fix: avoid keyless credential path when enabling OneKey Cloud (#10428)

* fix: guard cloud sync invalid-password check during enable flow

* fix: add keyless manual sync entry and split cloud sync last update time

* fix: separate manual sync entries for OneKey ID and Keyless

* fix: avoid keyless credential path when enabling OneKey Cloud

---------

Co-authored-by: Leon <lixiao.dev@gmail.com>

Author: sidmorizon

packages/kit-bg/src/services/ServicePrimeCloudSync/ServicePrimeCloudSync.tsx

@@ -98,6 +98,10 @@ import type { AxiosResponse } from 'axios';
 
 const nonceZero = 0;
 
+// Guard for the first-enable window: server pwdHash can be temporarily empty
+// before initial flush/lock upload finishes.
+let oneKeyIdCloudSyncEnableFlowCount = 0;
+
 @backgroundClass()
 class ServicePrimeCloudSync extends ServiceBase {
   constructor({ backgroundApi }: { backgroundApi: any }) {
@@ -1442,6 +1446,46 @@ class ServicePrimeCloudSync extends ServiceBase {
     );
   }
 
+  async buildSyncCredentialForOneKeyId({
+    password,
+  }: {
+    password: string;
+  }): Promise<ICloudSyncCredential> {
+    const {
+      masterPasswordUUID,
+      // encryptedSecurityPasswordR1
+    } = await primeMasterPasswordPersistAtom.get();
+    // if (!masterPasswordUUID || !encryptedSecurityPasswordR1) {
+    //   void this.showAlertDialogIfLocalPasswordNotSet();
+    //   throw new OneKeyError(
+    //     'No masterPasswordUUID or encryptedSecurityPasswordR1 in atom',
+    //   );
+    // }
+    //
+    const securityPasswordR1Info =
+      await this.backgroundApi.serviceMasterPassword.getSecurityPasswordR1InfoSafe(
+        {
+          passcode: password,
+        },
+      );
+    const securityPasswordR1 = securityPasswordR1Info?.securityPasswordR1;
+    const accountSalt = securityPasswordR1Info?.accountSalt;
+
+    if (!securityPasswordR1) {
+      throw new OneKeyError('Failed to decrypt securityPasswordR1');
+    }
+    if (!accountSalt) {
+      throw new OneKeyError('Failed to get accountSalt');
+    }
+
+    return {
+      primeAccountSalt: accountSalt,
+      securityPasswordR1,
+      masterPasswordUUID,
+      keylessCredential: undefined,
+    };
+  }
+
   // TODO remove cache when logout, lock, change password/passcode, etc.
   getSyncCredentialWithCache = memoizee(
     async (): Promise<ICloudSyncCredential> => {
@@ -1464,39 +1508,7 @@ class ServicePrimeCloudSync extends ServiceBase {
         return this.buildSyncCredentialWithKeylessCredential(keylessCredential);
       }
 
