fix(trezor): persist password and login in HD mode #2746

Merged
CharlVS merged 3 commits into release/hot-fix-trezor-login from hotfix/trezor-password-derivation
Jun 6, 2025

@takenagain (Contributor) commented Jun 4, 2025

  • Fixes Trezor coin activation by using Trezor for the priv_key_policy field in UTXO coin activation
  • Persists Trezor hidden/background wallet password with flutter_secure_storage

@smk762 I did notice some jank with disappearing transactions when scrolling as it loads, but not sure if it's an existing issue or specific to Trezor.

Address creation appears to work fine as well with the current non-task-based method, although scanning only picks up the first address. I have to manually add to get the second DOC address.

Package Dependency changes Summary

Patch files: https://drive.google.com/drive/folders/1ho4HGpIliHUBT0bnpQvMRqwU1zQ7nbc7?usp=drive_link

| Package | Status | Old version | New version | Dependency | Old sha256 | New sha256 |
|---|---|---|---|---|---|---|
| flutter_bloc | Updated | 9.1.0 | 9.1.1 | direct main | pub:1046d719fbdf230330d3443187cc33cc11963d15c9089f6cc56faa42a4c5f0cc | pub:cf51747952201a455a1c840f8171d273be009b932c75093020f9af64f2123e38 |
| http | Updated | 1.3.0 | 1.4.0 | direct main | pub:fe7ab022b76f3034adc518fb6ea04a82387620e19977665ea18d30a1cf43442f | pub:2c11f3f94c687ee9bad77c171151672986360b2b001d109814ee7140b2cf261b |
| komodo_cex_market_data | Updated | 0.0.1 | 0.0.1 | direct main | git:41b554d08ed3f42f9f784a488cedf9ab4b3b3313 | git:f63bebb0288db26f2a369579109e1fcc93e19b67 |
| komodo_coins | Updated | 0.2.0+0 | 0.2.0+0 | transitive | git:41b554d08ed3f42f9f784a488cedf9ab4b3b3313 | git:f63bebb0288db26f2a369579109e1fcc93e19b67 |
| komodo_defi_framework | Updated | 0.2.0 | 0.2.0 | transitive | git:41b554d08ed3f42f9f784a488cedf9ab4b3b3313 | git:f63bebb0288db26f2a369579109e1fcc93e19b67 |
| komodo_defi_local_auth | Updated | 0.2.0+0 | 0.2.0+0 | transitive | git:41b554d08ed3f42f9f784a488cedf9ab4b3b3313 | git:f63bebb0288db26f2a369579109e1fcc93e19b67 |
| komodo_defi_rpc_methods | Updated | 0.2.0+0 | 0.2.0+0 | transitive | git:41b554d08ed3f42f9f784a488cedf9ab4b3b3313 | git:f63bebb0288db26f2a369579109e1fcc93e19b67 |
| komodo_defi_sdk | Updated | 0.2.0+0 | 0.2.0+0 | direct main | git:41b554d08ed3f42f9f784a488cedf9ab4b3b3313 | git:f63bebb0288db26f2a369579109e1fcc93e19b67 |
| komodo_defi_types | Updated | 0.2.0+0 | 0.2.0+0 | direct main | git:41b554d08ed3f42f9f784a488cedf9ab4b3b3313 | git:f63bebb0288db26f2a369579109e1fcc93e19b67 |
| komodo_ui | Updated | 0.2.0+0 | 0.2.0+0 | direct main | git:41b554d08ed3f42f9f784a488cedf9ab4b3b3313 | git:f63bebb0288db26f2a369579109e1fcc93e19b67 |
| komodo_wallet_build_transformer | Updated | 0.2.0+0 | 0.2.0+0 | transitive | git:41b554d08ed3f42f9f784a488cedf9ab4b3b3313 | git:f63bebb0288db26f2a369579109e1fcc93e19b67 |
| mobile_scanner | Updated | 6.0.7 | 7.0.1 | transitive | pub:9cb9e371ee9b5b548714f9ab5fd33b530d799745c83d5729ecd1e8ab2935dbd1 | pub:54005bdea7052d792d35b4fef0f84ec5ddc3a844b250ecd48dc192fb9b4ebc95 |

Summary by CodeRabbit

  • New Features

    • Improved Trezor wallet login by securely storing and reusing the wallet password for future logins.
  • Refactor

    • Updated the wallet derivation method to enhance compatibility and security.
  • Chores

    • Updated the HTTP package dependency to the latest version for improved performance and security.

@takenagain takenagain self-assigned this Jun 4, 2025
@takenagain takenagain added the bug Something isn't working label Jun 4, 2025
coderabbitai bot (Contributor) commented Jun 4, 2025

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The Trezor wallet login process now uses secure storage to manage the wallet password. Instead of generating a new password each time, the system checks for an existing password in secure storage and only creates and stores a new one if none exists. The derivation method was updated from iguana to hdWallet. Activation of coins was moved to occur after successful sign-in or registration.

Changes

| File(s) | Change Summary |
|---|---|
| lib/bloc/trezor_init_bloc/trezor_init_bloc.dart | Added secure password storage, introduced storage key and instance, updated login method signature and logic, changed derivation method, and moved coin activation call. |
| pubspec.yaml | Updated http package dependency version from 1.3.0 to 1.4.0. |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant TrezorInitBloc
    participant SecureStorage

    User->>TrezorInitBloc: Initiate Trezor Wallet Login
    TrezorInitBloc->>SecureStorage: Read password with key
    alt Password exists
        SecureStorage-->>TrezorInitBloc: Return stored password
    else No password
        TrezorInitBloc->>TrezorInitBloc: Generate new password
        TrezorInitBloc->>SecureStorage: Store new password with key
    end
    TrezorInitBloc->>TrezorInitBloc: Sign in or register with hdWallet derivation
    TrezorInitBloc->>TrezorInitBloc: Add activated coins after successful login

Suggested labels

QA

Suggested reviewers

  • AndrewDelaney
  • ShantanuSharma9873
  • CharlVS

Poem

In the vault where secrets sleep,
A password’s promise we now keep.
No more new keys with every call,
Securely stored, behind a wall.
Trezor’s login, safe and sound—
🐇 Hopping forward, trust is found!



github-actions bot commented Jun 4, 2025

Visit the preview URL for this PR (updated for commit f8a5ff4):

https://walletrc--pull-2746-merge-87lccey6.web.app

(expires Fri, 13 Jun 2025 12:10:44 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: f66a4ff03faa546f12f0ae5a841bd9eff2714dcc

@takenagain (Contributor, Author)

@coderabbitai review

@takenagain takenagain requested a review from Copilot June 4, 2025 22:32
coderabbitai bot (Contributor) commented Jun 4, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

This comment was marked as outdated.

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d9dfea and 73696cc.

📒 Files selected for processing (1)
  • lib/bloc/trezor_init_bloc/trezor_init_bloc.dart (6 hunks)
🧰 Additional context used
🧠 Learnings (1)
lib/bloc/trezor_init_bloc/trezor_init_bloc.dart (1)
Learnt from: takenagain
PR: KomodoPlatform/komodo-wallet#2566
File: lib/bloc/coins_bloc/coins_bloc.dart:10-10
Timestamp: 2025-04-01T15:51:37.060Z
Learning: In the Komodo Wallet project, part files share imports with their parent files. The import for `app_config.dart` in `coins_bloc.dart` is necessary because the part file `coins_state.dart` uses `excludedAssetList` from that package.
⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: Build Mobile (iOS)
  • GitHub Check: Build Mobile (Android)
  • GitHub Check: Build Desktop (windows)
🔇 Additional comments (4)
lib/bloc/trezor_init_bloc/trezor_init_bloc.dart (4)

5-5: LGTM: Secure storage import added.

The addition of flutter_secure_storage import supports the new password persistence functionality.


27-27: LGTM: Well-defined storage key constant.

Using a constant for the storage key follows good practices and prevents typos in key references.


56-56: LGTM: Proper secure storage initialization.

The FlutterSecureStorage instance is correctly initialized with a const constructor.


314-314: Consistent derivation method update.

Good consistency updating both the signIn and register operations to use DerivationMethod.hdWallet.

@takenagain (Contributor, Author)

@coderabbitai review

coderabbitai bot (Contributor) commented Jun 6, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@takenagain takenagain requested a review from Copilot June 6, 2025 11:58
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR enhances the Trezor integration by persisting the wallet password in secure storage and switching to HD wallet derivation.

  • Bumps the http dependency from 1.3.0 to 1.4.0.
  • Adds flutter_secure_storage to store and reuse the Trezor password.
  • Updates _loginToTrezorWallet to read/write the password and use HD derivation options.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| pubspec.yaml | Updated http version to 1.4.0 |
| lib/bloc/trezor_init_bloc/trezor_init_bloc.dart | Added secure storage import and logic for password persistence; refactored login flow with HD derivation and moved coin activation calls |
Comments suppressed due to low confidence (2)

lib/bloc/trezor_init_bloc/trezor_init_bloc.dart:324

  • The logout method currently doesn’t clear the persisted password. You should delete the stored password (_trezorPasswordKey) from secure storage on logout to avoid stale credential reuse.
Future<void> _logout() async {

lib/bloc/trezor_init_bloc/trezor_init_bloc.dart:289

  • Add unit tests for the new persistent password logic: verify reading from and writing to secure storage, and ensure _loginToTrezorWallet handles both existing and newly generated passwords correctly.
password ??= await _secureStorage.read(key: _trezorPasswordKey);
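
The read-or-generate flow from the walkthrough and the logout question raised in the review above, as an added example that is not code from the PR or the project. `SecretStore`, `InMemoryStore`, `passwordKey` and the function names are hypothetical, and the in-memory store stands in for flutter_secure_storage so the block runs with plain Dart.

```dart
import 'dart:convert';
import 'dart:math';

// Hypothetical interface mirroring the read/write/delete calls quoted above.
abstract class SecretStore {
  Future<String?> read({required String key});
  Future<void> write({required String key, required String value});
  Future<void> delete({required String key});
}

// In-memory stand-in so the example runs with plain `dart run`.
class InMemoryStore implements SecretStore {
  final Map<String, String> _data = {};
  @override
  Future<String?> read({required String key}) async => _data[key];
  @override
  Future<void> write({required String key, required String value}) async {
    _data[key] = value;
  }
  @override
  Future<void> delete({required String key}) async {
    _data.remove(key);
  }
}

const passwordKey = 'example_wallet_password'; // constructed key name

// 32 bytes from the platform CSPRNG, encoded so it survives string storage.
String generatePassword({int bytes = 32}) {
  final rng = Random.secure();
  return base64UrlEncode(List<int>.generate(bytes, (_) => rng.nextInt(256)));
}

// Reuse the stored secret; generate and persist one only when none exists.
Future<String> loadOrCreatePassword(SecretStore store) async {
  final existing = await store.read(key: passwordKey);
  if (existing != null && existing.isNotEmpty) return existing;
  final created = generatePassword();
  await store.write(key: passwordKey, value: created);
  return created;
}

Future<void> main() async {
  final store = InMemoryStore();
  final first = await loadOrCreatePassword(store);
  print('reused on second login: ${first == await loadOrCreatePassword(store)}');
  // After deletion the next login mints a new secret; the old one is gone.
  await store.delete(key: passwordKey);
  print('rotated after delete: ${first != await loadOrCreatePassword(store)}');
}
```

The second half of `main` shows the trade-off behind clearing the entry on logout: whatever was protected by the old secret can no longer be unlocked through this flow.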

@takenagain takenagain force-pushed the hotfix/trezor-password-derivation branch from e278e4c to f8a5ff4 Compare June 6, 2025 12:06
@takenagain takenagain marked this pull request as ready for review June 6, 2025 12:33
@takenagain takenagain added the QA Ready for QA Testing label Jun 6, 2025
@takenagain takenagain requested review from CharlVS and smk762 June 6, 2025 12:33
@smk762 (Collaborator) left a comment

  • address creation functional.
  • address gap (set at 3) is enforced.
  • if 3rd address funded, 4th address can be created.

Confirm scanning on initial activation only shows first address, even if subsequent are funded. We can delegate this to a new issue.

@CharlVS CharlVS merged commit 615a22e into release/hot-fix-trezor-login Jun 6, 2025
9 of 12 checks passed
@CharlVS CharlVS deleted the hotfix/trezor-password-derivation branch June 7, 2025 03:48
@DeckerSU (Contributor) left a comment

LGTM. External dependencies have been reviewed—no malicious components found. However, the scope of this review does not include the komodo-defi-sdk-flutter repo or any related packages. They will be reviewed separately, covering the range from 41b554d08ed3f42f9f784a488cedf9ab4b3b3313 to f63bebb0288db26f2a369579109e1fcc93e19b67 in the komodo-defi-sdk-flutter repository.

@DeckerSU (Contributor)

p.s. komodo-defi-sdk-flutter is also reviewed till f63bebb0288db26f2a369579109e1fcc93e19b67. LGTM from security point.
