Fix Security Bypass (#935)

* Hide timeout when it isn't being used.

* Fix #925

* ktlint

app/src/main/java/io/homeassistant/companion/android/settings/SettingsFragment.kt

@@ -65,11 +65,12 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
             isValid
         }
 
-        val onChangeBiometricValidator = Preference.OnPreferenceChangeListener { _, newValue ->
+        findPreference<SwitchPreference>("app_lock")?.setOnPreferenceChangeListener { _, newValue ->
             var isValid: Boolean
-            if (newValue == false)
+            if (newValue == false) {
                 isValid = true
-            else {
+                findPreference<EditTextPreference>("session_timeout")?.isVisible = false
+            } else {
                 isValid = true
                 if (BiometricManager.from(requireActivity()).canAuthenticate() == BiometricManager.BIOMETRIC_SUCCESS) {
                     setLock = true
@@ -87,6 +88,13 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
             isValid
         }
 
+        findPreference<EditTextPreference>("session_timeout")?.let { pref ->
+            pref.setOnBindEditTextListener {
+                it.inputType = InputType.TYPE_CLASS_NUMBER
+            }
+            pref.isVisible = findPreference<SwitchPreference>("app_lock")?.isChecked == true
+        }
+
         findPreference<Preference>("nfc_tags")?.let {
             it.isVisible = presenter.nfcEnabled()
             it.onPreferenceClickListener = Preference.OnPreferenceClickListener {
@@ -95,10 +103,6 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
             }
         }
 
-        findPreference<EditTextPreference>("session_timeout")?.setOnBindEditTextListener {
-            it.inputType = InputType.TYPE_CLASS_NUMBER
-        }
-
         removeSystemFromThemesIfNeeded()
 
         findPreference<EditTextPreference>("connection_internal")?.onPreferenceChangeListener =
@@ -107,9 +111,6 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
         findPreference<EditTextPreference>("connection_external")?.onPreferenceChangeListener =
             onChangeUrlValidator
 
-        findPreference<SwitchPreference>("app_lock")?.onPreferenceChangeListener =
-            onChangeBiometricValidator
-
         findPreference<Preference>("sensors")?.setOnPreferenceClickListener {
             parentFragmentManager
                 .beginTransaction()
@@ -171,8 +172,10 @@ class SettingsFragment : PreferenceFragmentCompat(), SettingsView {
     }
 
     private fun authenticationResult(result: Int) {
+        val success = result == Authenticator.SUCCESS
         val switchLock = findPreference<SwitchPreference>("app_lock")
-        switchLock?.isChecked = result == Authenticator.SUCCESS
+        switchLock?.isChecked = success
+        findPreference<EditTextPreference>("session_timeout")?.isVisible = success
     }
 
     private fun removeSystemFromThemesIfNeeded() {

app/src/main/java/io/homeassistant/companion/android/webview/WebViewActivity.kt

@@ -155,8 +155,10 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.
                 exoToggleMute()
             }
         })
-        if (!presenter.isLockEnabled())
+        if (!presenter.isLockEnabled()) {
             blurView.setBlurEnabled(false)
+            unlocked = true
+        }
 
         authenticator = Authenticator(this, this, ::authenticationResult)
 
@@ -164,6 +166,10 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.
 
         webView = findViewById(R.id.webview)
         webView.apply {
+            setOnTouchListener { _, _ ->
+                return@setOnTouchListener !unlocked
+            }
+
             settings.javaScriptEnabled = true
             settings.domStorageEnabled = true
             webViewClient = object : WebViewClient() {
@@ -400,6 +406,12 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.
         }
     }
 
+    override fun onResume() {
+        super.onResume()
+        if (!unlocked && !presenter.isLockEnabled())
+            unlocked = true
+    }
+
     override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
         super.onActivityResult(requestCode, resultCode, data)
         if (requestCode == NFC_COMPLETE && resultCode != -1) {
@@ -547,7 +559,9 @@ class WebViewActivity : AppCompatActivity(), io.homeassistant.companion.android.
                 if ((System.currentTimeMillis() > presenter.getSessionExpireMillis())) {
                     blurView.setBlurEnabled(true)
                     authenticator.authenticate()
-                } else blurView.setBlurEnabled(false)
+                } else {
+                    blurView.setBlurEnabled(false)
+                }
 
             presenter.onViewReady(intent.getStringExtra(EXTRA_PATH))
             intent.removeExtra(EXTRA_PATH)

app/src/main/res/xml/preferences.xml

@@ -49,6 +49,7 @@
             android:key="session_timeout"
             android:icon="@drawable/ic_timeout"
             android:title="@string/session_timeout_title"
+            app:isPreferenceVisible="false"
             app:useSimpleSummaryProvider="true"/>
     </PreferenceCategory>
     <PreferenceCategory