From 59f5c0cb124097dae24a2b7a7e2c8551e8e9b857 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 9 May 2023 17:09:49 +0200
Subject: [PATCH 01/81] started new unlock workflow using user-specific private
 key

---
 .../ui/keyloading/hub/AuthFlowController.java |   4 +-
 .../keyloading/hub/HubKeyLoadingModule.java   |   2 +-
 .../keyloading/hub/HubKeyLoadingStrategy.java |   6 +-
 .../ui/keyloading/hub/JWEHelper.java          |  42 +++++--
 .../keyloading/hub/ReceiveKeyController.java  | 118 ++++++++++++++++--
 .../ui/keyloading/hub/ReceivedKey.java        |  24 ++++
 .../hub/RegisterDeviceController.java         |  10 +-
 .../hub/RegisterFailedController.java         |   4 +-
 .../hub/UnauthorizedDeviceController.java     |   4 +-
 .../ui/keyloading/hub/JWEHelperTest.java      |  53 ++++++--
 10 files changed, 226 insertions(+), 41 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
index 5765f56e0..06e488581 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
@@ -35,13 +35,13 @@ public class AuthFlowController implements FxController {
 	private final String deviceId;
 	private final HubConfig hubConfig;
 	private final AtomicReference<String> tokenRef;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 	private final Lazy<Scene> receiveKeyScene;
 	private final ObjectProperty<URI> authUri;
 	private AuthFlowTask task;
 
 	@Inject
-	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, @Named("deviceId") String deviceId, HubConfig hubConfig, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<JWEObject> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene) {
+	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, @Named("deviceId") String deviceId, HubConfig hubConfig, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene) {
 		this.application = application;
 		this.window = window;
 		this.executor = executor;
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index 7b8aae875..ad4ea9408 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -69,7 +69,7 @@ public abstract class HubKeyLoadingModule {
 
 	@Provides
 	@KeyLoadingScoped
-	static CompletableFuture<JWEObject> provideResult() {
+	static CompletableFuture<ReceivedKey> provideResult() {
 		return new CompletableFuture<>();
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index cc5edfcb4..9ea5e7735 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -36,11 +36,11 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	private final KeychainManager keychainManager;
 	private final Lazy<Scene> authFlowScene;
 	private final Lazy<Scene> noKeychainScene;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 	private final DeviceKey deviceKey;
 
 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, @FxmlScene(FxmlFile.HUB_NO_KEYCHAIN) Lazy<Scene> noKeychainScene, CompletableFuture<JWEObject> result, DeviceKey deviceKey, KeychainManager keychainManager, @Named("windowTitle") String windowTitle) {
+	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, @FxmlScene(FxmlFile.HUB_NO_KEYCHAIN) Lazy<Scene> noKeychainScene, CompletableFuture<ReceivedKey> result, DeviceKey deviceKey, KeychainManager keychainManager, @Named("windowTitle") String windowTitle) {
 		this.window = window;
 		this.keychainManager = keychainManager;
 		window.setTitle(windowTitle);
@@ -60,7 +60,7 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 			var keypair = deviceKey.get();
 			showWindow(authFlowScene);
 			var jwe = result.get();
-			return JWEHelper.decrypt(jwe, keypair.getPrivate());
+			return jwe.decryptMasterkey(keypair.getPrivate());
 		} catch (NoKeychainAccessProviderException e) {
 			showWindow(noKeychainScene);
 			throw new UnlockCancelledException("Unlock canceled due to missing prerequisites", e);
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
index 2c2b9baa4..29bc7a98f 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
@@ -10,27 +10,55 @@ import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.ECPrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Arrays;
+import java.util.function.Function;
 
 class JWEHelper {
 
 	private static final Logger LOG = LoggerFactory.getLogger(JWEHelper.class);
-	private static final String JWE_PAYLOAD_MASTERKEY_FIELD = "key";
+	private static final String JWE_PAYLOAD_KEY_FIELD = "key";
+	private static final String EC_ALG = "EC";
 
 	private JWEHelper(){}
 
-	public static Masterkey decrypt(JWEObject jwe, ECPrivateKey privateKey) throws MasterkeyLoadingFailedException {
+	public static ECPrivateKey decryptUserKey(JWEObject jwe, ECPrivateKey deviceKey) {
+		try {
+			jwe.decrypt(new ECDHDecrypter(deviceKey));
+			var keySpec = readKey(jwe, JWE_PAYLOAD_KEY_FIELD, PKCS8EncodedKeySpec::new);
+			var factory = KeyFactory.getInstance(EC_ALG);
+			var privateKey = factory.generatePrivate(keySpec);
+			if (privateKey instanceof ECPrivateKey ecPrivateKey) {
+				return ecPrivateKey;
+			} else {
+				throw new IllegalStateException(EC_ALG + " key factory not generating ECPrivateKeys");
+			}
+		} catch (JOSEException e) {
+			LOG.warn("Failed to decrypt JWE: {}", jwe);
+			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException(EC_ALG + " not supported");
+		} catch (InvalidKeySpecException e) {
+			LOG.warn("Unexpected JWE payload: {}", jwe.getPayload());
+			throw new MasterkeyLoadingFailedException("Unexpected JWE payload", e);
+		}
+	}
+
+	public static Masterkey decryptVaultKey(JWEObject jwe, ECPrivateKey privateKey) throws MasterkeyLoadingFailedException {
 		try {
 			jwe.decrypt(new ECDHDecrypter(privateKey));
-			return readKey(jwe);
+			return readKey(jwe, JWE_PAYLOAD_KEY_FIELD, Masterkey::new);
 		} catch (JOSEException e) {
 			LOG.warn("Failed to decrypt JWE: {}", jwe);
 			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
 		}
 	}
 
-	private static Masterkey readKey(JWEObject jwe) throws MasterkeyLoadingFailedException {
+	private static <T> T readKey(JWEObject jwe, String keyField, Function<byte[], T> rawKeyFactory) throws MasterkeyLoadingFailedException {
 		Preconditions.checkArgument(jwe.getState() == JWEObject.State.DECRYPTED);
 		var fields = jwe.getPayload().toJSONObject();
 		if (fields == null) {
@@ -39,11 +67,11 @@ class JWEHelper {
 		}
 		var keyBytes = new byte[0];
 		try {
-			if (fields.get(JWE_PAYLOAD_MASTERKEY_FIELD) instanceof String key) {
+			if (fields.get(keyField) instanceof String key) {
 				keyBytes = BaseEncoding.base64().decode(key);
-				return new Masterkey(keyBytes);
+				return rawKeyFactory.apply(keyBytes);
 			} else {
-				throw new IllegalArgumentException("JWE payload doesn't contain field " + JWE_PAYLOAD_MASTERKEY_FIELD);
+				throw new IllegalArgumentException("JWE payload doesn't contain field " + keyField);
 			}
 		} catch (IllegalArgumentException e) {
 			LOG.error("Unexpected JWE payload: {}", jwe.getPayload());
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 6f6e7cb42..630b35e1f 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -8,6 +8,8 @@ import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
 import javax.inject.Named;
@@ -17,13 +19,13 @@ import javafx.scene.Scene;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
 import java.io.IOException;
-import java.io.InputStream;
 import java.io.UncheckedIOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
@@ -33,12 +35,14 @@ import java.util.concurrent.atomic.AtomicReference;
 @KeyLoadingScoped
 public class ReceiveKeyController implements FxController {
 
+	private static final Logger LOG = LoggerFactory.getLogger(ReceiveKeyController.class);
 	private static final String SCHEME_PREFIX = "hub+";
 
 	private final Stage window;
+	private final HubConfig hubConfig;
 	private final String deviceId;
 	private final String bearerToken;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 	private final Lazy<Scene> registerDeviceScene;
 	private final Lazy<Scene> unauthorizedScene;
 	private final URI vaultBaseUri;
@@ -46,8 +50,9 @@ public class ReceiveKeyController implements FxController {
 	private final HttpClient httpClient;
 
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<JWEObject> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, @FxmlScene(FxmlFile.HUB_INVALID_LICENSE) Lazy<Scene> invalidLicenseScene) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, HubConfig hubConfig, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, @FxmlScene(FxmlFile.HUB_INVALID_LICENSE) Lazy<Scene> invalidLicenseScene) {
 		this.window = window;
+		this.hubConfig = hubConfig;
 		this.deviceId = deviceId;
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
 		this.result = result;
@@ -61,20 +66,109 @@ public class ReceiveKeyController implements FxController {
 
 	@FXML
 	public void initialize() {
-		var keyUri = appendPath(vaultBaseUri, "/keys/" + deviceId);
-		var request = HttpRequest.newBuilder(keyUri) //
+		requestUserToken();
+	}
+
+	/**
+	 * STEP 1 (Request): GET user token for this vault
+	 */
+	private void requestUserToken() {
+		var userTokenUri = appendPath(vaultBaseUri, "/user-tokens/me");
+		var request = HttpRequest.newBuilder(userTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
 				.build();
-		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofInputStream()) //
-				.thenAcceptAsync(this::loadedExistingKey, Platform::runLater) //
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
+				.thenAcceptAsync(this::receivedUserTokenResponse, Platform::runLater) //
 				.exceptionally(this::retrievalFailed);
 	}
 
-	private void loadedExistingKey(HttpResponse<InputStream> response) {
+	/**
+	 * STEP 1 (Response)
+	 *
+	 * @param response Response
+	 */
+	private void receivedUserTokenResponse(HttpResponse<String> response) {
+		LOG.debug("GET {} -> Status Code {}", response.request().uri(), response.statusCode());
 		try {
 			switch (response.statusCode()) {
-				case 200 -> retrievalSucceeded(response);
+				case 200 -> requestDeviceToken(response.body());
+				case 402 -> licenseExceeded();
+				case 403 -> accessNotGranted();
+				case 404 -> requestLegacyAccessToken();
+				default -> throw new IOException("Unexpected response " + response.statusCode());
+			}
+		} catch (IOException e) {
+			throw new UncheckedIOException(e);
+		}
+	}
+
+	/**
+	 * STEP 2 (Request): GET device token for this user
+	 */
+	private void requestDeviceToken(String userToken) {
+		var deviceTokenUri = appendPath(URI.create(hubConfig.devicesResourceUrl), "/%s/device-token".formatted(deviceId));
+		var request = HttpRequest.newBuilder(deviceTokenUri) //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.GET() //
+				.build();
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
+				.thenAcceptAsync(response -> receivedDeviceTokenResponse(userToken, response), Platform::runLater) //
+				.exceptionally(this::retrievalFailed);
+	}
+
+	/**
+	 * STEP 2 (Response)
+	 *
+	 * @param response Response
+	 */
+	private void receivedDeviceTokenResponse(String userToken, HttpResponse<String> response) {
+		LOG.debug("GET {} -> Status Code {}", response.request().uri(), response.statusCode());
+		try {
+			switch (response.statusCode()) {
+				case 200 -> receivedDeviceTokenSuccess(userToken, response.body());
+				case 403, 404 -> needsDeviceRegistration();
+				default -> throw new IOException("Unexpected response " + response.statusCode());
+			}
+		} catch (IOException e) {
+			throw new UncheckedIOException(e);
+		}
+	}
+
+	private void receivedDeviceTokenSuccess(String rawUserToken, String rawDeviceToken) throws IOException {
+		try {
+			var userToken = JWEObject.parse(rawUserToken);
+			var deviceToken = JWEObject.parse(rawDeviceToken);
+			result.complete(ReceivedKey.userAndDeviceKey(userToken, deviceToken));
+			window.close();
+		} catch (ParseException e) {
+			throw new IOException("Failed to parse JWE", e);
+		}
+	}
+
+	/**
+	 * LEGACY FALLBACK (Request): GET the legacy access token from Hub 1.x
+	 */
+	private void requestLegacyAccessToken() {
+		var legacyAccessTokenUri = appendPath(vaultBaseUri, "/keys/%s".formatted(deviceId));
+		var request = HttpRequest.newBuilder(legacyAccessTokenUri) //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.GET() //
+				.build();
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
+				.thenAcceptAsync(this::receivedLegacyAccessTokenResponse, Platform::runLater) //
+				.exceptionally(this::retrievalFailed);
+	}
+
+	/**
+	 * LEGACY FALLBACK (Response)
+	 *
+	 * @param response Response
+	 */
+	private void receivedLegacyAccessTokenResponse(HttpResponse<String> response) {
+		try {
+			switch (response.statusCode()) {
+				case 200 -> receivedLegacyAccessTokenSuccess(response.body());
 				case 402 -> licenseExceeded();
 				case 403 -> accessNotGranted();
 				case 404 -> needsDeviceRegistration();
@@ -85,10 +179,10 @@ public class ReceiveKeyController implements FxController {
 		}
 	}
 
