sneak/AutistMask
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: sneak:b799686cd43ceb674c0b8cd741da8c383f890ae7
Branches Tags
sneak:main sneak:feat/issue-144-settings-about sneak:feat/issue-131-transaction-view-layout sneak:fix/116-timestamps-include-timezone sneak:feature/expanded-warnings sneak:fix/cross-wallet-duplicate-detection sneak:feature/copy-flash-feedback sneak:feature/issue-82-new-address-warning sneak:feature/82-warn-new-address sneak:issue-99-block-number-external-link sneak:issue-99-block-number-styling sneak:feature/82-zero-history-warning sneak:fix/issue-99-block-number-link-copy sneak:fix/99-block-number-clickable sneak:fix/87-consistent-error-display-v2 sneak:fix/87-consistent-error-display sneak:fix/consistent-error-display sneak:fix/77-confirm-tx-persist sneak:fix/issue-72-address-token-tx-history sneak:fix/70-confirm-tx-contract-display sneak:fix/issue-58-receive-address-consistency sneak:fix/59-transaction-view-ui-policies sneak:fix/55-swap-show-own-address sneak:feature/show-private-key sneak:feat/message-signing
sneak:v0.1.0
...
compare: sneak:feature/show-private-key
Branches Tags
sneak:feat/issue-144-settings-about sneak:main sneak:feat/issue-131-transaction-view-layout sneak:fix/116-timestamps-include-timezone sneak:feature/expanded-warnings sneak:fix/cross-wallet-duplicate-detection sneak:feature/copy-flash-feedback sneak:feature/issue-82-new-address-warning sneak:feature/82-warn-new-address sneak:issue-99-block-number-external-link sneak:issue-99-block-number-styling sneak:feature/82-zero-history-warning sneak:fix/issue-99-block-number-link-copy sneak:fix/99-block-number-clickable sneak:fix/87-consistent-error-display-v2 sneak:fix/87-consistent-error-display sneak:fix/consistent-error-display sneak:fix/77-confirm-tx-persist sneak:fix/issue-72-address-token-tx-history sneak:fix/70-confirm-tx-contract-display sneak:fix/issue-58-receive-address-consistency sneak:fix/59-transaction-view-ui-policies sneak:fix/55-swap-show-own-address sneak:feature/show-private-key sneak:feat/message-signing
sneak:v0.1.0

1 Commits
b799686cd4 ... feature/sh

Author SHA1 Message Date
user
78c050e1fa feat: add private key viewing for addresses
All checks were successful
check / check (push) Successful in 22s
Details 
Add a 'Show private key' button on the address detail view that opens
a dedicated password-prompt screen with a clear warning about key
sensitivity. After correct password entry, the derived private key is
displayed in a read-only well with a copy button.

- Add getPrivateKeyForAddress() to wallet.js
- Add showPrivateKey view with password verification
- Add clipboard policy section to README explaining why we never
  auto-clear the clipboard
- Register new view in helpers.js VIEWS array and wire up in index.js

Closes #19
 2026-02-28 07:40:25 -08:00
7 changed files with 215 additions and 0 deletions
Expand all files Collapse all files

35
README.md
View File

@@ -213,6 +213,22 @@ create an address with the same visible characters and trick the user into
sending funds to it. Showing the complete identifier defeats this class of sending funds to it. Showing the complete identifier defeats this class of
attack. attack.
#### Clipboard Policy
AutistMask never clears or overwrites the user's clipboard. When sensitive data
such as a private key is copied, it is the user's responsibility to manage their
clipboard afterwards. We deliberately avoid auto-clearing the clipboard for two
reasons:
1. **User expectations**: silently modifying the clipboard violates the
principle of least surprise. The user initiated the copy and knows the
content is sensitive.
2. **Data safety**: the user may have copied something else important in the
intervening time. A timed clipboard clear would destroy that unrelated data.
The warning shown before revealing a private key makes it clear that the key is
sensitive and that clipboard management is the user's responsibility.
#### Data Model #### Data Model
The core hierarchy is **Wallets → Addresses**: The core hierarchy is **Wallets → Addresses**:
@@ -316,15 +332,34 @@ transitions.
- Balance list: ETH + tracked ERC-20 tokens (4 decimal places, USD inline). - Balance list: ETH + tracked ERC-20 tokens (4 decimal places, USD inline).
Each balance row is clickable → **AddressToken** Each balance row is clickable → **AddressToken**
- Send / Receive / + Token buttons - Send / Receive / + Token buttons
- "Show private key" button
- Transaction list (with ENS resolution for counterparties) - Transaction list (with ENS resolution for counterparties)
- **Transitions**: - **Transitions**:
- Tap balance row → **AddressToken** (for that token) - Tap balance row → **AddressToken** (for that token)
- "Send" → **Send** - "Send" → **Send**
- "Receive" → **Receive** - "Receive" → **Receive**
- "+ Token" → **AddToken** - "+ Token" → **AddToken**
- "Show private key" → **ShowPrivateKey**
- Tap transaction row → **TransactionDetail** - Tap transaction row → **TransactionDetail**
- "Back" → **Home** - "Back" → **Home**
#### ShowPrivateKey
- **When**: User clicked "Show private key" on AddressDetail.
- **Elements**:
- "Back" button
- Title: "Display Private Key"
- Warning box (lock + money icons) explaining the key controls funds and
that the user is responsible for clipboard management
- Password input
- "Display Private Key" button (with lock + money icons)
- After reveal: private key in a read-only well (monospace, select-all),
Copy button, Done button
- **Transitions**:
- "Display Private Key" (correct password) → reveals key in-place
- "Copy" → copies key to clipboard
- "Done" / "Back" → **AddressDetail** (key cleared from DOM)
#### AddressToken #### AddressToken
- **When**: User clicked a specific token balance on AddressDetail. - **When**: User clicked a specific token balance on AddressDetail.

