From 2ea35579d5e27b8a3d4007bf55a1bf7cf6562c07 Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann <mail@quexten.com>
Date: Thu, 28 Aug 2025 15:14:02 +0200
Subject: [PATCH] Re-add biometric unlock on app start to Windows Hello

---
 .../src/app/accounts/settings.component.html  | 13 +++++++++++
 .../src/app/accounts/settings.component.ts    | 23 +++++++++++++++++++
 .../biometrics/desktop.biometrics.service.ts  |  2 ++
 .../main-biometrics-ipc.listener.ts           |  7 ++++++
 .../biometrics/main-biometrics.service.ts     |  8 +++++++
 .../biometrics/renderer-biometrics.service.ts |  8 +++++++
 apps/desktop/src/key-management/preload.ts    | 11 +++++++++
 apps/desktop/src/locales/en/messages.json     |  3 +++
 apps/desktop/src/types/biometric-message.ts   | 13 ++++++++++-
 9 files changed, 87 insertions(+), 1 deletion(-)

diff --git a/apps/desktop/src/app/accounts/settings.component.html b/apps/desktop/src/app/accounts/settings.component.html
index a9fdcd2f088..d2b8bd055a4 100644
--- a/apps/desktop/src/app/accounts/settings.component.html
+++ b/apps/desktop/src/app/accounts/settings.component.html
@@ -80,6 +80,19 @@
                 <small class="help-block" *ngIf="this.form.value.biometric && this.isMac">{{
                   "additionalTouchIdSettings" | i18n
                 }}</small>
+                <!-- Textbox for biometric app start -->
+                <div class="form-group tw-mt-2" *ngIf="this.form.value.biometric && this.isWindows">
+                  <div class="checkbox">
+                    <label for="allowBiometricUnlockOnAppRestart">
+                      <input
+                        id="allowBiometricUnlockOnAppRestart"
+                        type="checkbox"
+                        formControlName="allowBiometricUnlockOnAppRestart"
+                      />
+                      {{ "allowBiometricUnlockOnAppRestart" | i18n }}
+                    </label>
+                  </div>
+                </div>
               </div>
               <div
                 class="form-group"
diff --git a/apps/desktop/src/app/accounts/settings.component.ts b/apps/desktop/src/app/accounts/settings.component.ts
index fd17873a4b1..7bb73ec9e52 100644
--- a/apps/desktop/src/app/accounts/settings.component.ts
+++ b/apps/desktop/src/app/accounts/settings.component.ts
@@ -134,6 +134,7 @@ export class SettingsComponent implements OnInit, OnDestroy {
     vaultTimeoutAction: [VaultTimeoutAction.Lock],
     pin: [null as boolean | null],
     biometric: false,
+    allowBiometricUnlockOnAppRestart: false,
     autoPromptBiometrics: false,
     // Account Preferences
     clearClipboard: [null],
@@ -348,6 +349,9 @@ export class SettingsComponent implements OnInit, OnDestroy {
       ),
       pin: this.userHasPinSet,
       biometric: await this.vaultTimeoutSettingsService.isBiometricLockSet(),
+      allowBiometricUnlockOnAppRestart: await this.biometricsService.hasPersistentKey(
+        activeAccount.id,
+      ),
       autoPromptBiometrics: await firstValueFrom(this.biometricStateService.promptAutomatically$),
       clearClipboard: await firstValueFrom(this.autofillSettingsService.clearClipboardDelay$),
       minimizeOnCopyToClipboard: await firstValueFrom(this.desktopSettingsService.minimizeOnCopy$),
@@ -440,6 +444,25 @@ export class SettingsComponent implements OnInit, OnDestroy {
         takeUntil(this.destroy$),
       )
       .subscribe();
+    this.form.controls.allowBiometricUnlockOnAppRestart.valueChanges
+      .pipe(
+        concatMap(async (enabled) => {
+          const userKey = await firstValueFrom(this.keyService.userKey$(activeAccount.id));
+          if (enabled) {
+            if (!(await this.biometricsService.hasPersistentKey(activeAccount.id))) {
+              await this.biometricsService.enrollPersistent(activeAccount.id, userKey);
+            }
+          } else {
+            await this.biometricsService.deleteBiometricUnlockKeyForUser(activeAccount.id);
+            await this.biometricsService.setBiometricProtectedUnlockKeyForUser(
+              activeAccount.id,
+              userKey,
+            );
+          }
+        }),
+        takeUntil(this.destroy$),
+      )
+      .subscribe();
 
