fix: protect BitBox pairing against stale hash on re-pair#308
Merged
Conversation
`BitboxService` is a DI singleton, so a second pairing attempt in the same app session (re-open from welcome, KYC retry flow, or after an in-flight cancel) hits the same `BitboxManager` instance. Its `getChannelHash()` can still return the previous session's hash before the new `pair()` handshake lands the new one, which would then be shown to the user and not match the code on the device. Snapshot the hash before starting init() and require the polled value to differ from it. While in confirmPairing, drop the `?? Future.value(true)` fallback on `_pendingInit`: the state guard above guarantees it is non-null on this path, and silently substituting "init succeeded" hides any real state inconsistency.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
getChannelHash()before startinginit()and require the polled hash to differ from it_pendingInit ?? Future.value(true)fallback inconfirmPairingand use the bang assertion the state guard already guaranteesWhy
Stale hash on re-pair
BitboxServiceis registered as a DI singleton (lib/setup/di.dart:121), and theBitboxManagerinstance inside it persists across pairings. The connect modal is reachable from at least two entry points (welcome_page.dart,kyc_registration_page.dart), and any second pairing attempt within the same app session goes through that same SDK instance.Before this PR, the polling loop accepted any non-empty hash. If
bitboxManager.getChannelHash()still holds the previous session's hash when polling starts, the app shows the old hash while the BitBox displays the new one — codes don't match, user is stuck.The 500 ms first-iteration delay introduced in #305 (
...so the SDK can finish setting up its Go-side device pointer...) confirms there is a real timing gap during which the SDK is not yet up-to-date for the new session, which is precisely the window where stale hashes surface.The fix records the hash once before
init()runs and ignores any polled hash that matches the snapshot.??fallback in confirmPairing_pendingInit ?? Future.value(true)silently substitutes "init succeeded" if the future is missing. Theis! BitboxCheckHashstate guard at the top ofconfirmPairingalready guarantees thatconnectToBitboxset_pendingInit. The fallback only triggers in an impossible state, and if that state ever became reachable, returningtruewould letchannelHashVerify()run on an unverified channel — exactly the crash #301 set out to prevent.Replacing it with the bang assertion makes the precondition explicit and matches the project's bang usage in similar state-guarded code paths.
Changes
lib/screens/hardware_connect_bitbox/bloc/connect_bitbox_cubit.dart: addpriorHashsnapshot +hash != priorHashcheck in polling; replace??fallback with bang on_pendingInitTest plan
BitboxConnecting(swipe modal down before code appears): noStateError, no orphaned timer (regression check for fix: prevent orphaned timer leak on BitBox modal dismiss #303)