-	private void retrievalSucceeded(HttpResponse<InputStream> response) throws IOException {
+	private void receivedLegacyAccessTokenSuccess(String rawToken) throws IOException {
 		try {
-			var string = HttpHelper.readBody(response);
-			result.complete(JWEObject.parse(string));
+			var token = JWEObject.parse(rawToken);
+			result.complete(ReceivedKey.legacyDeviceKey(token));
 			window.close();
 		} catch (ParseException e) {
 			throw new IOException("Failed to parse JWE", e);
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java
new file mode 100644
index 000000000..a6f0ac397
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java
@@ -0,0 +1,24 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.nimbusds.jose.JWEObject;
+import org.cryptomator.cryptolib.api.Masterkey;
+
+import java.security.interfaces.ECPrivateKey;
+
+@FunctionalInterface
+interface ReceivedKey {
+
+	Masterkey decryptMasterkey(ECPrivateKey deviceKey);
+
+	static ReceivedKey userAndDeviceKey(JWEObject userToken, JWEObject deviceToken) {
+		return deviceKey -> {
+			var userKey = JWEHelper.decryptUserKey(deviceToken, deviceKey);
+			return JWEHelper.decryptVaultKey(userToken, userKey);
+		};
+	}
+
+	static ReceivedKey legacyDeviceKey(JWEObject legacyAccessToken) {
+		return deviceKey -> JWEHelper.decryptVaultKey(legacyAccessToken, deviceKey);
+	}
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 4cf2d9fa2..52901287a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -36,6 +36,7 @@ import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 import java.util.List;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
@@ -56,7 +57,7 @@ public class RegisterDeviceController implements FxController {
 	private final Lazy<Scene> registerFailedScene;
 	private final String deviceId;
 	private final P384KeyPair keyPair;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 	private final DecodedJWT jwt;
 	private final HttpClient httpClient;
 	private final BooleanProperty deviceNameAlreadyExists = new SimpleBooleanProperty(false);
@@ -65,7 +66,7 @@ public class RegisterDeviceController implements FxController {
 	public Button registerBtn;
 
 	@Inject
-	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<JWEObject> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene) {
+	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<ReceivedKey> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene) {
 		this.window = window;
 		this.hubConfig = hubConfig;
 		this.deviceId = deviceId;
@@ -104,11 +105,12 @@ public class RegisterDeviceController implements FxController {
 		var dto = new CreateDeviceDto();
 		dto.id = deviceId;
 		dto.name = deviceNameField.getText();
-		dto.publicKey = BaseEncoding.base64Url().omitPadding().encode(deviceKey);
+		dto.publicKey = Base64.getUrlEncoder().withoutPadding().encodeToString(deviceKey);
 		var json = GSON.toJson(dto); // TODO: do we want to keep GSON? doesn't support records -.-
 		var request = HttpRequest.newBuilder(keyUri) //
+				.PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
 				.header("Authorization", "Bearer " + bearerToken) //
-				.header("Content-Type", "application/json").PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
+				.header("Content-Type", "application/json") //
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.discarding()) //
 				.thenApply(response -> {
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterFailedController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterFailedController.java
index 8a4278d72..57150390c 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterFailedController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterFailedController.java
@@ -12,10 +12,10 @@ import java.util.concurrent.CompletableFuture;
 public class RegisterFailedController implements FxController {
 
 	private final Stage window;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 
 	@Inject
-	public RegisterFailedController(@KeyLoading Stage window, CompletableFuture<JWEObject> result) {
+	public RegisterFailedController(@KeyLoading Stage window, CompletableFuture<ReceivedKey> result) {
 		this.window = window;
 		this.result = result;
 	}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java
index 1a7cbab02..c42ee1cd7 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java
@@ -15,10 +15,10 @@ import java.util.concurrent.CompletableFuture;
 public class UnauthorizedDeviceController implements FxController {
 
 	private final Stage window;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 
 	@Inject
-	public UnauthorizedDeviceController(@KeyLoading Stage window, CompletableFuture<JWEObject> result) {
+	public UnauthorizedDeviceController(@KeyLoading Stage window, CompletableFuture<ReceivedKey> result) {
 		this.window = window;
 		this.result = result;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
index 3d495e8c1..cac307add 100644
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
@@ -3,7 +3,9 @@ package org.cryptomator.ui.keyloading.hub;
 import com.nimbusds.jose.JWEObject;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
 import org.cryptomator.cryptolib.common.P384KeyPair;
+import org.cryptomator.cryptolib.shaded.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ValueSource;
@@ -17,16 +19,51 @@ import java.util.Base64;
 
 public class JWEHelperTest {
 
-	private static final String JWE = "eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMzg0Iiwia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwieCI6IllUcEY3bGtTc3JvZVVUVFdCb21LNzBTN0FhVTJyc0ptMURpZ1ZzbjRMY2F5eUxFNFBabldkYmFVcE9jQVV5a1ciLCJ5IjoiLU5pS3loUktjSk52Nm02Z0ZJUWc4cy1Xd1VXUW9uT3A5dkQ4cHpoa2tUU3U2RzFlU2FUTVlhZGltQ2Q4V0ExMSJ9LCJhcHUiOiIiLCJhcHYiOiIifQ..BECWGzd9UvhHcTJC.znt4TlS-qiNEjxiu2v-du_E1QOBnyBR6LCt865SHxD-kwRc1JwX_Lq9XVoFj2GnK9-9CgxhCLGurg5Jt9g38qv2brGAzWL7eSVeY1fIqdO_kUhLpGslRTN6h2U0NHJi2-iE.WDVI2kOk9Dy3PWHyIg8gKA";
+	// key pairs from frontend tests (crypto.spec.ts):
+	private static final String USER_PRIV_KEY = "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDCi4K1Ts3DgTz/ufkLX7EGMHjGpJv+WJmFgyzLwwaDFSfLpDw0Kgf3FKK+LAsV8r+hZANiAARLOtFebIjxVYUmDV09Q1sVxz2Nm+NkR8fu6UojVSRcCW13tEZatx8XGrIY9zC7oBCEdRqDc68PMSvS5RA0Pg9cdBNc/kgMZ1iEmEv5YsqOcaNADDSs0bLlXb35pX7Kx5Y=";
+	private static final String USER_PUB_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW";
+	private static final String DEVICE_PRIV_KEY = "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB2bmFCWy2p+EbAn8NWS5Om+GA7c5LHhRZb8g2pSMSf0fsd7k7dZDVrnyHFiLdd/YGhZANiAAR6bsjTEdXKWIuu1Bvj6Y8wySlIROy7YpmVZTY128ItovCD8pcR4PnFljvAIb2MshCdr1alX4g6cgDOqcTeREiObcSfucOU9Ry1pJ/GnX6KA0eSljrk6rxjSDos8aiZ6Mg=";
+	private static final String DEVICE_PUB_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEem7I0xHVyliLrtQb4+mPMMkpSETsu2KZlWU2NdvCLaLwg/KXEeD5xZY7wCG9jLIQna9WpV+IOnIAzqnE3kRIjm3En7nDlPUctaSfxp1+igNHkpY65Oq8Y0g6LPGomejI";
+
+	// used for JWE generation in frontend: (jwe.spec.ts):
 	private static final String PRIV_KEY = "ME8CAQAwEAYHKoZIzj0CAQYFK4EEACIEODA2AgEBBDEA6QybmBitf94veD5aCLr7nlkF5EZpaXHCfq1AXm57AKQyGOjTDAF9EQB28fMywTDQ";
 	private static final String PUB_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERxQR+NRN6Wga01370uBBzr2NHDbKIC56tPUEq2HX64RhITGhii8Zzbkb1HnRmdF0aq6uqmUy4jUhuxnKxsv59A6JeK7Unn+mpmm3pQAygjoGc9wrvoH4HWJSQYUlsXDu";
 
 	@Test
-	public void testDecrypt() throws ParseException, InvalidKeySpecException {
-		var jwe = JWEObject.parse(JWE);
-		var keyPair = P384KeyPair.create(new X509EncodedKeySpec(Base64.getDecoder().decode(PUB_KEY)), new PKCS8EncodedKeySpec(Base64.getDecoder().decode(PRIV_KEY)));
+	@DisplayName("decryptUserKey")
+	public void testDecryptUserKey() throws ParseException, InvalidKeySpecException {
+		var jwe = JWEObject.parse("""
+			eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrZXlfb3BzIjpbXSwiZXh0Ijp\
+			0cnVlLCJrdHkiOiJFQyIsIngiOiJoeHpiSWh6SUJza3A5ZkZFUmJSQ2RfOU1fbWYxNElqaDZhcnNoVX\
+			NkcEEyWno5ejZZNUs4NHpZR2I4b2FHemNUIiwieSI6ImJrMGRaNWhpelZ0TF9hN2hNejBjTUduNjhIR\
+			jZFdWlyNHdlclNkTFV5QWd2NWUzVzNYSG5sdHJ2VlRyU3pzUWYiLCJjcnYiOiJQLTM4NCJ9LCJhcHUi\
+			OiIiLCJhcHYiOiIifQ..pu3Q1nR_yvgRAapG.4zW0xm0JPxbcvZ66R-Mn3k841lHelDQfaUvsZZAtWs\
+			L2w4FMi6H_uu6ArAWYLtNREa_zfcPuyuJsFferYPSNRUWt4OW6aWs-l_wfo7G1ceEVxztQXzQiwD30U\
+			TA8OOdPcUuFfEq2-d9217jezrcyO6m6FjyssEZIrnRArUPWKzGdghXccGkkf0LTZcGJoHeKal-RtyP8\
+			PfvEAWTjSOCpBlSdUJ-1JL3tyd97uVFNaVuH3i7vvcMoUP_bdr0XW3rvRgaeC6X4daPLUvR1hK5Msut\
+			QMtM2vpFghS_zZxIQRqz3B2ECxa9Bjxhmn8kLX5heZ8fq3lH-bmJp1DxzZ4V1RkWk.yVwXG9yARa5Ih\
+			q2koh2NbQ""");
+		var deviceKeyPair = P384KeyPair.create(new X509EncodedKeySpec(Base64.getDecoder().decode(DEVICE_PUB_KEY)), new PKCS8EncodedKeySpec(Base64.getDecoder().decode(DEVICE_PRIV_KEY)));
 
-		var masterkey = JWEHelper.decrypt(jwe, keyPair.getPrivate());
+		var userKey = JWEHelper.decryptUserKey(jwe, deviceKeyPair.getPrivate());
+
+		Assertions.assertArrayEquals(Base64.getDecoder().decode(USER_PRIV_KEY), userKey.getEncoded());
+	}
+
+	@Test
+	@DisplayName("decryptVaultKey")
+	public void testDecryptVaultKey() throws ParseException, InvalidKeySpecException {
+		var jwe = JWEObject.parse("""
+			eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlA\
+			tMzg0Iiwia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwieCI6IllUcEY3bGtTc3JvZVVUVFdCb21LNzBTN0\
+			FhVTJyc0ptMURpZ1ZzbjRMY2F5eUxFNFBabldkYmFVcE9jQVV5a1ciLCJ5IjoiLU5pS3loUktjSk52N\
+			m02Z0ZJUWc4cy1Xd1VXUW9uT3A5dkQ4cHpoa2tUU3U2RzFlU2FUTVlhZGltQ2Q4V0ExMSJ9LCJhcHUi\
+			OiIiLCJhcHYiOiIifQ..BECWGzd9UvhHcTJC.znt4TlS-qiNEjxiu2v-du_E1QOBnyBR6LCt865SHxD\
+			-kwRc1JwX_Lq9XVoFj2GnK9-9CgxhCLGurg5Jt9g38qv2brGAzWL7eSVeY1fIqdO_kUhLpGslRTN6h2\
+			U0NHJi2-iE.WDVI2kOk9Dy3PWHyIg8gKA""");
+		var privateKey = P384KeyPair.create(new X509EncodedKeySpec(Base64.getDecoder().decode(PUB_KEY)), new PKCS8EncodedKeySpec(Base64.getDecoder().decode(PRIV_KEY))).getPrivate();
+
+		var masterkey = JWEHelper.decryptVaultKey(jwe, privateKey);
 
