues(new Uint8Array(16));
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
+}
+
+// A constant encrypted under the vault key to form a "key check value": decrypting it back
+// to this exact string proves the passphrase is correct, without revealing anything.
+const VERIFIER_TOKEN = 'opencoperlock.zk.verify.v1';
+
+/** Build the passphrase verifier stored with a new vault (iv.ciphertext, base64). */
+export async function makeVerifier(vaultKey: CryptoKey): Promise<string> {
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, vaultKey, enc.encode(VERIFIER_TOKEN));
+  return `${toB64(iv.buffer)}.${toB64(ct)}`;
+}
+
+/** True when `vaultKey` correctly decrypts the stored verifier (i.e. the passphrase matches). */
+export async function checkVerifier(vaultKey: CryptoKey, verifier: string): Promise<boolean> {
+  try {
+    const [ivB64, ctB64] = verifier.split('.');
+    const plain = await crypto.subtle.decrypt({ name: 'AES-GCM', iv: fromB64(ivB64!) }, vaultKey, fromB64(ctB64!));
+    return dec.decode(plain) === VERIFIER_TOKEN;
+  } catch {
+    return false;
+  }
+}
+
 export interface EncryptedUpload {
   blob: Blob;
   encryptedName: string;

packages/shared/src/schemas.ts

@@ -57,6 +57,11 @@ export const createFolderSchema = z.object({
   name: folderNameSchema,
   parentId: cuidSchema.nullable().optional(),
   isZeroKnowledge: z.boolean().optional().default(false),
+  // Client-generated per-vault salt (hex) for a new ZK vault; the server falls back to its
+  // own random salt if omitted. Ignored for normal folders.
+  zkSalt: z.string().min(8).max(128).optional(),
+  // Opaque passphrase verifier (iv.ciphertext) for a new ZK vault; ignored for normal folders.
+  zkVerifier: z.string().max(1024).optional(),
 });
 export type CreateFolderInput = z.infer<typeof createFolderSchema>;
 

packages/shared/src/types.ts

@@ -28,6 +28,8 @@ export interface PublicFolder {
   isZeroKnowledge: boolean;
   /** Per-vault PBKDF2 salt for ZK folders (null for normal folders / legacy vaults). */
   zkSalt: string | null;
+  /** Opaque passphrase verifier for ZK vaults (null for normal folders / legacy vaults). */
+  zkVerifier: string | null;
   createdAt: string;
 }