-      const {
-        masterPasswordUUID,
-        // encryptedSecurityPasswordR1
-      } = await primeMasterPasswordPersistAtom.get();
-      // if (!masterPasswordUUID || !encryptedSecurityPasswordR1) {
-      //   void this.showAlertDialogIfLocalPasswordNotSet();
-      //   throw new OneKeyError(
-      //     'No masterPasswordUUID or encryptedSecurityPasswordR1 in atom',
-      //   );
-      // }
-      //
-      const securityPasswordR1Info =
-        await this.backgroundApi.serviceMasterPassword.getSecurityPasswordR1InfoSafe(
-          {
-            passcode: password,
-          },
-        );
-      const securityPasswordR1 = securityPasswordR1Info?.securityPasswordR1;
-      const accountSalt = securityPasswordR1Info?.accountSalt;
-
-      if (!securityPasswordR1) {
-        throw new OneKeyError('Failed to decrypt securityPasswordR1');
-      }
-      if (!accountSalt) {
-        throw new OneKeyError('Failed to get accountSalt');
-      }
-
-      return {
-        primeAccountSalt: accountSalt,
-        securityPasswordR1,
-        masterPasswordUUID,
-        keylessCredential: undefined,
-      };
+      return this.buildSyncCredentialForOneKeyId({ password });
     },
     {
       max: 1,
@@ -1542,6 +1554,10 @@ class ServicePrimeCloudSync extends ServiceBase {
   @backgroundMethod()
   @toastIfError()
   async toggleCloudSync({ enabled }: { enabled: boolean }) {
+    const shouldTrackEnableFlow = enabled;
+    if (shouldTrackEnableFlow) {
+      oneKeyIdCloudSyncEnableFlowCount += 1;
+    }
     try {
       if (enabled) {
         const {
@@ -1581,6 +1597,12 @@ class ServicePrimeCloudSync extends ServiceBase {
       await this.setCloudSyncEnabled(false);
       throw error;
     } finally {
+      if (shouldTrackEnableFlow) {
+        oneKeyIdCloudSyncEnableFlowCount = Math.max(
+          0,
+          oneKeyIdCloudSyncEnableFlowCount - 1,
+        );
+      }
       void this.backgroundApi.servicePrime.apiFetchPrimeUserInfo();
     }
   }
@@ -1609,11 +1631,25 @@ class ServicePrimeCloudSync extends ServiceBase {
   }
 
   @backgroundMethod()
-  async updateLastSyncTime() {
+  async updateLastSyncTime({
+    syncMode,
+  }: {
+    syncMode?: ECloudSyncMode;
+  } = {}) {
+    const activeSyncMode = syncMode ?? (await this.getActiveSyncMode());
+    const now = Date.now();
     await primeCloudSyncPersistAtom.set(
       (v): IPrimeCloudSyncPersistAtomData => ({
         ...v,
-        lastSyncTime: Date.now(),
+        lastSyncTime: now,
+        lastSyncTimeOneKeyId:
+          activeSyncMode === ECloudSyncMode.OnekeyId
+            ? now
+            : v.lastSyncTimeOneKeyId,
+        lastSyncTimeKeyless:
+          activeSyncMode === ECloudSyncMode.Keyless
+            ? now
+            : v.lastSyncTimeKeyless,
       }),
     );
   }
@@ -1680,6 +1716,9 @@ class ServicePrimeCloudSync extends ServiceBase {
   }: {
     serverUserInfo: IPrimeServerUserInfo;
   }) {
+    if (oneKeyIdCloudSyncEnableFlowCount > 0) {
+      return;
+    }
     if (serverUserInfo.pwdHash) {
       return;
     }
@@ -2065,11 +2104,12 @@ class ServicePrimeCloudSync extends ServiceBase {
         }),
       },
       async () => {
-        syncCredential = await this.getSyncCredentialSafe();
-        // verify local password match with server master password
-        if (!syncCredential) {
-          throw new OneKeyError('Master password set failed');
-        }
+        // Force OneKey ID credential here. Enabling OneKey Cloud can start
+        // while Keyless is still enabled, and mode-based credential lookup
+        // would otherwise route to Keyless and fail.
+        syncCredential = await this.buildSyncCredentialForOneKeyId({
+          password,
+        });
         await this.initLocalSyncItemsDB({ password, syncCredential });
         let status:
           | {

packages/kit-bg/src/states/jotai/atoms/prime.ts

@@ -40,6 +40,8 @@ export const {
 export type IPrimeCloudSyncPersistAtomData = {
   isCloudSyncEnabled: boolean;
   lastSyncTime?: number;
+  lastSyncTimeOneKeyId?: number;
+  lastSyncTimeKeyless?: number;
 
   isCloudSyncEnabledKeyless?: boolean;
 };

packages/kit/src/views/Prime/pages/PrimeCloudSync/PagePrimeCloudSync.tsx

@@ -37,6 +37,7 @@ import { EPrimeFeatures, EPrimePages } from '@onekeyhq/shared/src/routes/prime';
 import { formatDistanceToNow } from '@onekeyhq/shared/src/utils/dateUtils';
 import { isNeverLockDuration } from '@onekeyhq/shared/src/utils/passwordUtils';
 import timerUtils from '@onekeyhq/shared/src/utils/timerUtils';
+import { ECloudSyncMode } from '@onekeyhq/shared/types/keylessCloudSync';
 
 import { AppAutoLockSettingsView } from '../../../Setting/pages/AppAutoLock';
 import { usePrimeRequirements } from '../../hooks/usePrimeRequirements';
@@ -45,6 +46,13 @@ function isAutoLockValueNotAllowed(value: number) {
   return isNeverLockDuration(value) || value === Number(ELockDuration.Hour4);
 }
 
