Handle macOS keychain access failures explicitly

Author: justinvforvendetta

src/App.vue

@@ -56,6 +56,8 @@ export default {
           trapFocus: true
         })
       }
+    }).catch(error => {
+      this.$authManager.showKeychainAccessError(error, 'Keychain Access Needed')
     })
 
     ipcRenderer.on('open-settings', () => {

src/authentication/index.ts

@@ -24,6 +24,19 @@ class AuthManager {
     this.$buefy = vue.$buefy
   }
 
+  public showKeychainAccessError (error: any, title: string = Keytar.accessErrorTitle): void {
+    const details = error && error.originalMessage ? `<br/><br/><small>${error.originalMessage}</small>` : ''
+
+    this.$buefy.dialog.alert({
+      title,
+      message: `${Keytar.accessErrorMessage}${details}`,
+      type: 'is-danger',
+      hasIcon: true,
+      ariaRole: 'alertdialog',
+      ariaModal: true
+    })
+  }
+
   public async authenticate (pin: string): Promise<boolean> {
     this.authenticated = await this.validateAuthentication(pin)
 
@@ -134,7 +147,7 @@ class AuthManager {
   }
 
   public async changePin (pin: string): Promise<boolean> {
-    Keytar.setCredentials(Keytar.appService, 'application', pin)
+    await Keytar.setCredentials(Keytar.appService, 'application', pin)
 
     this.authenticated = true
 

src/utils/keytar/index.ts

@@ -4,22 +4,42 @@ import Log from 'electron-log'
 export default class Keytar {
   static readonly appService: string = 'MyVergies'
   static readonly walletService: string = 'MyVergies Wallet'
+  static readonly accessErrorTitle: string = 'Keychain Access Needed'
+  static readonly accessErrorMessage: string = 'MyVergies could not access the macOS Keychain. Enter your Mac login password and choose "Always Allow" if prompted, then try again. If you denied access earlier, restart MyVergies and retry.'
 
-  static setCredentials (service: string, account: string, credentials: string) {
+  static async setCredentials (service: string, account: string, credentials: string) {
     Log.info(`set credentials for service "${service}" and account "${account}"`)
 
-    return electron.ipcRenderer.sendSync('set-password', service, account, credentials)
+    return await this.request('set-password', service, account, credentials)
   }
 
-  static getCredentials (service: string, account: string) {
+  static async getCredentials (service: string, account: string) {
     Log.info(`get credentials for service "${service}" and account "${account}"`)
 
-    return electron.ipcRenderer.sendSync('get-password', service, account)
+    return await this.request('get-password', service, account)
   }
 
-  static deleteCredentials (service: string, account: string) {
+  static async deleteCredentials (service: string, account: string) {
     Log.info(`delete credentials for service "${service}" and account "${account}"`)
 
-    return electron.ipcRenderer.sendSync('delete-password', service, account)
+    return await this.request('delete-password', service, account)
+  }
+
+  static isAccessError (error: any): boolean {
+    return Boolean(error && error.isKeytarAccessError)
+  }
+
+  protected static async request (channel: string, ...args: any[]) {
+    try {
+      return await electron.ipcRenderer.invoke(channel, ...args)
+    } catch (error) {
+      Log.error(`keychain request "${channel}" failed: ${error instanceof Error ? error.message : String(error)}`)
+
+      const wrappedError: any = new Error(Keytar.accessErrorMessage)
+      wrappedError.isKeytarAccessError = true
+      wrappedError.originalMessage = error instanceof Error ? error.message : String(error)
+
+      throw wrappedError
+    }
   }
 }

src/utils/keytar/main.ts

@@ -2,20 +2,39 @@ import keytar from 'keytar'
 import electron from 'electron'
 import Log from 'electron-log'
 
-electron.ipcMain.on('get-password', async (event, service: string, wallet: string) => {
+const logKeytarError = (action: string, service: string, wallet: string, error: any) => {
+  Log.error(`keychain ${action} failed for service "${service}" and wallet "${wallet}": ${error instanceof Error ? error.message : String(error)}`)
+}
+
+electron.ipcMain.handle('get-password', async (event, service: string, wallet: string) => {
   Log.info(`request password for service "${service}" and wallet "${wallet}"`)
 
