feat: add encrypted backup with password protection

Implement encrypted export/import with password dialogs and AES encryption for data security. Co-authored-by: Simon <85533298+handsomezhuzhu@users.noreply.github.com>
2026-04-18 22:32:53 +00:00 · 2026-03-21 11:45:34 +00:00
parent 756a0c5be1
commit 2a97c30530
4 changed files with 840 additions and 712 deletions
--- a/app/page.tsx
+++ b/app/page.tsx
@@ -162,7 +162,11 @@ export default function TwoFactorAuth() {
  const [isCameraOpen, setIsCameraOpen] = useState(false)
  const [isSettingsOpen, setIsSettingsOpen] = useState(false)
  const [editingToken, setEditingToken] = useState<TOTPToken | null>(null)
-  const [showAdvanced, setShowAdvanced] = useState(false)
+  const [showExportPassword, setShowExportPassword] = useState(false)
  const [exportPassword, setExportPassword] = useState("")
  const [importPassword, setImportPassword] = useState("")
  const [showImportPassword, setShowImportPassword] = useState(false)
  const [importFile, setImportFile] = useState<File | null>(null)
  const videoRef = useRef<HTMLVideoElement>(null)
  const canvasRef = useRef<HTMLCanvasElement>(null)
  const fileInputRef = useRef<HTMLInputElement>(null)
@@ -560,47 +564,74 @@ export default function TwoFactorAuth() {
    }
  }
-  // Export tokens
+  // Export tokens with password encryption
-  const exportTokens = () => {
+  const exportTokens = async () => {
-    const data = JSON.stringify(tokens, null, 2)
+    try {
-    const blob = new Blob([data], { type: "application/json" })
+      const data = JSON.stringify(tokens)
-    const url = URL.createObjectURL(blob)
+      
-    const a = document.createElement("a")
+      // Dynamic import of crypto-js
-    a.href = url
+      const CryptoJS = (await import("crypto-js")).default
-    a.download = "2fa-tokens-backup.json"
+      
-    a.click()
+      // Encrypt the data with password
-    URL.revokeObjectURL(url)
+      const encrypted = CryptoJS.AES.encrypt(data, exportPassword).toString()
-    toast({
+      
-      title: t.exportSuccess,
+      // Create blob and download
-      description: t.exportedJson,
+      const blob = new Blob([encrypted], { type: "application/octet-stream" })
-    })
+      const url = URL.createObjectURL(blob)
      const a = document.createElement("a")
      a.href = url
      a.download = "2fa-tokens-backup.enc"
      a.click()
      URL.revokeObjectURL(url)
      setExportPassword("")
      setShowExportPassword(false)
      toast({
        title: t.exportSuccess,
        description: t.exportedJson,
      })
    } catch {
      toast({
        title: t.error,
        description: "Failed to export backup",
        variant: "destructive",
      })
    }
  }
-  // Import tokens
+  // Import tokens with password decryption
-  const importTokens = (event: React.ChangeEvent<HTMLInputElement>) => {
+  const importTokens = async (file: File) => {
-    const file = event.target.files?.[0]
+    try {
-    if (!file) return
+      const encryptedData = await file.text()
      const CryptoJS = (await import("crypto-js")).default
-    const reader = new FileReader()
+      // Decrypt the data with password
-    reader.onload = (e) => {
+      const decrypted = CryptoJS.AES.decrypt(encryptedData, importPassword).toString(
-      try {
+        CryptoJS.enc.Utf8
-        const imported = JSON.parse(e.target?.result as string)
+      )
-        if (Array.isArray(imported)) {
+      
-          setTokens([...tokens, ...imported])
+      if (!decrypted) {
-          toast({
+        throw new Error("Invalid password")
-            title: t.importSuccess,
+      }
-            description: `${t.added} ${imported.length} ${t.importedTokens}`,
+      
-          })
+      const imported = JSON.parse(decrypted)
-        }
+      if (Array.isArray(imported)) {
-      } catch {
+        setTokens([...tokens, ...imported])
        setImportPassword("")
        setImportFile(null)
        setShowImportPassword(false)
        toast({
-          title: t.importFailed,
+          title: t.importSuccess,
-          description: t.invalidFormat,
+          description: `${t.added} ${imported.length} ${t.importedTokens}`,
          variant: "destructive",
        })
      }
    } catch {
      toast({
        title: t.importFailed,
        description: "Invalid password or corrupted file",
        variant: "destructive",
      })
    }
    reader.readAsText(file)
  }
  // Filter and sort tokens
@@ -745,17 +776,14 @@ export default function TwoFactorAuth() {
                    <div className="border-t pt-4 space-y-3">
                      <Label>{t.dataManagement}</Label>
                      <div className="flex gap-2">
-                        <Button variant="outline" size="sm" onClick={exportTokens}>
+                  <Button variant="outline" size="sm" onClick={() => setShowExportPassword(true)}>
-                          <Download className="h-4 w-4 mr-2" />