+function formatSyncLastUpdateTime(syncTime?: number): string {
+  if (syncTime) {
+    return formatDistanceToNow(new Date(syncTime));
+  }
+  return ' - ';
+}
+
 function AutoLockUpdateDialogContent({
   onContinue,
   onError,
@@ -96,7 +104,13 @@ function AutoLockUpdateDialogContent({
   );
 }
 
-function EnableOneKeyCloudSwitchListItem() {
+function EnableOneKeyCloudSwitchListItem({
+  onManualSyncOneKeyId,
+  onManualSyncKeyless,
+}: {
+  onManualSyncOneKeyId: () => Promise<void>;
+  onManualSyncKeyless: () => Promise<void>;
+}) {
   const [config] = usePrimeCloudSyncPersistAtom();
   const [devSettings] = useDevSettingsPersistAtom();
   const { isPrimeSubscriptionActive } = useOneKeyAuth();
@@ -108,12 +122,29 @@ function EnableOneKeyCloudSwitchListItem() {
 
   const intl = useIntl();
 
-  const lastUpdateTime = useMemo<string>(() => {
-    if (config.lastSyncTime) {
-      return formatDistanceToNow(new Date(config.lastSyncTime));
-    }
-    return ' - ';
-  }, [config.lastSyncTime]);
+  const shouldUseLegacyLastSyncTime =
+    !config.lastSyncTimeOneKeyId && !config.lastSyncTimeKeyless;
+
+  const oneKeyIdLastUpdateTime = useMemo<string>(() => {
+    const syncTime = shouldUseLegacyLastSyncTime
+      ? config.lastSyncTime
+      : config.lastSyncTimeOneKeyId;
+    return formatSyncLastUpdateTime(syncTime);
+  }, [
+    config.lastSyncTime,
+    config.lastSyncTimeOneKeyId,
+    shouldUseLegacyLastSyncTime,
+  ]);
+  const keylessLastUpdateTime = useMemo<string>(() => {
+    const syncTime = shouldUseLegacyLastSyncTime
+      ? config.lastSyncTime
+      : config.lastSyncTimeKeyless;
+    return formatSyncLastUpdateTime(syncTime);
+  }, [
+    config.lastSyncTime,
+    config.lastSyncTimeKeyless,
+    shouldUseLegacyLastSyncTime,
+  ]);
   const { ensurePrimeSubscriptionActive } = usePrimeRequirements();
 
   const [passwordSettings] = usePasswordPersistAtom();
@@ -138,7 +169,7 @@ function EnableOneKeyCloudSwitchListItem() {
       icon="CloudOutline"
       subtitle={`${intl.formatMessage({
         id: ETranslations.prime_last_update,
-      })} : ${lastUpdateTime}`}
+      })} : ${oneKeyIdLastUpdateTime}`}
     >
       {!isPrimeUser ? (
         <Badge badgeSize="sm" badgeType="default">
@@ -238,7 +269,7 @@ function EnableOneKeyCloudSwitchListItem() {
       icon="CloudOutline"
       subtitle={`${intl.formatMessage({
         id: ETranslations.prime_last_update,
-      })} : ${lastUpdateTime}`}
+      })} : ${keylessLastUpdateTime}`}
     >
       <Switch
         disabled={false}
@@ -263,7 +294,27 @@ function EnableOneKeyCloudSwitchListItem() {
   return (
     <>
       {showKeylessCloudSync ? keylessSwitchItem : null}
+      {showKeylessCloudSync && config?.isCloudSyncEnabledKeyless ? (
+        <ListItem
+          title={intl.formatMessage({
+            id: ETranslations.wallet_backup_now,
+          })}
+          icon="RefreshCwOutline"
+          drillIn
+          onPress={onManualSyncKeyless}
+        />
+      ) : null}
       {onekeyIdSwitchItem}
+      {config?.isCloudSyncEnabled ? (
+        <ListItem
+          title={intl.formatMessage({
+            id: ETranslations.wallet_backup_now,
+          })}
+          icon="RefreshCwOutline"
+          drillIn
+          onPress={onManualSyncOneKeyId}
+        />
+      ) : null}
     </>
   );
 }
@@ -316,15 +367,7 @@ function AppDataSection() {
 
