Add auto-logout timer and warning

[danfinlay]

Probably as a configurable option, a logout timer is a nice added security for when people forget to lock their vault themselves.

[kumavis]

yeah this is a legit feature request
but not relevant until we are on mainnet
we should implement this soon so we can perfect the ux, signalling that its closed, etc

[danfinlay]

MVP is to enable by default, lock out after some time period, with a boolean check in config.

[artemlitch]

Hi I wanted to take a crack at creating a PR for this, I have been using metamask myself for a bit now and would really like an auto lock option as I always forget. Is there a way I can help contribute?

[danfinlay]

In some ways, this is a very simple feature, but it also requires understanding a pretty wide portion of MetaMask's architecture.

Without going into a full lesson/screencast (which I really should maybe do), the key files here would be:

• Preferences Controller, for recording the timeout duration and boolean for disabling.
• MetaMask Controller for exposing the new timer managing methods from the Preferences Controller to the UI.
• ui/app/actions.js for exposing those MetaMask controller api methods as redux actions to the UI.
• ui/app/config.js for creating the timeout UI.

[jonasman]

I would like to suggest the timer to be based on last interaction with Metamask and not based on last login. Eagerly waiting for this feature!

[nyeates]

I think this is a security risk waiting to happen. Auto-logoff is default on most apps and many desktop wallets. I never remember to go log off - especially since its off in a sub menu. My brain is often 3 levels deep into a trade or sending a friend coins - not worried about recalling to see if this particular wallet logs me off (I have like 10 various wallet softwares). I once found Metamask logged in and it had been a weeks!

My opinion is that it should be bumped up for implementation consideration because it effects the security of so many users of your great tool. Default to 30 min auto-logoff... have an advanced setting to change it to any time-frame or off.

Thanks for the superb wallet!

[whymarrh]

@cjeria does this need design? We could simply auto-lock after a certain time period has passed.

cc @bdresser

[bdresser]

relates to #5790

[bdresser]

Let's address this with a drop-down in the "Security and Privacy" portion of settings.

Default behavior remains the same, but allow users to specify a time after which the extension requires unlocking.

[asymmetric]

Is this done, or has it been decided not to implement it?

[danjm]

@asymmetric I "closed" this because the work was done with #6558 and merged to our develop branch. Your comment has prompted myself and @whymarrh to realize that my closing of the issue was incorrect for two reasons:
(1) I should have left a comment to say why I was closing
(2) The PR that I thought completed this was insufficient. There is a little more work needed.

So reopening for now, and will give proper comment before next closing