+                    <Download className="h-4 w-4 mr-2" />
-                          {t.exportBackup}
+                    {t.exportBackup}
-                        </Button>
+                  </Button>
-                        <Button variant="outline" size="sm" asChild>
+                  <Button variant="outline" size="sm" onClick={() => setShowImportPassword(true)}>
-                          <label>
+                    <Upload className="h-4 w-4 mr-2" />
-                            <Upload className="h-4 w-4 mr-2" />
+                    {t.importBackup}
-                            {t.importBackup}
+                  </Button>
                            <input type="file" accept=".json" className="hidden" onChange={importTokens} />
                          </label>
                        </Button>
                      </div>
                    </div>
                  </div>
@@ -1156,6 +1184,96 @@ export default function TwoFactorAuth() {
        </footer>
      )}
      {/* Export Password Dialog */}
      <Dialog open={showExportPassword} onOpenChange={setShowExportPassword}>
        <DialogContent>
          <DialogHeader>
            <DialogTitle>Set Export Password</DialogTitle>
          </DialogHeader>
          <div className="space-y-4 py-4">
            <div className="space-y-2">
              <Label>Password</Label>
              <Input
                type="password"
                placeholder="Enter a password to protect your backup"
                value={exportPassword}
                onChange={(e) => setExportPassword(e.target.value)}
              />
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => setShowExportPassword(false)}>
              {t.cancel}
            </Button>
            <Button 
              onClick={exportTokens}
              disabled={!exportPassword}
            >
              <Download className="h-4 w-4 mr-2" />
              {t.exportBackup}
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      {/* Import Password Dialog */}
      <Dialog open={showImportPassword} onOpenChange={(open) => {
        if (!open) {
          setShowImportPassword(false)
          setImportFile(null)
          setImportPassword("")
        } else {
          setShowImportPassword(true)
        }
      }}>
        <DialogContent>
          <DialogHeader>
            <DialogTitle>Import Backup</DialogTitle>
          </DialogHeader>
          <div className="space-y-4 py-4">
            <div className="space-y-2">
              <Label>Select File</Label>
              <Input
                type="file"
                accept=".enc"
                onChange={(e) => {
                  setImportFile(e.target.files?.[0] || null)
                }}
              />
            </div>
            <div className="space-y-2">
              <Label>Password</Label>
              <Input
                type="password"
                placeholder="Enter the password for this backup"
                value={importPassword}
                onChange={(e) => setImportPassword(e.target.value)}
              />
            </div>
          </div>
          <DialogFooter>
            <Button variant="outline" onClick={() => {
              setShowImportPassword(false)
              setImportFile(null)
              setImportPassword("")
            }}>
              {t.cancel}
            </Button>
            <Button 
              onClick={() => {
                if (importFile) {
                  importTokens(importFile)
                }
              }}
              disabled={!importPassword || !importFile}
            >
              <Upload className="h-4 w-4 mr-2" />
              {t.importBackup}
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
      <Toaster />
    </div>
  )
--- a/lib/i18n.tsx
+++ b/lib/i18n.tsx
@@ -102,8 +102,8 @@ const translations = {
    extractedInfo: "已从 URI 中提取信息",
    parseFailed: "解析失败",
    invalidUri: "无效的 otpauth URI",
-    exportSuccess: "导出成功",
+  exportSuccess: "导出成功",
-    exportedJson: "令牌已导出为 JSON 文件",
+  exportedJson: "令牌已导出为加密备份文件",
    importSuccess: "导入成功",
    importedTokens: "个令牌",
    importFailed: "导入失败",
@@ -213,8 +213,8 @@ const translations = {
    extractedInfo: "Extracted info from URI",
    parseFailed: "Parse failed",
    invalidUri: "Invalid otpauth URI",
-    exportSuccess: "Export successful",
+  exportSuccess: "Export successful",
-    exportedJson: "Tokens exported as JSON file",
+  exportedJson: "Tokens exported as encrypted backup file",
    importSuccess: "Import successful",
    importedTokens: "tokens",
    importFailed: "Import failed",
--- a/package.json
+++ b/package.json
@@ -42,6 +42,7 @@
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
    "cmdk": "1.0.4",
    "crypto-js": "4.2.0",
    "date-fns": "4.1.0",
    "embla-carousel-react": "8.5.1",
    "input-otp": "1.4.1",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml