fix: persist auth state in electron storage (#182)

Author: jonathanlab

apps/array/package.json

@@ -125,6 +125,7 @@
     "file-icon": "^6.0.0",
     "idb-keyval": "^6.2.2",
     "node-addon-api": "^8.5.0",
+    "node-machine-id": "^1.1.12",
     "node-pty": "1.1.0-beta39",
     "posthog-js": "^1.283.0",
     "posthog-node": "^4.18.0",

apps/array/src/main/preload.ts

@@ -42,6 +42,14 @@ contextBridge.exposeInMainWorld("electronAPI", {
     ipcRenderer.invoke("retrieve-api-key", encryptedKey),
   fetchS3Logs: (logUrl: string): Promise<AgentEvent[]> =>
     ipcRenderer.invoke("fetch-s3-logs", logUrl),
+  rendererStore: {
+    getItem: (key: string): Promise<string | null> =>
+      ipcRenderer.invoke("renderer-store:get", key),
+    setItem: (key: string, value: string): Promise<void> =>
+      ipcRenderer.invoke("renderer-store:set", key, value),
+    removeItem: (key: string): Promise<void> =>
+      ipcRenderer.invoke("renderer-store:remove", key),
+  },
   // OAuth API
   oauthStartFlow: (
     region: CloudRegion,

apps/array/src/main/services/store.ts

@@ -1,17 +1,71 @@
+import crypto from "node:crypto";
+import os from "node:os";
 import path from "node:path";
-import { app } from "electron";
+import { app, ipcMain } from "electron";
 import Store from "electron-store";
+import { machineIdSync } from "node-machine-id";
 import type {
   RegisteredFolder,
   TaskFolderAssociation,
 } from "../../shared/types";
 import { deleteWorktreeIfExists } from "./worktreeUtils";
 
+// Key derived from hardware UUID - data only decryptable on this machine
+// No keychain prompts, prevents token theft via cloud sync/backups
+const APP_SALT = "array-v1";
+const ENCRYPTION_VERSION = 1;
+
+function getMachineKey(): Buffer {
+  const machineId = machineIdSync();
+  const identifier = [machineId, os.platform(), os.arch()].join("|");
+  return crypto.scryptSync(identifier, APP_SALT, 32);
+}
+
+function encrypt(plaintext: string): string {
+  const key = getMachineKey();
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final(),
+  ]);
+  const authTag = cipher.getAuthTag();
+
+  return JSON.stringify({
+    v: ENCRYPTION_VERSION,
+    iv: iv.toString("base64"),
+    data: encrypted.toString("base64"),
+    tag: authTag.toString("base64"),
+  });
+}
+
+function decrypt(encryptedJson: string): string | null {
+  try {
+    const { iv, data, tag } = JSON.parse(encryptedJson);
+    const key = getMachineKey();
+    const decipher = crypto.createDecipheriv(
+      "aes-256-gcm",
+      key,
+      Buffer.from(iv, "base64"),
+    );
+    decipher.setAuthTag(Buffer.from(tag, "base64"));
+
+    return decipher.update(data, "base64", "utf8") + decipher.final("utf8");
+  } catch {
+    return null;
+  }
+}
+
 interface FoldersSchema {
   folders: RegisteredFolder[];
   taskAssociations: TaskFolderAssociation[];
 }
 
+interface RendererStoreSchema {
+  [key: string]: string;
+}
+
 const schema = {
   folders: {
     type: "array" as const,
@@ -84,4 +138,30 @@ export async function clearAllStoreData(): Promise<void> {
   }
 
   foldersStore.clear();
+  rendererStore.clear();
 }
+
+export const rendererStore = new Store<RendererStoreSchema>({
+  name: "renderer-storage",
+  cwd: getStorePath(),
+});
+
+// IPC handlers for renderer storage with machine-key encryption
+ipcMain.handle("renderer-store:get", (_event, key: string): string | null => {
+  if (!rendererStore.has(key)) {
+    return null;
+  }
+  const encrypted = rendererStore.get(key) as string;
+  return decrypt(encrypted);
+});
+
+ipcMain.handle(
+  "renderer-store:set",
+  (_event, key: string, value: string): void => {
+    rendererStore.set(key, encrypt(value));
+  },
+);
+
+ipcMain.handle("renderer-store:remove", (_event, key: string): void => {
+  rendererStore.delete(key);
+});

apps/array/src/renderer/features/auth/stores/authStore.ts

@@ -1,5 +1,6 @@
 import { PostHogAPIClient } from "@api/posthogClient";
 import { identifyUser, resetUser, track } from "@renderer/lib/analytics";
+import { electronStorage } from "@renderer/lib/electronStorage";
 import { logger } from "@renderer/lib/logger";
 import { queryClient } from "@renderer/lib/queryClient";
 import type { CloudRegion } from "@shared/types/oauth";
@@ -238,6 +239,13 @@ export const useAuthStore = create<AuthState>()(
       },
 
       initializeOAuth: async () => {
+        // Wait for zustand hydration from async storage
+        if (!useAuthStore.persist.hasHydrated()) {
+          await new Promise<void>((resolve) => {
+            useAuthStore.persist.onFinishHydration(() => resolve());
+          });
+        }
+
         const state = get();
 
         if (state.storedTokens) {
@@ -376,7 +384,8 @@ export const useAuthStore = create<AuthState>()(
       },
     }),
     {
-      name: "mission-control-auth",
+      name: "array-auth",
+      storage: electronStorage,
       partialize: (state) => ({
         cloudRegion: state.cloudRegion,
         storedTokens: state.storedTokens,

apps/array/src/renderer/lib/electronStorage.ts

@@ -0,0 +1,18 @@
+import { createJSONStorage, type StateStorage } from "zustand/middleware";
+
+/**
+ * Raw storage adapter that uses Electron IPC to persist state.
+ */
+const electronStorageRaw: StateStorage = {
+  getItem: async (name: string): Promise<string | null> => {
+    return window.electronAPI.rendererStore.getItem(name);
+  },
+  setItem: async (name: string, value: string): Promise<void> => {
+    await window.electronAPI.rendererStore.setItem(name, value);
+  },
+  removeItem: async (name: string): Promise<void> => {
+    await window.electronAPI.rendererStore.removeItem(name);
+  },
+};
+
+export const electronStorage = createJSONStorage(() => electronStorageRaw);

apps/array/src/renderer/types/electron.d.ts

@@ -1,11 +1,11 @@
-import type { AgentEvent } from "@posthog/agent";
 import type {
   ExternalAppContextMenuResult,
   FolderContextMenuResult,
   SplitContextMenuResult,
   TabContextMenuResult,
   TaskContextMenuResult,
 } from "@main/services/contextMenu.types";
+import type { AgentEvent } from "@posthog/agent";
 import type {
   ChangedFile,
   DetectedApplication,
@@ -22,6 +22,11 @@ declare global {
     storeApiKey: (apiKey: string) => Promise<string>;
     retrieveApiKey: (encryptedKey: string) => Promise<string | null>;
     fetchS3Logs: (logUrl: string) => Promise<AgentEvent[]>;
+    rendererStore: {
+      getItem: (key: string) => Promise<string | null>;
+      setItem: (key: string, value: string) => Promise<void>;
+      removeItem: (key: string) => Promise<void>;
+    };
     // OAuth API
     oauthStartFlow: (region: CloudRegion) => Promise<{
       success: boolean;