80
src/popup/index.html
View File

@@ -307,6 +307,15 @@
</button> </button>
</div> </div>
<div class="mb-3">
<button
id="btn-show-private-key"
class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer text-xs"
>
&#128274; Show private key
</button>
</div>
<!-- transactions --> <!-- transactions -->
<div class="mt-3"> <div class="mt-3">
<div class="border-b border-border pb-1 mb-1"> <div class="border-b border-border pb-1 mb-1">
@@ -318,6 +327,77 @@
</div> </div>
</div> </div>
<!-- ============ SHOW PRIVATE KEY ============ -->
<div id="view-show-private-key" class="view hidden">
<button
id="btn-show-pk-back"
class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer mb-2"
>
&lt; Back
</button>
<h2 class="font-bold mb-2">Display Private Key</h2>
<!-- password prompt section -->
<div id="show-pk-prompt">
<div
class="border border-border border-dashed p-3 mb-3 text-xs"
>
<p class="mb-1">
&#128274;&#128176; Your private key controls this
address and all its funds. Anyone who has it can
spend your tokens.
</p>
<p>
Do not share it. Do not paste it into websites. If
you copy it, you are responsible for clearing your
clipboard when you are done.
</p>
</div>
<div class="mb-2">
<label class="block mb-1">Password</label>
<input
type="password"
id="show-pk-password"
class="border border-border p-1 w-full font-mono text-sm bg-bg text-fg"
placeholder="Enter your password"
/>
</div>
<div
id="show-pk-error"
class="text-xs mb-2 border border-border border-dashed p-1 hidden"
></div>
<button
id="btn-show-pk-reveal"
class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer"
>
&#128274;&#128176; Display Private Key
</button>
</div>
<!-- revealed key section -->
<div id="show-pk-key-well" class="hidden">
<div
class="bg-well p-3 mx-1 mb-3 break-all font-mono text-xs select-all"
>
<span id="show-pk-key-value"></span>
</div>
<div class="flex gap-2">
<button
id="btn-show-pk-copy"
class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer"
>
Copy
</button>
<button
id="btn-show-pk-done"
class="border border-border px-2 py-1 hover:bg-fg hover:text-bg cursor-pointer"
>
Done
</button>
</div>
</div>
</div>
<!-- ============ ADDRESS-TOKEN DETAIL VIEW ============ --> <!-- ============ ADDRESS-TOKEN DETAIL VIEW ============ -->
<div id="view-address-token" class="view hidden"> <div id="view-address-token" class="view hidden">
<button <button

3
src/popup/index.js
View File

@@ -19,6 +19,7 @@ const txStatus = require("./views/txStatus");
const transactionDetail = require("./views/transactionDetail"); const transactionDetail = require("./views/transactionDetail");
const receive = require("./views/receive"); const receive = require("./views/receive");
const addToken = require("./views/addToken"); const addToken = require("./views/addToken");
const showPrivateKey = require("./views/showPrivateKey");
const settings = require("./views/settings"); const settings = require("./views/settings");
const settingsAddToken = require("./views/settingsAddToken"); const settingsAddToken = require("./views/settingsAddToken");
const approval = require("./views/approval"); const approval = require("./views/approval");
@@ -56,6 +57,7 @@ const ctx = {
showAddWalletView: () => addWallet.show(), showAddWalletView: () => addWallet.show(),
showImportKeyView: () => importKey.show(), showImportKeyView: () => importKey.show(),
showAddressDetail: () => addressDetail.show(), showAddressDetail: () => addressDetail.show(),
showPrivateKey: () => showPrivateKey.show(),
showAddressToken: () => addressToken.show(), showAddressToken: () => addressToken.show(),
showAddTokenView: () => addToken.show(), showAddTokenView: () => addToken.show(),
showConfirmTx: (txInfo) => confirmTx.show(txInfo), showConfirmTx: (txInfo) => confirmTx.show(txInfo),
@@ -212,6 +214,7 @@ async function init() {
importKey.init(ctx); importKey.init(ctx);
home.init(ctx); home.init(ctx);
addressDetail.init(ctx); addressDetail.init(ctx);
showPrivateKey.init(ctx);
addressToken.init(ctx); addressToken.init(ctx);
send.init(ctx); send.init(ctx);
confirmTx.init(ctx); confirmTx.init(ctx);