 		var expectedEncKey = new byte[32];
 		var expectedMacKey = new byte[32];
@@ -44,12 +81,12 @@ public class JWEHelperTest {
 			"eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMzg0Iiwia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwieCI6IkJyYm9UQkl5Y0NDUEdJQlBUekU2RjBnbTRzRjRCamZPN1I0a2x0aWlCaThKZkxxcVdXNVdUSVBLN01yMXV5QVUiLCJ5IjoiNUpGVUI0WVJiYjM2RUZpN2Y0TUxMcFFyZXd2UV9Tc3dKNHRVbFd1a2c1ZU04X1ZyM2pkeml2QXI2WThRczVYbSJ9LCJhcHUiOiIiLCJhcHYiOiIifQ..QEq4Z2m6iwBx2ioS.IBo8TbKJTS4pug.61Z-agIIXgP8bX10O_yEMA", // json payload field "key" not a string
 			"eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMzg0Iiwia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwieCI6ImNZdlVFZm9LYkJjenZySE5zQjUxOGpycUxPMGJDOW5lZjR4NzFFMUQ5dk95MXRqd1piZzV3cFI0OE5nU1RQdHgiLCJ5IjoiaWRJekhCWERzSzR2NTZEeU9yczJOcDZsSG1zb29fMXV0VTlzX3JNdVVkbkxuVXIzUXdLZkhYMWdaVXREM1RKayJ9LCJhcHUiOiIiLCJhcHYiOiIifQ..0VZqu5ei9U3blGtq.eDvhU6drw7mIwvXu6Q.f05QnhI7JWG3IYHvexwdFQ" // json payload field "key" invalid base64 data
 	})
-	public void testDecryptInvalid(String malformed) throws ParseException, InvalidKeySpecException {
+	public void testDecryptInvalidVaultKey(String malformed) throws ParseException, InvalidKeySpecException {
 		var jwe = JWEObject.parse(malformed);
-		var keyPair = P384KeyPair.create(new X509EncodedKeySpec(Base64.getDecoder().decode(PUB_KEY)), new PKCS8EncodedKeySpec(Base64.getDecoder().decode(PRIV_KEY)));
+		var privateKey = P384KeyPair.create(new X509EncodedKeySpec(Base64.getDecoder().decode(PUB_KEY)), new PKCS8EncodedKeySpec(Base64.getDecoder().decode(PRIV_KEY))).getPrivate();
 
 		Assertions.assertThrows(MasterkeyLoadingFailedException.class, () -> {
-			JWEHelper.decrypt(jwe, keyPair.getPrivate());
+			JWEHelper.decryptVaultKey(jwe, privateKey);
 		});
 	}
 

From fe733967dc8d0e5ab330f858ef2f4dd318cc2f49 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 1 Jun 2023 15:06:21 +0200
Subject: [PATCH 02/81] send device type in device registration request

---
 .../org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java    | 1 +
 .../ui/keyloading/hub/RegisterDeviceController.java           | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java b/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java
index 71377a318..dcf9b6458 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java
@@ -4,6 +4,7 @@ class CreateDeviceDto {
 
 	public String id;
 	public String name;
+	public final String type = "DESKTOP";
 	public String publicKey;
 
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 52901287a..8e204719e 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -100,14 +100,14 @@ public class RegisterDeviceController implements FxController {
 		registerBtn.setContentDisplay(ContentDisplay.LEFT);
 		registerBtn.setDisable(true);
 
-		var keyUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
+		var deviceUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
 		var deviceKey = keyPair.getPublic().getEncoded();
 		var dto = new CreateDeviceDto();
 		dto.id = deviceId;
 		dto.name = deviceNameField.getText();
 		dto.publicKey = Base64.getUrlEncoder().withoutPadding().encodeToString(deviceKey);
 		var json = GSON.toJson(dto); // TODO: do we want to keep GSON? doesn't support records -.-
-		var request = HttpRequest.newBuilder(keyUri) //
+		var request = HttpRequest.newBuilder(deviceUri) //
 				.PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.header("Content-Type", "application/json") //

From 5a18d086e0873855fa48ae349672adbf0cc58964 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 22 Jun 2023 17:16:00 +0200
Subject: [PATCH 03/81] register device using a setup code

---
 .../org/cryptomator/ui/common/FxmlFile.java   |   3 +-
 .../ui/keyloading/hub/CreateDeviceDto.java    |   5 +
 .../keyloading/hub/HubKeyLoadingModule.java   |  12 +
 .../ui/keyloading/hub/JWEHelper.java          |  52 ++++-
 .../keyloading/hub/ReceiveKeyController.java  |  14 +-
 .../keyloading/hub/SetupDeviceController.java | 208 ++++++++++++++++++
 src/main/resources/fxml/hub_setup_device.fxml |  83 +++++++
 .../ui/keyloading/hub/JWEHelperTest.java      |   1 -
 8 files changed, 367 insertions(+), 11 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
 create mode 100644 src/main/resources/fxml/hub_setup_device.fxml

diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index 3bec75899..15df40e2d 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -22,7 +22,8 @@ public enum FxmlFile {
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
 	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
 	HUB_REGISTER_SUCCESS("/fxml/hub_register_success.fxml"), //
-	HUB_REGISTER_FAILED("/fxml/hub_register_failed.fxml"),
+	HUB_REGISTER_FAILED("/fxml/hub_register_failed.fxml"), //
+	HUB_SETUP_DEVICE("/fxml/hub_setup_device.fxml"), //
 	HUB_UNAUTHORIZED_DEVICE("/fxml/hub_unauthorized_device.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java b/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java
index dcf9b6458..cf8ffdeec 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java
@@ -1,10 +1,15 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import java.time.Instant;
+
 class CreateDeviceDto {
 
 	public String id;
 	public String name;
 	public final String type = "DESKTOP";
 	public String publicKey;
+	public String userKey;
+	public String creationTime;
+	public String lastSeenTime;
 
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index ad4ea9408..d6d2087dc 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -134,6 +134,13 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_FAILED);
 	}
 
+	@Provides
+	@FxmlScene(FxmlFile.HUB_SETUP_DEVICE)
+	@KeyLoadingScoped
+	static Scene provideHubSetupDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_SETUP_DEVICE);
+	}
+
 	@Provides
 	@FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE)
 	@KeyLoadingScoped
@@ -176,6 +183,11 @@ public abstract class HubKeyLoadingModule {
 	@FxControllerKey(RegisterFailedController.class)
 	abstract FxController bindRegisterFailedController(RegisterFailedController controller);
 
+	@Binds
+	@IntoMap
+	@FxControllerKey(SetupDeviceController.class)
+	abstract FxController bindSetupDeviceController(SetupDeviceController controller);
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(UnauthorizedDeviceController.class)
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
index 29bc7a98f..233f2a6df 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
@@ -2,20 +2,33 @@ package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
 import com.google.common.io.BaseEncoding;
+import com.nimbusds.jose.EncryptionMethod;
 import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWEAlgorithm;
+import com.nimbusds.jose.JWEHeader;
 import com.nimbusds.jose.JWEObject;
+import com.nimbusds.jose.Payload;
 import com.nimbusds.jose.crypto.ECDHDecrypter;
+import com.nimbusds.jose.crypto.ECDHEncrypter;
+import com.nimbusds.jose.crypto.PasswordBasedDecrypter;
+import com.nimbusds.jose.jwk.Curve;
+import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
+import com.nimbusds.jose.jwk.gen.JWKGenerator;
 import org.cryptomator.cryptolib.api.Masterkey;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.security.KeyFactory;
+import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Arrays;
+import java.util.Base64;
+import java.util.Map;
 import java.util.function.Function;
 
 class JWEHelper {
@@ -25,11 +38,43 @@ class JWEHelper {
 	private static final String EC_ALG = "EC";
 
 	private JWEHelper(){}
+	public static JWEObject encryptUserKey(ECPrivateKey userKey, ECPublicKey deviceKey) {
+		try {
+			var encodedUserKey = Base64.getEncoder().encodeToString(userKey.getEncoded());
+			var keyGen = new ECKeyGenerator(Curve.P_384);
+			var ephemeralKeyPair = keyGen.generate();
+			var header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES, EncryptionMethod.A256GCM).ephemeralPublicKey(ephemeralKeyPair.toPublicJWK()).build();
+			var payload = new Payload(Map.of(JWE_PAYLOAD_KEY_FIELD, encodedUserKey));
+			var jwe = new JWEObject(header, payload);
+			jwe.encrypt(new ECDHEncrypter(deviceKey));
+			return jwe;
+		} catch (JOSEException e) {
+			throw new RuntimeException(e);
+		}
+	}
+
+	public static ECPrivateKey decryptUserKey(JWEObject jwe, String setupCode) {
+		try {
+			jwe.decrypt(new PasswordBasedDecrypter(setupCode));
+			return decodeUserKey(jwe);
+		} catch (JOSEException e) {
+			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
+		}
+	}
 
 	public static ECPrivateKey decryptUserKey(JWEObject jwe, ECPrivateKey deviceKey) {
 		try {
 			jwe.decrypt(new ECDHDecrypter(deviceKey));
-			var keySpec = readKey(jwe, JWE_PAYLOAD_KEY_FIELD, PKCS8EncodedKeySpec::new);
+			return decodeUserKey(jwe);
+		} catch (JOSEException e) {
+			LOG.warn("Failed to decrypt JWE: {}", jwe);
+			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
+		}
+	}
+
+	private static ECPrivateKey decodeUserKey(JWEObject decryptedJwe) {
+		try {
+			var keySpec = readKey(decryptedJwe, JWE_PAYLOAD_KEY_FIELD, PKCS8EncodedKeySpec::new);
 			var factory = KeyFactory.getInstance(EC_ALG);
 			var privateKey = factory.generatePrivate(keySpec);
 			if (privateKey instanceof ECPrivateKey ecPrivateKey) {
@@ -37,13 +82,10 @@ class JWEHelper {
 			} else {
 				throw new IllegalStateException(EC_ALG + " key factory not generating ECPrivateKeys");
 			}
-		} catch (JOSEException e) {
-			LOG.warn("Failed to decrypt JWE: {}", jwe);
-			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
 		} catch (NoSuchAlgorithmException e) {
 			throw new IllegalStateException(EC_ALG + " not supported");
 		} catch (InvalidKeySpecException e) {
-			LOG.warn("Unexpected JWE payload: {}", jwe.getPayload());
+			LOG.warn("Unexpected JWE payload: {}", decryptedJwe.getPayload());
 			throw new MasterkeyLoadingFailedException("Unexpected JWE payload", e);
 		}
 	}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 630b35e1f..1bb08c44c 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -43,6 +43,7 @@ public class ReceiveKeyController implements FxController {
 	private final String deviceId;
 	private final String bearerToken;
 	private final CompletableFuture<ReceivedKey> result;
+	private final Lazy<Scene> setupDeviceScene;
 	private final Lazy<Scene> registerDeviceScene;
 	private final Lazy<Scene> unauthorizedScene;
 	private final URI vaultBaseUri;
@@ -50,12 +51,13 @@ public class ReceiveKeyController implements FxController {
 	private final HttpClient httpClient;
 
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, HubConfig hubConfig, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, @FxmlScene(FxmlFile.HUB_INVALID_LICENSE) Lazy<Scene> invalidLicenseScene) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, HubConfig hubConfig, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_SETUP_DEVICE) Lazy<Scene> setupDeviceScene, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, @FxmlScene(FxmlFile.HUB_INVALID_LICENSE) Lazy<Scene> invalidLicenseScene) {
 		this.window = window;
 		this.hubConfig = hubConfig;
 		this.deviceId = deviceId;
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
 		this.result = result;
+		this.setupDeviceScene = setupDeviceScene;
 		this.registerDeviceScene = registerDeviceScene;
 		this.unauthorizedScene = unauthorizedScene;
 		this.vaultBaseUri = getVaultBaseUri(vault);
@@ -127,7 +129,7 @@ public class ReceiveKeyController implements FxController {
 		try {
 			switch (response.statusCode()) {
 				case 200 -> receivedDeviceTokenSuccess(userToken, response.body());
-				case 403, 404 -> needsDeviceRegistration();
+				case 403, 404 -> needsDeviceSetup();
 				default -> throw new IOException("Unexpected response " + response.statusCode());
 			}
 		} catch (IOException e) {
@@ -135,6 +137,10 @@ public class ReceiveKeyController implements FxController {
 		}
 	}
 