     this.form.controls.enableBrowserIntegration.valueChanges
       .pipe(takeUntil(this.destroy$))
diff --git a/apps/desktop/src/key-management/biometrics/desktop.biometrics.service.ts b/apps/desktop/src/key-management/biometrics/desktop.biometrics.service.ts
index 97e1d322a0e..e3be5b289d0 100644
--- a/apps/desktop/src/key-management/biometrics/desktop.biometrics.service.ts
+++ b/apps/desktop/src/key-management/biometrics/desktop.biometrics.service.ts
@@ -13,4 +13,6 @@ export abstract class DesktopBiometricsService extends BiometricsService {
   ): Promise<void>;
   abstract deleteBiometricUnlockKeyForUser(userId: UserId): Promise<void>;
   abstract setupBiometrics(): Promise<void>;
+  abstract enrollPersistent(userId: UserId, key: SymmetricCryptoKey): Promise<void>;
+  abstract hasPersistentKey(userId: UserId): Promise<boolean>;
 }
diff --git a/apps/desktop/src/key-management/biometrics/main-biometrics-ipc.listener.ts b/apps/desktop/src/key-management/biometrics/main-biometrics-ipc.listener.ts
index d4ce01f53f4..91f61c2e7c1 100644
--- a/apps/desktop/src/key-management/biometrics/main-biometrics-ipc.listener.ts
+++ b/apps/desktop/src/key-management/biometrics/main-biometrics-ipc.listener.ts
@@ -51,6 +51,13 @@ export class MainBiometricsIPCListener {
             return await this.biometricService.setShouldAutopromptNow(message.data as boolean);
           case BiometricAction.GetShouldAutoprompt:
             return await this.biometricService.getShouldAutopromptNow();
+          case BiometricAction.HasPersistentKey:
+            return await this.biometricService.hasPersistentKey(message.userId as UserId);
+          case BiometricAction.EnrollPersistent:
+            return await this.biometricService.enrollPersistent(
+              message.userId as UserId,
+              SymmetricCryptoKey.fromString(message.key as string),
+            );
           default:
             return;
         }
diff --git a/apps/desktop/src/key-management/biometrics/main-biometrics.service.ts b/apps/desktop/src/key-management/biometrics/main-biometrics.service.ts
index f6747d9ea5e..4c820fd67da 100644
--- a/apps/desktop/src/key-management/biometrics/main-biometrics.service.ts
+++ b/apps/desktop/src/key-management/biometrics/main-biometrics.service.ts
@@ -128,4 +128,12 @@ export class MainBiometricsService extends DesktopBiometricsService {
   async canEnableBiometricUnlock(): Promise<boolean> {
     return true;
   }
+
+  async enrollPersistent(userId: UserId, key: SymmetricCryptoKey): Promise<void> {
+    return await this.osBiometricsService.enrollPersistent(userId, key);
+  }
+
+  async hasPersistentKey(userId: UserId): Promise<boolean> {
+    return await this.osBiometricsService.hasPersistentKey(userId);
+  }
 }
diff --git a/apps/desktop/src/key-management/biometrics/renderer-biometrics.service.ts b/apps/desktop/src/key-management/biometrics/renderer-biometrics.service.ts
index c7ed88d390f..0edd7308b45 100644
--- a/apps/desktop/src/key-management/biometrics/renderer-biometrics.service.ts
+++ b/apps/desktop/src/key-management/biometrics/renderer-biometrics.service.ts
@@ -68,4 +68,12 @@ export class RendererBiometricsService extends DesktopBiometricsService {
       BiometricsStatus.ManualSetupNeeded,
     ].includes(biometricStatus);
   }
+
+  async enrollPersistent(userId: UserId, key: SymmetricCryptoKey): Promise<void> {
+    return await ipc.keyManagement.biometric.enrollPersistent(userId, key.toBase64());
+  }
+
+  async hasPersistentKey(userId: UserId): Promise<boolean> {
+    return await ipc.keyManagement.biometric.hasPersistentKey(userId);
+  }
 }
diff --git a/apps/desktop/src/key-management/preload.ts b/apps/desktop/src/key-management/preload.ts
index 7f8576b8472..255c2c26270 100644
--- a/apps/desktop/src/key-management/preload.ts
+++ b/apps/desktop/src/key-management/preload.ts
@@ -50,6 +50,17 @@ const biometric = {
       action: BiometricAction.SetShouldAutoprompt,
       data: should,
     } satisfies BiometricMessage),
+  enrollPersistent: (userId: string, keyB64: string): Promise<void> =>
+    ipcRenderer.invoke("biometric", {
+      action: BiometricAction.EnrollPersistent,
+      userId: userId,
+      key: keyB64,
+    } satisfies BiometricMessage),
+  hasPersistentKey: (userId: string): Promise<boolean> =>
+    ipcRenderer.invoke("biometric", {
+      action: BiometricAction.HasPersistentKey,
+      userId: userId,
+    } satisfies BiometricMessage),
 };
 
 export default {
diff --git a/apps/desktop/src/locales/en/messages.json b/apps/desktop/src/locales/en/messages.json
index eaa5f7f0f1e..e1b2f5e309f 100644
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -1849,6 +1849,9 @@
   "lockWithMasterPassOnRestart1": {
     "message": "Lock with master password on restart"
   },
+  "allowBiometricUnlockOnAppRestart": {
+    "message": "Allow biometric unlock on app restart"
+  },
   "deleteAccount": {
     "message": "Delete account"
   },
diff --git a/apps/desktop/src/types/biometric-message.ts b/apps/desktop/src/types/biometric-message.ts
index 9711b49496d..52224a17736 100644
--- a/apps/desktop/src/types/biometric-message.ts
+++ b/apps/desktop/src/types/biometric-message.ts
@@ -13,6 +13,9 @@ export enum BiometricAction {
 
   GetShouldAutoprompt = "getShouldAutoprompt",
   SetShouldAutoprompt = "setShouldAutoprompt",
+
+  EnrollPersistent = "enrollPersistent",
+  HasPersistentKey = "hasPersistentKey",
 }
 
 export type BiometricMessage =
@@ -22,7 +25,15 @@ export type BiometricMessage =
       key: string;
     }
   | {
-      action: Exclude<BiometricAction, BiometricAction.SetKeyForUser>;
+      action: BiometricAction.EnrollPersistent;
+      userId: string;
+      key: string;
+    }
+  | {
+      action: Exclude<
+        BiometricAction,
+        BiometricAction.SetKeyForUser | BiometricAction.EnrollPersistent
+      >;
       userId?: string;
       data?: any;
     };