4
src/popup/views/addressDetail.js
View File

@@ -261,6 +261,10 @@ function init(_ctx) {
}); });
$("btn-add-token").addEventListener("click", ctx.showAddTokenView); $("btn-add-token").addEventListener("click", ctx.showAddTokenView);
$("btn-show-private-key").addEventListener("click", () => {
ctx.showPrivateKey();
});
} }
module.exports = { init, show }; module.exports = { init, show };

1
src/popup/views/helpers.js
View File

@@ -16,6 +16,7 @@ const VIEWS = [
"import-key", "import-key",
"main", "main",
"address", "address",
"show-private-key",
"address-token", "address-token",
"send", "send",
"confirm-tx", "confirm-tx",

79
src/popup/views/showPrivateKey.js Normal file
View File

@@ -0,0 +1,79 @@
const { $, showView, showFlash, showError, hideError } = require("./helpers");
const { state } = require("../../shared/state");
const { decryptWithPassword } = require("../../shared/vault");
const { getPrivateKeyForAddress } = require("../../shared/wallet");
let ctx;
let revealed = false;
function show() {
revealed = false;
$("show-pk-password").value = "";
$("show-pk-key-well").classList.add("hidden");
$("show-pk-key-value").textContent = "";
$("show-pk-prompt").classList.remove("hidden");
hideError("show-pk-error");
showView("show-private-key");
}
function init(_ctx) {
ctx = _ctx;
$("btn-show-pk-back").addEventListener("click", () => {
clearKey();
ctx.showAddressDetail();
});
$("btn-show-pk-reveal").addEventListener("click", async () => {
const pw = $("show-pk-password").value;
if (!pw) {
showError("show-pk-error", "Please enter your password.");
return;
}
const wallet = state.wallets[state.selectedWallet];
let decryptedSecret;
try {
decryptedSecret = await decryptWithPassword(
wallet.encryptedSecret,
pw,
);
} catch (_e) {
showError("show-pk-error", "Wrong password.");
return;
}
const privateKey = getPrivateKeyForAddress(
wallet,
state.selectedAddress,
decryptedSecret,
);
revealed = true;
$("show-pk-prompt").classList.add("hidden");
$("show-pk-key-well").classList.remove("hidden");
$("show-pk-key-value").textContent = privateKey;
hideError("show-pk-error");
});
$("btn-show-pk-copy").addEventListener("click", () => {
const key = $("show-pk-key-value").textContent;
if (key) {
navigator.clipboard.writeText(key);
showFlash("Copied!");
}
});
$("btn-show-pk-done").addEventListener("click", () => {
clearKey();
ctx.showAddressDetail();
});
}
function clearKey() {
revealed = false;
$("show-pk-key-value").textContent = "";
$("show-pk-password").value = "";
}
module.exports = { init, show };

13
src/shared/wallet.js
View File

@@ -41,6 +41,18 @@ function getSignerForAddress(walletData, addrIndex, decryptedSecret) {
return new Wallet(decryptedSecret); return new Wallet(decryptedSecret);
} }
function getPrivateKeyForAddress(walletData, addrIndex, decryptedSecret) {
if (walletData.type === "hd") {
const node = HDNodeWallet.fromPhrase(
decryptedSecret,
"",
BIP44_ETH_PATH,
);
return node.deriveChild(addrIndex).privateKey;
}
return decryptedSecret;
}
function isValidMnemonic(mnemonic) { function isValidMnemonic(mnemonic) {
return Mnemonic.isValidMnemonic(mnemonic); return Mnemonic.isValidMnemonic(mnemonic);
} }
@@ -51,5 +63,6 @@ module.exports = {
hdWalletFromMnemonic, hdWalletFromMnemonic,
addressFromPrivateKey, addressFromPrivateKey,
getSignerForAddress, getSignerForAddress,
getPrivateKeyForAddress,
isValidMnemonic, isValidMnemonic,
}; };