+	private void needsDeviceSetup() {
+		window.setScene(setupDeviceScene.get());
+	}
+
 	private void receivedDeviceTokenSuccess(String rawUserToken, String rawDeviceToken) throws IOException {
 		try {
 			var userToken = JWEObject.parse(rawUserToken);
@@ -171,7 +177,7 @@ public class ReceiveKeyController implements FxController {
 				case 200 -> receivedLegacyAccessTokenSuccess(response.body());
 				case 402 -> licenseExceeded();
 				case 403 -> accessNotGranted();
-				case 404 -> needsDeviceRegistration();
+				case 404 -> needsLegacyDeviceRegistration();
 				default -> throw new IOException("Unexpected response " + response.statusCode());
 			}
 		} catch (IOException e) {
@@ -193,7 +199,7 @@ public class ReceiveKeyController implements FxController {
 		window.setScene(invalidLicenseScene.get());
 	}
 
-	private void needsDeviceRegistration() {
+	private void needsLegacyDeviceRegistration() {
 		window.setScene(registerDeviceScene.get());
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
new file mode 100644
index 000000000..a43629246
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
@@ -0,0 +1,208 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.nimbusds.jose.JWEObject;
+import dagger.Lazy;
+import org.cryptomator.common.settings.DeviceKey;
+import org.cryptomator.cryptolib.common.P384KeyPair;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.jetbrains.annotations.Nullable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javafx.application.Platform;
+import javafx.beans.property.BooleanProperty;
+import javafx.beans.property.SimpleBooleanProperty;
+import javafx.fxml.FXML;
+import javafx.scene.Scene;
+import javafx.scene.control.Button;
+import javafx.scene.control.ContentDisplay;
+import javafx.scene.control.TextField;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.text.ParseException;
+import java.time.Instant;
+import java.time.format.DateTimeFormatter;
+import java.util.Base64;
+import java.util.Objects;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.atomic.AtomicReference;
+
+@KeyLoadingScoped
+public class SetupDeviceController implements FxController {
+
+	private static final Logger LOG = LoggerFactory.getLogger(SetupDeviceController.class);
+	private static final Gson GSON = new GsonBuilder().setLenient().create();
+
+	private final Stage window;
+	private final HubConfig hubConfig;
+	private final String bearerToken;
+	private final Lazy<Scene> registerSuccessScene;
+	private final Lazy<Scene> registerFailedScene;
+	private final String deviceId;
+	private final P384KeyPair deviceKeyPair;
+	private final CompletableFuture<ReceivedKey> result;
+	private final DecodedJWT jwt;
+	private final HttpClient httpClient;
+	private final BooleanProperty deviceNameAlreadyExists = new SimpleBooleanProperty(false);
+
+	public TextField setupCodeField;
+	public TextField deviceNameField;
+	public Button registerBtn;
+
+	@Inject
+	public SetupDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<ReceivedKey> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene) {
+		this.window = window;
+		this.hubConfig = hubConfig;
+		this.deviceId = deviceId;
+		this.deviceKeyPair = Objects.requireNonNull(deviceKey.get());
+		this.result = result;
+		this.bearerToken = Objects.requireNonNull(bearerToken.get());
+		this.registerSuccessScene = registerSuccessScene;
+		this.registerFailedScene = registerFailedScene;
+		this.jwt = JWT.decode(this.bearerToken);
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+		this.httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).executor(executor).build();
+	}
+
+	public void initialize() {
+		deviceNameField.setText(determineHostname());
+		deviceNameField.textProperty().addListener(observable -> deviceNameAlreadyExists.set(false));
+	}
+
+	private String determineHostname() {
+		try {
+			var hostName = InetAddress.getLocalHost().getHostName();
+			return Objects.requireNonNullElse(hostName, "");
+		} catch (IOException e) {
+			return "";
+		}
+	}
+
+	@FXML
+	public void register() {
+		setupCodeField.setDisable(true);
+		deviceNameField.setDisable(true);
+		deviceNameAlreadyExists.set(false);
+		registerBtn.setContentDisplay(ContentDisplay.LEFT);
+		registerBtn.setDisable(true);
+
+		var apiRootUrl = URI.create(hubConfig.devicesResourceUrl + "/..").normalize(); // TODO: add url to vault config file, only use this as a fallback for legacy vaults
+		var deviceUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
+		var deviceKey = deviceKeyPair.getPublic().getEncoded();
+
+		var userReq = HttpRequest.newBuilder(apiRootUrl.resolve("users/me")) //
+				.GET() //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.header("Content-Type", "application/json") //
+				.build();
+		httpClient.sendAsync(userReq, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8)) //
+				.thenApply(response -> {
+					if (response.statusCode() == 200) {
+						return GSON.fromJson(response.body(), UserDto.class);
+					} else {
+						throw new RuntimeException("Server answered with unexpected status code " + response.statusCode());
+					}
+				}).thenApply(user -> {
+					try {
+						var userKey = JWEHelper.decryptUserKey(JWEObject.parse(user.privateKey), setupCodeField.getText());
+						return JWEHelper.encryptUserKey(userKey, deviceKeyPair.getPublic());
+					} catch (ParseException e) {
+						throw new RuntimeException("Server answered with unparsable user key", e);
+					}
+				}).thenCompose(jwe -> {
+					var dto = new CreateDeviceDto();
+					dto.id = deviceId;
+					dto.name = deviceNameField.getText();
+					dto.publicKey = Base64.getUrlEncoder().withoutPadding().encodeToString(deviceKey);
+					dto.userKey = jwe.serialize();
+					dto.creationTime = Instant.now().toString();
+					dto.lastSeenTime = Instant.now().toString();
+					var json = GSON.toJson(dto);
+					var putDeviceReq = HttpRequest.newBuilder(deviceUri) //
+							.PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
+							.header("Authorization", "Bearer " + bearerToken) //
+							.header("Content-Type", "application/json") //
+							.build();
+					return httpClient.sendAsync(putDeviceReq, HttpResponse.BodyHandlers.discarding());
+				}).handleAsync((response, throwable) -> {
+					if (response != null) {
+						this.handleResponse(response);
+					} else {
+						this.registrationFailed(throwable);
+					}
+					return null;
+				}, Platform::runLater);
+	}
+
+	private void handleResponse(HttpResponse<Void> response) {
+		if (response.statusCode() == 201) {
+			LOG.debug("Device registration for hub instance {} successful.", hubConfig.authSuccessUrl);
+			window.setScene(registerSuccessScene.get());
+		} else if (response.statusCode() == 409) {
+			deviceNameAlreadyExists.set(true);
+			registerBtn.setContentDisplay(ContentDisplay.TEXT_ONLY);
+			registerBtn.setDisable(false);
+		} else {
+			registrationFailed(new IllegalStateException("Unexpected http status code " + response.statusCode()));
+		}
+	}
+
+	private void registrationFailed(Throwable cause) {
+		LOG.warn("Device registration failed.", cause);
+		window.setScene(registerFailedScene.get());
+		result.completeExceptionally(cause);
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+	private void windowClosed(WindowEvent windowEvent) {
+		result.cancel(true);
+	}
+
+	/* Getter */
+
+	public String getUserName() {
+		return jwt.getClaim("email").asString();
+	}
+
+
+	//--- Getters & Setters
+
+	public BooleanProperty deviceNameAlreadyExistsProperty() {
+		return deviceNameAlreadyExists;
+	}
+
+	public boolean getDeviceNameAlreadyExists() {
+		return deviceNameAlreadyExists.get();
+	}
+
+
+	private class UserDto {
+		public String id;
+		public String name;
+		public @Nullable String publicKey;
+		public @Nullable String privateKey;
+		public @Nullable String setupCode;
+	}
+}
diff --git a/src/main/resources/fxml/hub_setup_device.fxml b/src/main/resources/fxml/hub_setup_device.fxml
new file mode 100644
index 000000000..47237fe0e
--- /dev/null
+++ b/src/main/resources/fxml/hub_setup_device.fxml
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.control.TextField?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.shape.Circle?>
+<?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.SetupDeviceController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12"
+	  alignment="TOP_LEFT">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="INFO" glyphSize="24"/>
+			</StackPane>
+		</Group>
+
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.register.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.register.description" wrapText="true"/>
+			<HBox spacing="6" alignment="CENTER_LEFT">
+				<padding>
+					<Insets top="12"/>
+				</padding>
+				<Label text="TODO: Enter your setup code" labelFor="$setupCodeField"/>
+				<TextField fx:id="setupCodeField" HBox.hgrow="ALWAYS"/>
+			</HBox>
+			<HBox spacing="6" alignment="CENTER_LEFT">
+				<padding>
+					<Insets top="12"/>
+				</padding>
+				<Label text="%hub.register.nameLabel" labelFor="$deviceNameField"/>
+				<TextField fx:id="deviceNameField" HBox.hgrow="ALWAYS"/>
+			</HBox>
+			<HBox alignment="TOP_RIGHT">
+				<Label text="%hub.register.occupiedMsg" textAlignment="RIGHT" alignment="CENTER_RIGHT" visible="${controller.deviceNameAlreadyExists}" graphicTextGap="6">
+					<padding>
+						<Insets top="6"/>
+					</padding>
+					<graphic>
+						<FontAwesome5IconView glyph="TIMES" styleClass="glyph-icon-red"/>
+					</graphic>
+				</Label>
+			</HBox>
+
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+			<ButtonBar buttonMinWidth="120" buttonOrder="+CU">
+				<buttons>
+					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#close"/>
+					<Button fx:id="registerBtn" text="%hub.register.registerBtn" ButtonBar.buttonData="OTHER" defaultButton="true" onAction="#register" contentDisplay="TEXT_ONLY" >
+						<graphic>
+							<FontAwesome5Spinner glyphSize="12" />
+						</graphic>
+					</Button>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</HBox>
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
index cac307add..2cee9cb44 100644
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
@@ -3,7 +3,6 @@ package org.cryptomator.ui.keyloading.hub;
 import com.nimbusds.jose.JWEObject;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
 import org.cryptomator.cryptolib.common.P384KeyPair;
-import org.cryptomator.cryptolib.shaded.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;

From 448eac8ff57d77f0300a110d5d7cded55141009e Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 23 Jun 2023 12:06:06 +0200
Subject: [PATCH 04/81] cleanup

---
 .../ui/keyloading/hub/SetupDeviceController.java  | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
index a43629246..7d3e11091 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
@@ -38,7 +38,6 @@ import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
 import java.time.Instant;
-import java.time.format.DateTimeFormatter;
 import java.util.Base64;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
@@ -116,12 +115,14 @@ public class SetupDeviceController implements FxController {
 		httpClient.sendAsync(userReq, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8)) //
 				.thenApply(response -> {
 					if (response.statusCode() == 200) {
-						return GSON.fromJson(response.body(), UserDto.class);
+						var dto = GSON.fromJson(response.body(), UserDto.class);
+						return Objects.requireNonNull(dto, "null or empty response body");
 					} else {
 						throw new RuntimeException("Server answered with unexpected status code " + response.statusCode());
 					}
 				}).thenApply(user -> {
 					try {
+						// TODO: if user.privateKey == null, link to "initial setup"
 						var userKey = JWEHelper.decryptUserKey(JWEObject.parse(user.privateKey), setupCodeField.getText());
 						return JWEHelper.encryptUserKey(userKey, deviceKeyPair.getPublic());
 					} catch (ParseException e) {
@@ -180,13 +181,6 @@ public class SetupDeviceController implements FxController {
 		result.cancel(true);
 	}
 
-	/* Getter */
-
-	public String getUserName() {
-		return jwt.getClaim("email").asString();
-	}
-
-
 	//--- Getters & Setters
 
 	public BooleanProperty deviceNameAlreadyExistsProperty() {
@@ -198,7 +192,8 @@ public class SetupDeviceController implements FxController {
 	}
 
 
-	private class UserDto {
+	// TODO convert to record?
+	private static class UserDto {
 		public String id;
 		public String name;
 		public @Nullable String publicKey;

From 9fc1efa005e642c761e876d38a3451f5b62ea8d1 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 29 Jun 2023 10:38:31 +0200
Subject: [PATCH 05/81] adjust labels

