feat(ios): fix QR enrollment + encryption + deep links #76
Jesssullivan merged 4 commits into main on Mar 10, 2026
QRScannerView.handleScan() was passing all scanned strings directly to
processEnrollmentInvite(), which calls the Rust FFI base64 decoder.
Raw JSON payloads (starting with '{') caused "invalid symbol 123,
offset 0" because ASCII 123 = '{' is not valid base64.
Add explicit type detection before any parsing:
- Raw JSON (starts with '{') -> BootstrapConfig.parse() first
- tcfs://bootstrap deep links -> BootstrapConfig.parse()
- tcfs://enroll deep links -> enrollment invite processing
- Opaque strings -> try bootstrap, then enrollment invite
Thread TCFSViewModel through AuthView -> QRScannerView so bootstrap
configs scanned from the Auth section can be saved to keychain.
gen-bootstrap-qr.sh now reads TCFS_ENCRYPTION_KEY_FILE from sops-nix and optionally includes encryption_passphrase and encryption_salt in the QR JSON payload. Fields are omitted when no passphrase is set (plaintext mode). iOS app already handles these optional fields.
Add CFBundleURLTypes to project.yml so iOS opens the TCFS app when handling tcfs://bootstrap and tcfs://enroll deep links. The onOpenURL handler was added in the previous commit.
- gen-bootstrap-qr.sh now signs the JSON payload with BLAKE3 keyed-MAC using the device master key or derived key from encryption passphrase. Adds created_at and expires_at (1h TTL) timestamps.
- New UniFFI export: verify_bootstrap_signature() for iOS-side BLAKE3 signature verification with constant-time comparison.
- BootstrapConfig struct gains created_at, expires_at, signature fields. Expired QR codes are rejected. Unsigned configs accepted with warning.
- blake3 crate added to tcfs-file-provider (uniffi feature only).
Jesssullivan added a commit to tinyland-inc/tummycrypt that referenced this pull request Apr 8, 2026
* fix(ios): route bootstrap QR payloads before base64 decode
QRScannerView.handleScan() was passing all scanned strings directly to
processEnrollmentInvite(), which calls the Rust FFI base64 decoder.
Raw JSON payloads (starting with '{') caused "invalid symbol 123,
offset 0" because ASCII 123 = '{' is not valid base64.
Add explicit type detection before any parsing:
- Raw JSON (starts with '{') -> BootstrapConfig.parse() first
- tcfs://bootstrap deep links -> BootstrapConfig.parse()
- tcfs://enroll deep links -> enrollment invite processing
- Opaque strings -> try bootstrap, then enrollment invite
Thread TCFSViewModel through AuthView -> QRScannerView so bootstrap
configs scanned from the Auth section can be saved to keychain.
* feat(ios): add encryption passphrase + salt to bootstrap QR
gen-bootstrap-qr.sh now reads TCFS_ENCRYPTION_KEY_FILE from sops-nix
and optionally includes encryption_passphrase and encryption_salt in
the QR JSON payload. Fields are omitted when no passphrase is set
(plaintext mode). iOS app already handles these optional fields.
* feat(ios): register tcfs:// URL scheme for deep links
Add CFBundleURLTypes to project.yml so iOS opens the TCFS app when
handling tcfs://bootstrap and tcfs://enroll deep links. The onOpenURL
handler was added in the previous commit.
* feat(ios): add BLAKE3-HMAC signature + expiry to bootstrap QR
- gen-bootstrap-qr.sh now signs the JSON payload with BLAKE3 keyed-MAC
using the device master key or derived key from encryption passphrase.
Adds created_at and expires_at (1h TTL) timestamps.
- New UniFFI export: verify_bootstrap_signature() for iOS-side
BLAKE3 signature verification with constant-time comparison.
- BootstrapConfig struct gains created_at, expires_at, signature fields.
Expired QR codes are rejected. Unsigned configs accepted with warning.
- blake3 crate added to tcfs-file-provider (uniffi feature only).
Summary
- {...} was routed to EnrollmentInvite::decode() which expected base64.
- gen-bootstrap-qr.sh reads TCFS_ENCRYPTION_KEY_FILE from sops-nix and includes encryption credentials in the QR payload (optional — omitted for plaintext mode).
- tcfs:// URL scheme: Added CFBundleURLTypes to project.yml and .onOpenURL handler in TCFSApp for tcfs://bootstrap and tcfs://enroll deep links.

Test plan
- tcfs://bootstrap?data=<base64> deep link opens app and configures
- tcfs://enroll?data=<base64> deep link opens app and processes invite

🤖 Generated with Claude Code
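The routing order described in the first commit (raw JSON, then the two tcfs:// deep links, then opaque strings), sketched in Rust as an added example that is not code from this pull request. `Route`, `route_scan` and `data_param` are hypothetical names, and rejecting a tcfs:// link with an unknown host or no data parameter is an assumption the page does not state.

```rust
// Added example: Route, route_scan and data_param are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum Route<'a> {
    /// Raw JSON: goes to the bootstrap parser, never to the base64 decoder.
    BootstrapJson(&'a str),
    /// tcfs://bootstrap?data=<base64>: bootstrap parser gets the data value.
    BootstrapLink(&'a str),
    /// tcfs://enroll?data=<base64>: enrollment invite processing.
    EnrollLink(&'a str),
    /// Anything else: try bootstrap first, then enrollment invite.
    Opaque(&'a str),
    /// tcfs:// link with an unknown host or no data value (assumed policy).
    Rejected,
}

/// Return the value of `data` from a query string such as "v=1&data=QUJD".
fn data_param(query: &str) -> Option<&str> {
    query
        .split('&')
        .find_map(|kv| kv.strip_prefix("data="))
        .filter(|v| !v.is_empty())
}

pub fn route_scan<'a>(raw: &'a str) -> Route<'a> {
    let s = raw.trim();
    if s.starts_with('{') {
        return Route::BootstrapJson(s);
    }
    if let Some(rest) = s.strip_prefix("tcfs://") {
        // Split "host?query". The host must match exactly, so a link such as
        // "tcfs://bootstrap-x?..." is not treated as a bootstrap link.
        let (host, query) = rest.split_once('?').unwrap_or((rest, ""));
        return match (host, data_param(query)) {
            ("bootstrap", Some(d)) => Route::BootstrapLink(d),
            ("enroll", Some(d)) => Route::EnrollLink(d),
            _ => Route::Rejected,
        };
    }
    Route::Opaque(s)
}

fn main() {
    // Constructed sample inputs, one per scanned-string kind.
    for s in ["{\"x\":1}", "tcfs://enroll?data=QUJD", "QUJD"].iter() {
        println!("{:?}", route_scan(s));
    }
}
```

Percent-encoded query values are not decoded here; a caller that accepts them would decode the returned value before handing it to the parser.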