   const intl = useIntl();
 
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  const lastUpdateTime = useMemo<string>(() => {
-    if (config.lastSyncTime) {
-      return formatDistanceToNow(new Date(config.lastSyncTime));
-    }
-    return ' - ';
-  }, [config.lastSyncTime]);
-
-  const handleManualSync = useCallback(async () => {
+  const handleManualSyncOneKeyId = useCallback(async () => {
     if (!config.isCloudSyncEnabled) {
       return;
     }
@@ -340,10 +383,12 @@ function AppDataSection() {
         }),
       });
       await backgroundApiProxy.servicePrimeCloudSync.startServerSyncFlow({
-        callerName: 'Manual Cloud Sync',
+        callerName: 'Manual Cloud Sync OneKey ID',
         noDebounceUpload: true,
       });
-      await backgroundApiProxy.servicePrimeCloudSync.updateLastSyncTime();
+      await backgroundApiProxy.servicePrimeCloudSync.updateLastSyncTime({
+        syncMode: ECloudSyncMode.OnekeyId,
+      });
     } finally {
       manualSyncingRef.current = false;
       await timerUtils.wait(1000);
@@ -357,20 +402,47 @@ function AppDataSection() {
     });
   }, [config.isCloudSyncEnabled, intl]);
 
+  const handleManualSyncKeyless = useCallback(async () => {
+    if (!config.isCloudSyncEnabledKeyless) {
+      return;
+    }
+    if (manualSyncingRef.current) {
+      return;
+    }
+    manualSyncingRef.current = true;
+    try {
+      await backgroundApiProxy.servicePassword.promptPasswordVerify();
+      await backgroundApiProxy.serviceApp.showDialogLoading({
+        title: intl.formatMessage({
+          id: ETranslations.global_syncing,
+        }),
+      });
+      await backgroundApiProxy.servicePrimeCloudSync.startServerSyncFlow({
+        callerName: 'Manual Cloud Sync Keyless',
+        noDebounceUpload: true,
+      });
+      await backgroundApiProxy.servicePrimeCloudSync.updateLastSyncTime({
+        syncMode: ECloudSyncMode.Keyless,
+      });
+    } finally {
+      manualSyncingRef.current = false;
+      await timerUtils.wait(1000);
+      await backgroundApiProxy.serviceApp.hideDialogLoading();
+    }
+    void backgroundApiProxy.serviceApp.showToast({
+      method: 'success',
+      title: intl.formatMessage({
+        id: ETranslations.global_sync_successfully,
+      }),
+    });
+  }, [config.isCloudSyncEnabledKeyless, intl]);
+
   return (
     <>
-      <EnableOneKeyCloudSwitchListItem />
-
-      {config?.isCloudSyncEnabled ? (
-        <ListItem
-          title={intl.formatMessage({
-            id: ETranslations.wallet_backup_now,
-          })}
-          icon="RefreshCwOutline"
-          drillIn
-          onPress={handleManualSync}
-        />
-      ) : null}
+      <EnableOneKeyCloudSwitchListItem
+        onManualSyncOneKeyId={handleManualSyncOneKeyId}
+        onManualSyncKeyless={handleManualSyncKeyless}
+      />
 
       {config?.isCloudSyncEnabled || isServerMasterPasswordSet ? (
         <ListItem