---
 src/main/resources/fxml/hub_setup_device.fxml | 2 +-
 src/main/resources/i18n/strings.properties    | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/main/resources/fxml/hub_setup_device.fxml b/src/main/resources/fxml/hub_setup_device.fxml
index 47237fe0e..71edd45e9 100644
--- a/src/main/resources/fxml/hub_setup_device.fxml
+++ b/src/main/resources/fxml/hub_setup_device.fxml
@@ -46,7 +46,7 @@
 				<padding>
 					<Insets top="12"/>
 				</padding>
-				<Label text="TODO: Enter your setup code" labelFor="$setupCodeField"/>
+				<Label text="%hub.register.setupCodeLabel" labelFor="$setupCodeField"/>
 				<TextField fx:id="setupCodeField" HBox.hgrow="ALWAYS"/>
 			</HBox>
 			<HBox spacing="6" alignment="CENTER_LEFT">
diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index 43060b7c1..6453f1703 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -140,9 +140,10 @@ hub.auth.loginLink=Not redirected? Click here to open it.
 hub.receive.message=Processing response…
 hub.receive.description=Cryptomator is receiving and processing the response from Hub. Please wait.
 ### Register Device
-hub.register.message=Device name required
-hub.register.description=This seems to be the first Hub access from this device. In order to identify it for access authorization, you need to name this device.
+hub.register.message=New Device
+hub.register.description=This is the first Hub access from this device. Please authorize it using your setup code.
 hub.register.nameLabel=Device Name
+hub.register.setupCodeLabel=Setup Code
 hub.register.occupiedMsg=Name already in use
 hub.register.registerBtn=Confirm
 ### Registration Success

From f08049b960afe1c63b09e8c6e28b3222b6a2bb2c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 4 Jul 2023 14:34:36 +0200
Subject: [PATCH 06/81] fix "register device" on legacy hub instances

---
 .../org/cryptomator/ui/common/FxmlFile.java   |   2 +-
 .../keyloading/hub/HubKeyLoadingModule.java   |  10 +-
 .../hub/LegacyRegisterDeviceController.java   | 191 ++++++++++++++++++
 .../keyloading/hub/ReceiveKeyController.java  |   2 +-
 ...e.fxml => hub_legacy_register_device.fxml} |   2 +-
 5 files changed, 201 insertions(+), 6 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/LegacyRegisterDeviceController.java
 rename src/main/resources/fxml/{hub_register_device.fxml => hub_legacy_register_device.fxml} (96%)

diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index 15df40e2d..0b0b93b16 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -20,7 +20,7 @@ public enum FxmlFile {
 	HUB_AUTH_FLOW("/fxml/hub_auth_flow.fxml"), //
 	HUB_INVALID_LICENSE("/fxml/hub_invalid_license.fxml"), //
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
-	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
+	HUB_LEGACY_REGISTER_DEVICE("/fxml/hub_legacy_register_device.fxml"), //
 	HUB_REGISTER_SUCCESS("/fxml/hub_register_success.fxml"), //
 	HUB_REGISTER_FAILED("/fxml/hub_register_failed.fxml"), //
 	HUB_SETUP_DEVICE("/fxml/hub_setup_device.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index e95569957..d31641580 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -1,7 +1,6 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.io.BaseEncoding;
-import com.nimbusds.jose.JWEObject;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
@@ -114,10 +113,10 @@ public abstract class HubKeyLoadingModule {
 	}
 
 	@Provides
-	@FxmlScene(FxmlFile.HUB_REGISTER_DEVICE)
+	@FxmlScene(FxmlFile.HUB_LEGACY_REGISTER_DEVICE)
 	@KeyLoadingScoped
 	static Scene provideHubRegisterDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
-		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_DEVICE);
+		return fxmlLoaders.createScene(FxmlFile.HUB_LEGACY_REGISTER_DEVICE);
 	}
 
 	@Provides
@@ -173,6 +172,11 @@ public abstract class HubKeyLoadingModule {
 	@FxControllerKey(SetupDeviceController.class)
 	abstract FxController bindSetupDeviceController(SetupDeviceController controller);
 
+	@Binds
+	@IntoMap
+	@FxControllerKey(LegacyRegisterDeviceController.class)
+	abstract FxController bindLegacyRegisterDeviceController(LegacyRegisterDeviceController controller);
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(RegisterSuccessController.class)
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/LegacyRegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/LegacyRegisterDeviceController.java
new file mode 100644
index 000000000..113ecd249
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/LegacyRegisterDeviceController.java
@@ -0,0 +1,191 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.core.JacksonException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import dagger.Lazy;
+import org.cryptomator.common.settings.DeviceKey;
+import org.cryptomator.cryptolib.common.P384KeyPair;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javafx.application.Platform;
+import javafx.beans.property.BooleanProperty;
+import javafx.beans.property.SimpleBooleanProperty;
+import javafx.fxml.FXML;
+import javafx.scene.Scene;
+import javafx.scene.control.Button;
+import javafx.scene.control.ContentDisplay;
+import javafx.scene.control.TextField;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.List;
+import java.util.Objects;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.atomic.AtomicReference;
+
+@KeyLoadingScoped
+public class LegacyRegisterDeviceController implements FxController {
+
+	private static final Logger LOG = LoggerFactory.getLogger(LegacyRegisterDeviceController.class);
+	private static final ObjectMapper JSON = new ObjectMapper().setDefaultLeniency(true);
+	private static final List<Integer> EXPECTED_RESPONSE_CODES = List.of(201, 409);
+
+	private final Stage window;
+	private final HubConfig hubConfig;
+	private final String bearerToken;
+	private final Lazy<Scene> registerSuccessScene;
+	private final Lazy<Scene> registerFailedScene;
+	private final String deviceId;
+	private final P384KeyPair keyPair;
+	private final CompletableFuture<ReceivedKey> result;
+	private final DecodedJWT jwt;
+	private final HttpClient httpClient;
+	private final BooleanProperty deviceNameAlreadyExists = new SimpleBooleanProperty(false);
+
+	public TextField deviceNameField;
+	public Button registerBtn;
+
+	@Inject
+	public LegacyRegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<ReceivedKey> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene) {
+		this.window = window;
+		this.hubConfig = hubConfig;
+		this.deviceId = deviceId;
+		this.keyPair = Objects.requireNonNull(deviceKey.get());
+		this.result = result;
+		this.bearerToken = Objects.requireNonNull(bearerToken.get());
+		this.registerSuccessScene = registerSuccessScene;
+		this.registerFailedScene = registerFailedScene;
+		this.jwt = JWT.decode(this.bearerToken);
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+		this.httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).executor(executor).build();
+	}
+
+	public void initialize() {
+		deviceNameField.setText(determineHostname());
+		deviceNameField.textProperty().addListener(observable -> deviceNameAlreadyExists.set(false));
+	}
+
+	private String determineHostname() {
+		try {
+			var hostName = InetAddress.getLocalHost().getHostName();
+			return Objects.requireNonNullElse(hostName, "");
+		} catch (IOException e) {
+			return "";
+		}
+	}
+
+	@FXML
+	public void register() {
+		deviceNameAlreadyExists.set(false);
+		registerBtn.setContentDisplay(ContentDisplay.LEFT);
+		registerBtn.setDisable(true);
+
+		var deviceUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
+		var deviceKey = keyPair.getPublic().getEncoded();
+		var dto = new CreateDeviceDto();
+		dto.id = deviceId;
+		dto.name = deviceNameField.getText();
+		dto.publicKey = Base64.getUrlEncoder().withoutPadding().encodeToString(deviceKey);
+		var json = toJson(dto);
+		var request = HttpRequest.newBuilder(deviceUri) //
+				.PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.header("Content-Type", "application/json") //
+				.build();
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.discarding()) //
+				.thenApply(response -> {
+					if (EXPECTED_RESPONSE_CODES.contains(response.statusCode())) {
+						return response;
+					} else {
+						throw new RuntimeException("Server answered with unexpected status code " + response.statusCode());
+					}
+				}).handleAsync((response, throwable) -> {
+					if (response != null) {
+						this.handleResponse(response);
+					} else {
+						this.registrationFailed(throwable);
+					}
+					return null;
+				}, Platform::runLater);
+	}
+
+	private String toJson(CreateDeviceDto dto) {
+		try {
+			return JSON.writer().writeValueAsString(dto);
+		} catch (JacksonException e) {
+			throw new IllegalStateException("Failed to serialize DTO", e);
+		}
+	}
+
+	private void handleResponse(HttpResponse<Void> voidHttpResponse) {
+		assert EXPECTED_RESPONSE_CODES.contains(voidHttpResponse.statusCode());
+
+		if (voidHttpResponse.statusCode() == 409) {
+			deviceNameAlreadyExists.set(true);
+			registerBtn.setContentDisplay(ContentDisplay.TEXT_ONLY);
+			registerBtn.setDisable(false);
+		} else {
+			LOG.debug("Device registration for hub instance {} successful.", hubConfig.authSuccessUrl);
+			window.setScene(registerSuccessScene.get());
+		}
+	}
+
+	private void registrationFailed(Throwable cause) {
+		LOG.warn("Device registration failed.", cause);
+		window.setScene(registerFailedScene.get());
+		result.completeExceptionally(cause);
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+	private void windowClosed(WindowEvent windowEvent) {
+		result.cancel(true);
+	}
+
+	/* Getter */
+
+	public String getUserName() {
+		return jwt.getClaim("email").asString();
+	}
+
+
+	//--- Getters & Setters
+
+	public BooleanProperty deviceNameAlreadyExistsProperty() {
+		return deviceNameAlreadyExists;
+	}
+
+	public boolean getDeviceNameAlreadyExists() {
+		return deviceNameAlreadyExists.get();
+	}
+
+	private static class CreateDeviceDto {
+		public String id;
+		public String name;
+		public final String type = "DESKTOP";
+		public String publicKey;
+
+	}
+
+}
\ No newline at end of file
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 1bb08c44c..5575d9eb6 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -51,7 +51,7 @@ public class ReceiveKeyController implements FxController {
 	private final HttpClient httpClient;
 
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, HubConfig hubConfig, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_SETUP_DEVICE) Lazy<Scene> setupDeviceScene, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, @FxmlScene(FxmlFile.HUB_INVALID_LICENSE) Lazy<Scene> invalidLicenseScene) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, HubConfig hubConfig, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_SETUP_DEVICE) Lazy<Scene> setupDeviceScene, @FxmlScene(FxmlFile.HUB_LEGACY_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, @FxmlScene(FxmlFile.HUB_INVALID_LICENSE) Lazy<Scene> invalidLicenseScene) {
 		this.window = window;
 		this.hubConfig = hubConfig;
 		this.deviceId = deviceId;
diff --git a/src/main/resources/fxml/hub_register_device.fxml b/src/main/resources/fxml/hub_legacy_register_device.fxml
similarity index 96%
rename from src/main/resources/fxml/hub_register_device.fxml
rename to src/main/resources/fxml/hub_legacy_register_device.fxml
index 8db67c272..51d4cf8b7 100644
--- a/src/main/resources/fxml/hub_register_device.fxml
+++ b/src/main/resources/fxml/hub_legacy_register_device.fxml
@@ -15,7 +15,7 @@
 <?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
 <HBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
-	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterDeviceController"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.LegacyRegisterDeviceController"
 	  minWidth="400"
 	  maxWidth="400"
 	  minHeight="145"

From 61025de0d6e7dd66595074dea362a4d5f38df60c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 4 Jul 2023 14:43:56 +0200
Subject: [PATCH 07/81] renamed var

[ci skip]
---
 .../ui/keyloading/hub/ReceiveKeyController.java           | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 5575d9eb6..a32997dcc 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -44,21 +44,21 @@ public class ReceiveKeyController implements FxController {
 	private final String bearerToken;
 	private final CompletableFuture<ReceivedKey> result;
 	private final Lazy<Scene> setupDeviceScene;
-	private final Lazy<Scene> registerDeviceScene;
+	private final Lazy<Scene> legacyRegisterDeviceScene;
 	private final Lazy<Scene> unauthorizedScene;
 	private final URI vaultBaseUri;
 	private final Lazy<Scene> invalidLicenseScene;
 	private final HttpClient httpClient;
 
