Hardware key checkbox not disabled while keys are being refreshed #10726

Open
The00Dustin opened this issue May 10, 2024 · 8 comments

@The00Dustin

Overview

Starting with version 2.7.7, where the dropdown for hardware keys and key files was replaced with a refresh icon to detect hardware keys and a link to add a file, while it seems that the intent was to make this process smoother by automatically remembering the previous selection (at least for HMAC challenges), it is no longer obvious the authentication isn't ready unless one knows where to look.

Steps to Reproduce

  1. Click the hardware key refresh icon to detect the hardware key.
  2. Check the box for the hardware key serial number used with the database to be unlocked.
  3. Unlock the database.
  4. Lock the database, note that the hardware key serial number is still shown and selected, and quickly attempt to unlock the database again. *At least in 2.7.8, this step triggers reproduction and one can see that the refresh button is greyed out when the issue will trigger.
  5. Receive error "Error while reading the database:Unable to calculate the database key: General: Colud not find interface for hardware key with serial number 0. Please connect it to continue."

Expected Behavior

It should be obvious when glancing where the hardware key is listed and shown as selected that it is unavailable prior to attempting to unlock.

Actual Behavior

One has to know to look at the little hardware key refresh button and understand that it is refreshing and therefore not ready if it is greyed out.

Context

Prior to 2.7.7, it was obvious that a key refresh was needed because the dropdown would be blank. I do not know if automatic refresh existed in 2.2.7 or is new for 2.7.8, but I have been manually refreshing after the error in both versions when encountering this in real life scenarios (vs lock-unlock reproduction) because it took coming up with reproduction steps to bring the behavior to my attention.

My intermittent experience with this behavior has occurred on both Windows and macOS for databases with passwords when the key has not been removed. In these scenarios, all databases are locked and KeePassXC has usually been minimized to tray for some period of time. I am not sure if the automatic refresh discussed above doesn't always trigger/work when the database has been locked for an extended period of time without the key being removed or if I am frequently quicker than automatic refresh under these circumstances. In either case, it may be noteworthy that, while it will cause an additional prompt before the error, this is easier to reproduce using the steps above if you create a database that doesn't have a password (so it only requires the HMAC challenge).

KeePassXC - Version 2.7.8
Revision: f6757d3

@phoerious
Member

Unless you use an NFC token or something's not quite right with your system, there is no need at all to use the refresh button. The YubiKey is detected automatically as soon as you plug it in.

phoerious closed this as not planned on May 12, 2024

@The00Dustin
Author

I use a Yubikey. I leave it plugged in. The issue is reproducible following the steps provided in the submission. Prior to 2.7.7, when the drop down would go blank while the key was left in the USB, I would hit the refresh button because it was obvious the key was no longer showing. After 2.7.7, it is not obvious because the serial number is still shown even though whatever is going on. I haven't checked to see if it disappears when I unplug the Yubikey, but the prior behavior has been consistent for years across multiple Yubikeys and multiple workstations (of Windows and Apple varieties), and the new behavior is also consistent, with a poorer experience.

@michaelk83

To add, if the only indication that a hardware key is detected or not is the color of a small icon, that is also an accessibility issue for people with certain vision problems.

@phoerious
Member

I have no idea what you are talking about. The entire checkbox (dropdown if multiple keys are inserted) including the serial number(s) appear only if you insert the key and while it's being detected, a large wait indicator is shown. There is no icon colour change.

@The00Dustin
Author

I would post screenshots, but when I try, I get the window behind KeePassXC. Here is what I think is happening now:

KeePassXC is refreshing to check and see if the hardware key is still plugged in when it is brought back from being minimized to the tray. During this refresh, the refresh button (tiny icon) is disabled (changes color). There is no other visual indicator on my Windows or macOS installations.

The problem here is that you can see the hardware key serial number and checkmark selecting that hardware key even though it isn't ready. I haven't ever seen a large wait indicator.

@phoerious
Member

You have to disable screenshot protection before you can make screenshots.

There is an indefinite progress bar below the password field indicating we are redetecting hardware keys. Do I understand correctly that your problem is that the button itself is disabled while the refresh is running (as it should be), but the checkbox + serial is not?

@The00Dustin
Author

> Do I understand correctly that your problem is that the button itself is disabled while the refresh is running (as it should be), but the checkbox + serial is not?

Yes, I believe this sums up what I was trying to report. Because the checkbox + serial is not disabled, it looks like it is ready at a glance when it isn't. With regard to the progress bar, I think I saw it when I looked for it just now, but it isn't incredibly obvious that it exists; I only think I saw it disappear, but likely wouldn't have noticed it if I wasn't specifically looking for it. I'm not sure if that experience is due to theme (dark), size (of progress bar), proximity (to the password entry field), or color vision deficiency.

@phoerious
Member

phoerious commented May 14, 2024

It will pop up only very shortly, because the hardware key detection doesn't take more than a second or two usually. Entering your password will take a lot longer.

I agree that the checkbox should be disabled while keys are being detected, but so should the Unlock button.

phoerious reopened this on May 14, 2024

phoerious changed the title from "Potential HMAC Challenge UX Regression Starting in 2.7.7" to "Hardware key checkbox not disabled while keys are being detected" on May 14, 2024

phoerious changed the title from "Hardware key checkbox not disabled while keys are being detected" to "Hardware key checkbox not disabled while keys are being refreshed" on May 14, 2024

droidmonkey added this to the v2.7.9 milestone on May 27, 2024