-  event.returnValue = await keytar.getPassword(service, wallet)
+  try {
+    return await keytar.getPassword(service, wallet)
+  } catch (error) {
+    logKeytarError('read', service, wallet, error)
+    throw error
+  }
 })
 
-electron.ipcMain.on('set-password', async (event, service: string, wallet: string, credentials: string) => {
+electron.ipcMain.handle('set-password', async (event, service: string, wallet: string, credentials: string) => {
   Log.info(`request set password for service "${service}" and wallet "${wallet}"`)
 
-  event.returnValue = await keytar.setPassword(service, wallet, credentials)
+  try {
+    return await keytar.setPassword(service, wallet, credentials)
+  } catch (error) {
+    logKeytarError('write', service, wallet, error)
+    throw error
+  }
 })
 
-electron.ipcMain.on('delete-password', async (event, service: string, wallet: string) => {
+electron.ipcMain.handle('delete-password', async (event, service: string, wallet: string) => {
   Log.info(`request delete password for service "${service}" and wallet "${wallet}"`)
 
-  event.returnValue = await keytar.deletePassword(service, wallet)
+  try {
+    return await keytar.deletePassword(service, wallet)
+  } catch (error) {
+    logKeytarError('delete', service, wallet, error)
+    throw error
+  }
 })

src/views/Authentication/AuthenticationModal.vue

@@ -79,6 +79,8 @@ export default {
         } else {
           this.$emit('authenticated')
         }
+      }).catch(error => {
+        this.$authManager.showKeychainAccessError(error, 'Could Not Unlock Wallet')
       })
     },
 

src/views/Settings/AddPinModal.vue

@@ -98,6 +98,8 @@ export default {
           message: this.$i18n.t('settings.pinAdded'),
           type: 'is-success'
         })
+      }).catch(error => {
+        this.$authManager.showKeychainAccessError(error, 'Could Not Save PIN')
       })
     },
 

src/views/Settings/ChangePinModal.vue

@@ -125,6 +125,8 @@ export default {
           message: this.$i18n.t('settings.pinChanged'),
           type: 'is-success'
         })
+      }).catch(error => {
+        this.$authManager.showKeychainAccessError(error, 'Could Not Change PIN')
       })
     },
 
@@ -135,6 +137,8 @@ export default {
         } else {
           this.stage = 1
         }
+      }).catch(error => {
+        this.$authManager.showKeychainAccessError(error, 'Could Not Read PIN')
       })
     },
 

src/views/Wallet/Create/WalletSetupView.vue

@@ -90,6 +90,12 @@ export default {
 
         this.createdWallet = wallet
       }).catch(error => {
+        if (this.$authManager && this.$authManager.showKeychainAccessError && error && error.isKeytarAccessError) {
+          this.$authManager.showKeychainAccessError(error, 'Could Not Save Wallet')
+
+          return
+        }
+
         this.$buefy.dialog.alert({
           message: error.toString(),
           onConfirm: () => {

src/walletManager/index.ts

@@ -9,6 +9,26 @@ const walletManager: PluginFunction<any> = function (vue: typeof Vue, options: a
 
   loadWallets(options.store).then((wallets: WalletConfigItem[]) => {
     vue.prototype.$walletManager.boot(new ManagerConfig(wallets))
+  }).catch((error: any) => {
+    if (Keytar.isAccessError(error)) {
+      const details = error && error.originalMessage ? `<br/><br/><small>${error.originalMessage}</small>` : ''
+
+      vue.prototype.$buefy.dialog.alert({
+        title: 'Could Not Load Wallets',
+        message: `${Keytar.accessErrorMessage}${details}`,
+        type: 'is-danger',
+        hasIcon: true
+      })
+
+      return
+    }
+
+    vue.prototype.$buefy.dialog.alert({
+      title: 'Could Not Load Wallets',
+      message: error.toString(),
+      type: 'is-danger',
+      hasIcon: true
+    })
   })
 }