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, HubConfig hubConfig, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_SETUP_DEVICE) Lazy<Scene> setupDeviceScene, @FxmlScene(FxmlFile.HUB_LEGACY_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, @FxmlScene(FxmlFile.HUB_INVALID_LICENSE) Lazy<Scene> invalidLicenseScene) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, HubConfig hubConfig, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_SETUP_DEVICE) Lazy<Scene> setupDeviceScene, @FxmlScene(FxmlFile.HUB_LEGACY_REGISTER_DEVICE) Lazy<Scene> legacyRegisterDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, @FxmlScene(FxmlFile.HUB_INVALID_LICENSE) Lazy<Scene> invalidLicenseScene) {
 		this.window = window;
 		this.hubConfig = hubConfig;
 		this.deviceId = deviceId;
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
 		this.result = result;
 		this.setupDeviceScene = setupDeviceScene;
-		this.registerDeviceScene = registerDeviceScene;
+		this.legacyRegisterDeviceScene = legacyRegisterDeviceScene;
 		this.unauthorizedScene = unauthorizedScene;
 		this.vaultBaseUri = getVaultBaseUri(vault);
 		this.invalidLicenseScene = invalidLicenseScene;
@@ -200,7 +200,7 @@ public class ReceiveKeyController implements FxController {
 	}
 
 	private void needsLegacyDeviceRegistration() {
-		window.setScene(registerDeviceScene.get());
+		window.setScene(legacyRegisterDeviceScene.get());
 	}
 
 	private void accessNotGranted() {

From 496f9a9cd5de4d74384779c34bc017e8ba13972a Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 4 Jul 2023 15:05:22 +0200
Subject: [PATCH 08/81] docs

[ci skip]
---
 .../keyloading/hub/ReceiveKeyController.java  | 28 ++++++++++-------
 .../ui/keyloading/hub/ReceivedKey.java        | 31 ++++++++++++++++---
 2 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index a32997dcc..f634daa5b 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -72,7 +72,7 @@ public class ReceiveKeyController implements FxController {
 	}
 
 	/**
-	 * STEP 1 (Request): GET user token for this vault
+	 * STEP 1 (Request): GET vault key for this user
 	 */
 	private void requestUserToken() {
 		var userTokenUri = appendPath(vaultBaseUri, "/user-tokens/me");
@@ -86,7 +86,7 @@ public class ReceiveKeyController implements FxController {
 	}
 
 	/**
-	 * STEP 1 (Response)
+	 * STEP 1 (Response): GET vault key for this user
 	 *
 	 * @param response Response
 	 */
@@ -106,29 +106,29 @@ public class ReceiveKeyController implements FxController {
 	}
 
 	/**
-	 * STEP 2 (Request): GET device token for this user
+	 * STEP 2 (Request): GET user key for this device
 	 */
-	private void requestDeviceToken(String userToken) {
+	private void requestDeviceToken(String encryptedVaultKey) {
 		var deviceTokenUri = appendPath(URI.create(hubConfig.devicesResourceUrl), "/%s/device-token".formatted(deviceId));
 		var request = HttpRequest.newBuilder(deviceTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
-				.thenAcceptAsync(response -> receivedDeviceTokenResponse(userToken, response), Platform::runLater) //
+				.thenAcceptAsync(response -> receivedDeviceTokenResponse(encryptedVaultKey, response), Platform::runLater) //
 				.exceptionally(this::retrievalFailed);
 	}
 
 	/**
-	 * STEP 2 (Response)
+	 * STEP 2 (Response): GET user key for this device
 	 *
 	 * @param response Response
 	 */
-	private void receivedDeviceTokenResponse(String userToken, HttpResponse<String> response) {
+	private void receivedDeviceTokenResponse(String encryptedVaultKey, HttpResponse<String> response) {
 		LOG.debug("GET {} -> Status Code {}", response.request().uri(), response.statusCode());
 		try {
 			switch (response.statusCode()) {
-				case 200 -> receivedDeviceTokenSuccess(userToken, response.body());
+				case 200 -> receivedDeviceTokenSuccess(encryptedVaultKey, response.body());
 				case 403, 404 -> needsDeviceSetup();
 				default -> throw new IOException("Unexpected response " + response.statusCode());
 			}
@@ -141,11 +141,11 @@ public class ReceiveKeyController implements FxController {
 		window.setScene(setupDeviceScene.get());
 	}
 
-	private void receivedDeviceTokenSuccess(String rawUserToken, String rawDeviceToken) throws IOException {
+	private void receivedDeviceTokenSuccess(String encryptedVaultKey, String encryptedUserKey) throws IOException {
 		try {
-			var userToken = JWEObject.parse(rawUserToken);
-			var deviceToken = JWEObject.parse(rawDeviceToken);
-			result.complete(ReceivedKey.userAndDeviceKey(userToken, deviceToken));
+			var vaultKeyJwe = JWEObject.parse(encryptedVaultKey);
+			var userKeyJwe = JWEObject.parse(encryptedUserKey);
+			result.complete(ReceivedKey.vaultKeyAndUserKey(vaultKeyJwe, userKeyJwe));
 			window.close();
 		} catch (ParseException e) {
 			throw new IOException("Failed to parse JWE", e);
@@ -155,6 +155,7 @@ public class ReceiveKeyController implements FxController {
 	/**
 	 * LEGACY FALLBACK (Request): GET the legacy access token from Hub 1.x
 	 */
+	@Deprecated
 	private void requestLegacyAccessToken() {
 		var legacyAccessTokenUri = appendPath(vaultBaseUri, "/keys/%s".formatted(deviceId));
 		var request = HttpRequest.newBuilder(legacyAccessTokenUri) //
@@ -171,6 +172,7 @@ public class ReceiveKeyController implements FxController {
 	 *
 	 * @param response Response
 	 */
+	@Deprecated
 	private void receivedLegacyAccessTokenResponse(HttpResponse<String> response) {
 		try {
 			switch (response.statusCode()) {
@@ -185,6 +187,7 @@ public class ReceiveKeyController implements FxController {
 		}
 	}
 
+	@Deprecated
 	private void receivedLegacyAccessTokenSuccess(String rawToken) throws IOException {
 		try {
 			var token = JWEObject.parse(rawToken);
@@ -199,6 +202,7 @@ public class ReceiveKeyController implements FxController {
 		window.setScene(invalidLicenseScene.get());
 	}
 
+	@Deprecated
 	private void needsLegacyDeviceRegistration() {
 		window.setScene(legacyRegisterDeviceScene.get());
 	}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java
index a6f0ac397..f59f6ead2 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java
@@ -8,17 +8,38 @@ import java.security.interfaces.ECPrivateKey;
 @FunctionalInterface
 interface ReceivedKey {
 
+	/**
+	 * Decrypts the vault key.
+	 *
+	 * @param deviceKey This device's private key.
+	 * @return The decrypted vault key
+	 */
 	Masterkey decryptMasterkey(ECPrivateKey deviceKey);
 
-	static ReceivedKey userAndDeviceKey(JWEObject userToken, JWEObject deviceToken) {
+	/**
+	 * Creates an unlock response object from the received legacy "access token" JWE.
+	 *
+	 * @param vaultKeyJwe a JWE containing the symmetric vault key, encrypted for this device's user.
+	 * @param userKeyJwe a JWE containing the user's private key, encrypted for this device.
+	 * @return Ciphertext received by Hub, which can be decrypted using this device's private key.
+	 */
+	static ReceivedKey vaultKeyAndUserKey(JWEObject vaultKeyJwe, JWEObject userKeyJwe) {
 		return deviceKey -> {
-			var userKey = JWEHelper.decryptUserKey(deviceToken, deviceKey);
-			return JWEHelper.decryptVaultKey(userToken, userKey);
+			var userKey = JWEHelper.decryptUserKey(userKeyJwe, deviceKey);
+			return JWEHelper.decryptVaultKey(vaultKeyJwe, userKey);
 		};
 	}
 
-	static ReceivedKey legacyDeviceKey(JWEObject legacyAccessToken) {
-		return deviceKey -> JWEHelper.decryptVaultKey(legacyAccessToken, deviceKey);
+	/**
+	 * Creates an unlock response object from the received legacy "access token" JWE.
+	 *
+	 * @param vaultKeyJwe a JWE containing the symmetric vault key, encrypted for this device.
+	 * @return Ciphertext received by Hub, which can be decrypted using this device's private key.
+	 * @deprecated Only for compatibility with Hub 1.0 - 1.2
+	 */
+	@Deprecated
+	static ReceivedKey legacyDeviceKey(JWEObject vaultKeyJwe) {
+		return deviceKey -> JWEHelper.decryptVaultKey(vaultKeyJwe, deviceKey);
 	}
 
 }

From e358ffd666337b225635110a9c2465f77e842073 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 4 Jul 2023 16:47:54 +0200
Subject: [PATCH 09/81] added tests

---
 .../ui/keyloading/hub/JWEHelper.java          | 21 ++++---
 .../ui/keyloading/hub/JWEHelperTest.java      | 61 +++++++++++++++++--
 2 files changed, 69 insertions(+), 13 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
index 233f2a6df..2333051be 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
@@ -53,22 +53,21 @@ class JWEHelper {
 		}
 	}
 
-	public static ECPrivateKey decryptUserKey(JWEObject jwe, String setupCode) {
+	public static ECPrivateKey decryptUserKey(JWEObject jwe, String setupCode) throws InvalidJweKeyException {
 		try {
 			jwe.decrypt(new PasswordBasedDecrypter(setupCode));
 			return decodeUserKey(jwe);
 		} catch (JOSEException e) {
-			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
+			throw new InvalidJweKeyException(e);
 		}
 	}
 
-	public static ECPrivateKey decryptUserKey(JWEObject jwe, ECPrivateKey deviceKey) {
+	public static ECPrivateKey decryptUserKey(JWEObject jwe, ECPrivateKey deviceKey) throws InvalidJweKeyException {
 		try {
 			jwe.decrypt(new ECDHDecrypter(deviceKey));
 			return decodeUserKey(jwe);
 		} catch (JOSEException e) {
-			LOG.warn("Failed to decrypt JWE: {}", jwe);
-			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
+			throw new InvalidJweKeyException(e);
 		}
 	}
 
@@ -90,13 +89,12 @@ class JWEHelper {
 		}
 	}
 
-	public static Masterkey decryptVaultKey(JWEObject jwe, ECPrivateKey privateKey) throws MasterkeyLoadingFailedException {
+	public static Masterkey decryptVaultKey(JWEObject jwe, ECPrivateKey privateKey) throws InvalidJweKeyException {
 		try {
 			jwe.decrypt(new ECDHDecrypter(privateKey));
 			return readKey(jwe, JWE_PAYLOAD_KEY_FIELD, Masterkey::new);
 		} catch (JOSEException e) {
-			LOG.warn("Failed to decrypt JWE: {}", jwe);
-			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
+			throw new InvalidJweKeyException(e);
 		}
 	}
 
@@ -122,4 +120,11 @@ class JWEHelper {
 			Arrays.fill(keyBytes, (byte) 0x00);
 		}
 	}
+
+	public static class InvalidJweKeyException extends MasterkeyLoadingFailedException {
+
+		public InvalidJweKeyException(Throwable cause) {
+			super("Invalid key", cause);
+		}
+	}
 }
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
index 2cee9cb44..a2e46cc28 100644
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
@@ -16,6 +16,7 @@ import java.text.ParseException;
 import java.util.Arrays;
 import java.util.Base64;
 
+@SuppressWarnings("resource")
 public class JWEHelperTest {
 
 	// key pairs from frontend tests (crypto.spec.ts):
@@ -29,8 +30,8 @@ public class JWEHelperTest {
 	private static final String PUB_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERxQR+NRN6Wga01370uBBzr2NHDbKIC56tPUEq2HX64RhITGhii8Zzbkb1HnRmdF0aq6uqmUy4jUhuxnKxsv59A6JeK7Unn+mpmm3pQAygjoGc9wrvoH4HWJSQYUlsXDu";
 
 	@Test
-	@DisplayName("decryptUserKey")
-	public void testDecryptUserKey() throws ParseException, InvalidKeySpecException {
+	@DisplayName("decryptUserKey with device key")
+	public void testDecryptUserKeyECDHES() throws ParseException, InvalidKeySpecException {
 		var jwe = JWEObject.parse("""
 			eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrZXlfb3BzIjpbXSwiZXh0Ijp\
 			0cnVlLCJrdHkiOiJFQyIsIngiOiJoeHpiSWh6SUJza3A5ZkZFUmJSQ2RfOU1fbWYxNElqaDZhcnNoVX\
@@ -49,6 +50,58 @@ public class JWEHelperTest {
 		Assertions.assertArrayEquals(Base64.getDecoder().decode(USER_PRIV_KEY), userKey.getEncoded());
 	}
 
+	@Test
+	@DisplayName("decryptUserKey with incorrect device key")
+	public void testDecryptUserKeyECDHESWrongKey() throws ParseException, InvalidKeySpecException {
+		var jwe = JWEObject.parse("""
+			eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrZXlfb3BzIjpbXSwiZXh0Ijp\
+			0cnVlLCJrdHkiOiJFQyIsIngiOiJoeHpiSWh6SUJza3A5ZkZFUmJSQ2RfOU1fbWYxNElqaDZhcnNoVX\
+			NkcEEyWno5ejZZNUs4NHpZR2I4b2FHemNUIiwieSI6ImJrMGRaNWhpelZ0TF9hN2hNejBjTUduNjhIR\
+			jZFdWlyNHdlclNkTFV5QWd2NWUzVzNYSG5sdHJ2VlRyU3pzUWYiLCJjcnYiOiJQLTM4NCJ9LCJhcHUi\
+			OiIiLCJhcHYiOiIifQ..pu3Q1nR_yvgRAapG.4zW0xm0JPxbcvZ66R-Mn3k841lHelDQfaUvsZZAtWs\
+			L2w4FMi6H_uu6ArAWYLtNREa_zfcPuyuJsFferYPSNRUWt4OW6aWs-l_wfo7G1ceEVxztQXzQiwD30U\
+			TA8OOdPcUuFfEq2-d9217jezrcyO6m6FjyssEZIrnRArUPWKzGdghXccGkkf0LTZcGJoHeKal-RtyP8\
+			PfvEAWTjSOCpBlSdUJ-1JL3tyd97uVFNaVuH3i7vvcMoUP_bdr0XW3rvRgaeC6X4daPLUvR1hK5Msut\
+			QMtM2vpFghS_zZxIQRqz3B2ECxa9Bjxhmn8kLX5heZ8fq3lH-bmJp1DxzZ4V1RkWk.yVwXG9yARa5Ih\
+			q2koh2NbQ""");
+		var userKeyPair = P384KeyPair.create(new X509EncodedKeySpec(Base64.getDecoder().decode(USER_PUB_KEY)), new PKCS8EncodedKeySpec(Base64.getDecoder().decode(USER_PRIV_KEY)));
+		var incorrectDevicePrivateKey = userKeyPair.getPrivate();
+
+		Assertions.assertThrows(JWEHelper.InvalidJweKeyException.class, () -> JWEHelper.decryptUserKey(jwe, incorrectDevicePrivateKey));
+	}
+
+	@Test
+	@DisplayName("decryptUserKey with setup code")
+	public void testDecryptUserKeyPBES2() throws ParseException {
+		var jwe = JWEObject.parse("""
+				eyJhbGciOiJQQkVTMi1IUzUxMitBMjU2S1ciLCJlbmMiOiJBMjU2R0NNIiwicDJzIjoiT3hMY0Q\
+				xX1pCODc1c2hvUWY2Q1ZHQSIsInAyYyI6MTAwMCwiYXB1IjoiIiwiYXB2IjoiIn0.FD4fcrP4Pb\
+				aKOQ9ZfXl0gpMM6Fa2rfqAvL0K5ZyYUiVeHCNV-A02Rg.urT1ShSv6qQxh8X7.gEqAiUWD98a2E\
+				P7ITCPTw4DJo6-BpqrxA73D6gNIj9z4d1hN-EP99Q4mWBWLH97H8ugbG5rGsm8xsjsBqpWORQqF\
+				mJZR2AhlPiwFaC7n_MDDBupSy_swDnCfj731Lal297IP5WbkFcmozKsyhmwdkctxjf_VHA.fJki\
+				kDjUaxwUKqpvT7qaAQ
+				""");
+
+		var userKey = JWEHelper.decryptUserKey(jwe, "123456");
+
+		Assertions.assertArrayEquals(Base64.getDecoder().decode(PRIV_KEY), userKey.getEncoded());
+	}
+
+	@Test
+	@DisplayName("decryptUserKey with incorrect setup code")
+	public void testDecryptUserKeyPBES2WrongKey() throws ParseException {
+		var jwe = JWEObject.parse("""
+				eyJhbGciOiJQQkVTMi1IUzUxMitBMjU2S1ciLCJlbmMiOiJBMjU2R0NNIiwicDJzIjoiT3hMY0Q\
+				xX1pCODc1c2hvUWY2Q1ZHQSIsInAyYyI6MTAwMCwiYXB1IjoiIiwiYXB2IjoiIn0.FD4fcrP4Pb\
+				aKOQ9ZfXl0gpMM6Fa2rfqAvL0K5ZyYUiVeHCNV-A02Rg.urT1ShSv6qQxh8X7.gEqAiUWD98a2E\
+				P7ITCPTw4DJo6-BpqrxA73D6gNIj9z4d1hN-EP99Q4mWBWLH97H8ugbG5rGsm8xsjsBqpWORQqF\
+				mJZR2AhlPiwFaC7n_MDDBupSy_swDnCfj731Lal297IP5WbkFcmozKsyhmwdkctxjf_VHA.fJki\
+				kDjUaxwUKqpvT7qaAQ
+				""");
+
+		Assertions.assertThrows(JWEHelper.InvalidJweKeyException.class, () -> JWEHelper.decryptUserKey(jwe, "654321"));
+	}
+
 	@Test
 	@DisplayName("decryptVaultKey")
 	public void testDecryptVaultKey() throws ParseException, InvalidKeySpecException {
@@ -84,9 +137,7 @@ public class JWEHelperTest {
 		var jwe = JWEObject.parse(malformed);
 		var privateKey = P384KeyPair.create(new X509EncodedKeySpec(Base64.getDecoder().decode(PUB_KEY)), new PKCS8EncodedKeySpec(Base64.getDecoder().decode(PRIV_KEY))).getPrivate();
 
-		Assertions.assertThrows(MasterkeyLoadingFailedException.class, () -> {
-			JWEHelper.decryptVaultKey(jwe, privateKey);
-		});
+		Assertions.assertThrows(MasterkeyLoadingFailedException.class, () -> JWEHelper.decryptVaultKey(jwe, privateKey));
 	}
 
 }
\ No newline at end of file

From 0ad8ce77ef8f7d27b14d37383a9f5ebac58348e4 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 4 Jul 2023 16:55:42 +0200
Subject: [PATCH 10/81] handle "invalid setup code" error properly

---
 .../keyloading/hub/SetupDeviceController.java | 64 +++++++++++--------
 src/main/resources/fxml/hub_setup_device.fxml | 11 +++-
 src/main/resources/i18n/strings.properties    |  1 +
 3 files changed, 49 insertions(+), 27 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
index 85277f00d..d3ea5a29a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
@@ -1,7 +1,5 @@
 package org.cryptomator.ui.keyloading.hub;
 
-import com.auth0.jwt.JWT;
-import com.auth0.jwt.interfaces.DecodedJWT;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JacksonException;
@@ -23,6 +21,7 @@ import org.slf4j.LoggerFactory;
 import javax.inject.Inject;
 import javax.inject.Named;
 import javafx.application.Platform;
+import javafx.beans.binding.Bindings;
 import javafx.beans.property.BooleanProperty;
 import javafx.beans.property.SimpleBooleanProperty;
 import javafx.fxml.FXML;
@@ -43,6 +42,7 @@ import java.text.ParseException;
 import java.time.Instant;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
 
@@ -60,10 +60,11 @@ public class SetupDeviceController implements FxController {
 	private final String deviceId;
 	private final P384KeyPair deviceKeyPair;
 	private final CompletableFuture<ReceivedKey> result;
-	private final DecodedJWT jwt;
 	private final HttpClient httpClient;
-	private final BooleanProperty deviceNameAlreadyExists = new SimpleBooleanProperty(false);
 
+	private final BooleanProperty deviceNameAlreadyExists = new SimpleBooleanProperty(false);
+	private final BooleanProperty invalidSetupCode = new SimpleBooleanProperty(false);
+	private final BooleanProperty workInProgress = new SimpleBooleanProperty(false);
 	public TextField setupCodeField;
 	public TextField deviceNameField;
 	public Button registerBtn;
@@ -78,7 +79,6 @@ public class SetupDeviceController implements FxController {
 		this.bearerToken = Objects.requireNonNull(bearerToken.get());
 		this.registerSuccessScene = registerSuccessScene;
 		this.registerFailedScene = registerFailedScene;
-		this.jwt = JWT.decode(this.bearerToken);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 		this.httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).executor(executor).build();
 	}
@@ -86,6 +86,11 @@ public class SetupDeviceController implements FxController {
 	public void initialize() {
 		deviceNameField.setText(determineHostname());
 		deviceNameField.textProperty().addListener(observable -> deviceNameAlreadyExists.set(false));
+		deviceNameField.disableProperty().bind(workInProgress);
+		setupCodeField.textProperty().addListener(observable -> invalidSetupCode.set(false));
+		setupCodeField.disableProperty().bind(workInProgress);
+		registerBtn.disableProperty().bind(workInProgress.or(setupCodeField.textProperty().isEmpty()).or(deviceNameField.textProperty().isEmpty()));
+		registerBtn.contentDisplayProperty().bind(Bindings.when(workInProgress).then(ContentDisplay.LEFT).otherwise(ContentDisplay.TEXT_ONLY));
 	}
 
 	private String determineHostname() {
@@ -99,11 +104,7 @@ public class SetupDeviceController implements FxController {
 
 	@FXML
 	public void register() {
-		setupCodeField.setDisable(true);
-		deviceNameField.setDisable(true);
-		deviceNameAlreadyExists.set(false);
-		registerBtn.setContentDisplay(ContentDisplay.LEFT);
-		registerBtn.setDisable(true);
+		workInProgress.set(true);
 
 		var apiRootUrl = URI.create(hubConfig.devicesResourceUrl + "/..").normalize(); // TODO: add url to vault config file, only use this as a fallback for legacy vaults
 		var deviceUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
@@ -140,13 +141,13 @@ public class SetupDeviceController implements FxController {
 							.header("Content-Type", "application/json") //
 							.build();
 					return httpClient.sendAsync(putDeviceReq, HttpResponse.BodyHandlers.discarding());
-				}).handleAsync((response, throwable) -> {
+				}).whenCompleteAsync((response, throwable) -> {
 					if (response != null) {
 						this.handleResponse(response);
 					} else {
-						this.registrationFailed(throwable);
+						this.setupFailed(throwable);
 					}
-					return null;
+					workInProgress.set(false);
 				}, Platform::runLater);
 	}
 
@@ -172,17 +173,20 @@ public class SetupDeviceController implements FxController {
 			window.setScene(registerSuccessScene.get());
 		} else if (response.statusCode() == 409) {
 			deviceNameAlreadyExists.set(true);
-			registerBtn.setContentDisplay(ContentDisplay.TEXT_ONLY);
-			registerBtn.setDisable(false);
 		} else {
-			registrationFailed(new IllegalStateException("Unexpected http status code " + response.statusCode()));
+			setupFailed(new IllegalStateException("Unexpected http status code " + response.statusCode()));
 		}
 	}
 
-	private void registrationFailed(Throwable cause) {
-		LOG.warn("Device registration failed.", cause);
-		window.setScene(registerFailedScene.get());
-		result.completeExceptionally(cause);
+	private void setupFailed(Throwable cause) {
+		switch (cause) {
+			case CompletionException e when e.getCause() instanceof JWEHelper.InvalidJweKeyException -> invalidSetupCode.set(true);
+			default -> {
+				LOG.warn("Device setup failed.", cause);
+				window.setScene(registerFailedScene.get());
+				result.completeExceptionally(cause);
+			}
+		}
 	}
 
 	@FXML
@@ -204,14 +208,22 @@ public class SetupDeviceController implements FxController {
 		return deviceNameAlreadyExists.get();
 	}
 
+	public BooleanProperty invalidSetupCodeProperty() {
+		return invalidSetupCode;
+	}
+
+	public boolean isInvalidSetupCode() {
+		return invalidSetupCode.get();
+	}
+
 	@JsonIgnoreProperties(ignoreUnknown = true)
 	private record UserDto(String id, String name, String publicKey, String privateKey, String setupCode) {}
 
 	private record CreateDeviceDto(@JsonProperty(required = true) String id, //
-								  @JsonProperty(required = true) String name, //
-								  @JsonProperty(required = true) String publicKey, //
-								  @JsonProperty(defaultValue = "DESKTOP", required = true) String type, //
-								  @JsonProperty @Nullable String userKey, //
-								  @JsonProperty @Nullable String creationTime, //
-								  @JsonProperty @Nullable String lastSeenTime) {}
+								   @JsonProperty(required = true) String name, //
+								   @JsonProperty(required = true) String publicKey, //
+								   @JsonProperty(defaultValue = "DESKTOP", required = true) String type, //
+								   @JsonProperty @Nullable String userKey, //
+								   @JsonProperty @Nullable String creationTime, //
+								   @JsonProperty @Nullable String lastSeenTime) {}
 }
diff --git a/src/main/resources/fxml/hub_setup_device.fxml b/src/main/resources/fxml/hub_setup_device.fxml
index 71edd45e9..708abbae8 100644
--- a/src/main/resources/fxml/hub_setup_device.fxml
+++ b/src/main/resources/fxml/hub_setup_device.fxml
@@ -57,7 +57,16 @@
 				<TextField fx:id="deviceNameField" HBox.hgrow="ALWAYS"/>
 			</HBox>
 			<HBox alignment="TOP_RIGHT">
-				<Label text="%hub.register.occupiedMsg" textAlignment="RIGHT" alignment="CENTER_RIGHT" visible="${controller.deviceNameAlreadyExists}" graphicTextGap="6">
+				<Label text="%hub.register.occupiedMsg" textAlignment="RIGHT" alignment="CENTER_RIGHT" visible="${controller.deviceNameAlreadyExists}" managed="${controller.deviceNameAlreadyExists}" graphicTextGap="6">
+					<padding>
+						<Insets top="6"/>
+					</padding>
+					<graphic>
+						<FontAwesome5IconView glyph="TIMES" styleClass="glyph-icon-red"/>
+					</graphic>
+				</Label>
+
+				<Label text="%hub.register.invalidSetupCode" textAlignment="RIGHT" alignment="CENTER_RIGHT" visible="${controller.invalidSetupCode}" managed="${controller.invalidSetupCode}" graphicTextGap="6">
 					<padding>
 						<Insets top="6"/>
 					</padding>
diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index 003daf65f..6ed6de62a 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -148,6 +148,7 @@ hub.register.message=New Device
 hub.register.description=This is the first Hub access from this device. Please authorize it using your setup code.
 hub.register.nameLabel=Device Name
 hub.register.setupCodeLabel=Setup Code
+hub.register.invalidSetupCode=Invalid Setup Code
 hub.register.occupiedMsg=Name already in use
 hub.register.registerBtn=Confirm
 ### Registration Success

From 8cb21c97e34aba28b6b5b055857b5f3991e3ac5c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 4 Jul 2023 16:58:37 +0200
Subject: [PATCH 11/81] add mark for future improvement

---
 .../org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index f634daa5b..4292d809f 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -129,7 +129,7 @@ public class ReceiveKeyController implements FxController {
 		try {
 			switch (response.statusCode()) {
 				case 200 -> receivedDeviceTokenSuccess(encryptedVaultKey, response.body());
-				case 403, 404 -> needsDeviceSetup();
+				case 403, 404 -> needsDeviceSetup(); // TODO: using the setup code, we can theoretically immediately unlock
 				default -> throw new IOException("Unexpected response " + response.statusCode());
 			}
 		} catch (IOException e) {

From cd10d389901ac84871bb82593b7c4c4fbf3e0bd8 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 6 Jul 2023 18:57:10 +0200
Subject: [PATCH 12/81] adjusted to latest API-changes

---
 .../keyloading/hub/ReceiveKeyController.java  | 44 ++++++++++++-------
 .../keyloading/hub/SetupDeviceController.java |  9 ++--
 2 files changed, 33 insertions(+), 20 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 4292d809f..88f8045eb 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -1,5 +1,8 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.nimbusds.jose.JWEObject;
 import dagger.Lazy;
 import org.cryptomator.common.vaults.Vault;
@@ -8,6 +11,7 @@ import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.jetbrains.annotations.NotNull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -27,6 +31,7 @@ import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
+import java.time.Instant;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutorService;
@@ -37,6 +42,7 @@ public class ReceiveKeyController implements FxController {
 
 	private static final Logger LOG = LoggerFactory.getLogger(ReceiveKeyController.class);
 	private static final String SCHEME_PREFIX = "hub+";
+	private static final ObjectMapper JSON = new ObjectMapper().setDefaultLeniency(true);
 
 	private final Stage window;
 	private final HubConfig hubConfig;
@@ -68,20 +74,20 @@ public class ReceiveKeyController implements FxController {
 
 	@FXML
 	public void initialize() {
-		requestUserToken();
+		requestVaultMasterkey();
 	}
 
 	/**
 	 * STEP 1 (Request): GET vault key for this user
 	 */
-	private void requestUserToken() {
-		var userTokenUri = appendPath(vaultBaseUri, "/user-tokens/me");
-		var request = HttpRequest.newBuilder(userTokenUri) //
+	private void requestVaultMasterkey() {
+		var accessTokenUri = appendPath(vaultBaseUri, "/access-token");
+		var request = HttpRequest.newBuilder(accessTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
-				.thenAcceptAsync(this::receivedUserTokenResponse, Platform::runLater) //
+				.thenAcceptAsync(this::receivedVaultMasterkey, Platform::runLater) //
 				.exceptionally(this::retrievalFailed);
 	}
 
@@ -90,14 +96,15 @@ public class ReceiveKeyController implements FxController {
 	 *
 	 * @param response Response
 	 */
-	private void receivedUserTokenResponse(HttpResponse<String> response) {
+	private void receivedVaultMasterkey(HttpResponse<String> response) {
 		LOG.debug("GET {} -> Status Code {}", response.request().uri(), response.statusCode());
 		try {
 			switch (response.statusCode()) {
-				case 200 -> requestDeviceToken(response.body());
+				case 200 -> requestUserKey(response.body());
 				case 402 -> licenseExceeded();
 				case 403 -> accessNotGranted();
 				case 404 -> requestLegacyAccessToken();
+				case 410 -> throw new IOException("Vault has been archived."); // TODO add dialog
 				default -> throw new IOException("Unexpected response " + response.statusCode());
 			}
 		} catch (IOException e) {
@@ -108,14 +115,14 @@ public class ReceiveKeyController implements FxController {
 	/**
 	 * STEP 2 (Request): GET user key for this device
 	 */
-	private void requestDeviceToken(String encryptedVaultKey) {
-		var deviceTokenUri = appendPath(URI.create(hubConfig.devicesResourceUrl), "/%s/device-token".formatted(deviceId));
+	private void requestUserKey(String encryptedVaultKey) {
+		var deviceTokenUri = appendPath(URI.create(hubConfig.devicesResourceUrl), "/%s".formatted(deviceId));
 		var request = HttpRequest.newBuilder(deviceTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
 				.build();
-		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
-				.thenAcceptAsync(response -> receivedDeviceTokenResponse(encryptedVaultKey, response), Platform::runLater) //
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8)) //
+				.thenAcceptAsync(response -> receivedUserKey(encryptedVaultKey, response), Platform::runLater) //
 				.exceptionally(this::retrievalFailed);
 	}
 
@@ -124,12 +131,15 @@ public class ReceiveKeyController implements FxController {
 	 *
 	 * @param response Response
 	 */
-	private void receivedDeviceTokenResponse(String encryptedVaultKey, HttpResponse<String> response) {
+	private void receivedUserKey(String encryptedVaultKey, HttpResponse<String> response) {
 		LOG.debug("GET {} -> Status Code {}", response.request().uri(), response.statusCode());
 		try {
 			switch (response.statusCode()) {
-				case 200 -> receivedDeviceTokenSuccess(encryptedVaultKey, response.body());
-				case 403, 404 -> needsDeviceSetup(); // TODO: using the setup code, we can theoretically immediately unlock
+				case 200 -> {
+					var device = JSON.reader().readValue(response.body(), DeviceDto.class);
+					receivedBothEncryptedKeys(encryptedVaultKey, device.userPrivateKey);
+				}
+				case 404 -> needsDeviceSetup(); // TODO: using the setup code, we can theoretically immediately unlock
 				default -> throw new IOException("Unexpected response " + response.statusCode());
 			}
 		} catch (IOException e) {
@@ -141,7 +151,7 @@ public class ReceiveKeyController implements FxController {
 		window.setScene(setupDeviceScene.get());
 	}
 
-	private void receivedDeviceTokenSuccess(String encryptedVaultKey, String encryptedUserKey) throws IOException {
+	private void receivedBothEncryptedKeys(String encryptedVaultKey, String encryptedUserKey) throws IOException {
 		try {
 			var vaultKeyJwe = JWEObject.parse(encryptedVaultKey);
 			var userKeyJwe = JWEObject.parse(encryptedUserKey);
@@ -180,6 +190,7 @@ public class ReceiveKeyController implements FxController {
 				case 402 -> licenseExceeded();
 				case 403 -> accessNotGranted();
 				case 404 -> needsLegacyDeviceRegistration();
+				case 410 -> throw new IOException("Vault has been archived."); // TODO add dialog
 				default -> throw new IOException("Unexpected response " + response.statusCode());
 			}
 		} catch (IOException e) {
@@ -246,4 +257,7 @@ public class ReceiveKeyController implements FxController {
 			throw new IllegalStateException("URI constructed from params known to be valid", e);
 		}
 	}
+
+	@JsonIgnoreProperties(ignoreUnknown = true)
+	private record DeviceDto(@JsonProperty(value = "userPrivateKey", required = true) String userPrivateKey) {}
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
index d3ea5a29a..5340f6295 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
@@ -133,7 +133,7 @@ public class SetupDeviceController implements FxController {
 					}
 				}).thenCompose(jwe -> {
 					var now = Instant.now().toString();
-					var dto = new CreateDeviceDto(deviceId, deviceNameField.getText(), BaseEncoding.base64Url().omitPadding().encode(deviceKey), "DESKTOP", jwe.serialize(), now, now);
+					var dto = new CreateDeviceDto(deviceId, deviceNameField.getText(), BaseEncoding.base64().encode(deviceKey), "DESKTOP", jwe.serialize(), now);
 					var json = toJson(dto);
 					var putDeviceReq = HttpRequest.newBuilder(deviceUri) //
 							.PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
@@ -222,8 +222,7 @@ public class SetupDeviceController implements FxController {
 	private record CreateDeviceDto(@JsonProperty(required = true) String id, //
 								   @JsonProperty(required = true) String name, //
 								   @JsonProperty(required = true) String publicKey, //
-								   @JsonProperty(defaultValue = "DESKTOP", required = true) String type, //
-								   @JsonProperty @Nullable String userKey, //
-								   @JsonProperty @Nullable String creationTime, //
-								   @JsonProperty @Nullable String lastSeenTime) {}
+								   @JsonProperty(required = true, defaultValue = "DESKTOP") String type, //
+								   @JsonProperty(required = true) String userPrivateKey, //
+								   @JsonProperty(required = true) String creationTime) {}
 }

From cfd433b3286a5a7634e9dd27ecd5a0148ea3f821 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 29 Aug 2023 07:26:46 +0200
Subject: [PATCH 13/81] revert to simple of of bounds check

as suggested in https://github.com/cryptomator/cryptomator/pull/3017#discussion_r1264527894 with minor adjustments
---
 .../ui/mainwindow/ResizeController.java       | 49 +++++++------------
 1 file changed, 17 insertions(+), 32 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java b/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java
index b136fa55c..76bddd0d8 100644
--- a/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java
+++ b/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java
@@ -7,7 +7,6 @@ import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
 import javafx.beans.binding.BooleanBinding;
-import javafx.collections.ObservableList;
 import javafx.fxml.FXML;
 import javafx.geometry.Rectangle2D;
 import javafx.scene.input.MouseEvent;
@@ -67,37 +66,7 @@ public class ResizeController implements FxController {
 		return (settings.windowHeight.get() == 0) && (settings.windowWidth.get() == 0) && (settings.windowXPosition.get() == 0) && (settings.windowYPosition.get() == 0);
 	}
 
-	private boolean isWithinDisplayBounds() {
-		// (x1, y1) is the top left corner of the window, (x2, y2) is the bottom right corner
-		final double slack = 10;
-		final double width = window.getWidth() - 2 * slack;
-		final double height = window.getHeight() - 2 * slack;
-		final double x1 = window.getX() + slack;
-		final double y1 = window.getY() + slack;
-		final double x2 = x1 + width;
-		final double y2 = y1 + height;
-
-		final ObservableList<Screen> screens = Screen.getScreensForRectangle(x1, y1, width, height);
-
-		// Find the total visible area of the window
-		double visibleArea = 0;
-		for (Screen screen : screens) {
-			Rectangle2D bounds = screen.getVisualBounds();
-
-			double xOverlap = Math.min(x2, bounds.getMaxX()) - Math.max(x1, bounds.getMinX());
-			double yOverlap = Math.min(y2, bounds.getMaxY()) - Math.max(y1, bounds.getMinY());
-
-			visibleArea += xOverlap * yOverlap;
-		}
-
-		final double windowArea = width * height;
-
-		// Within bounds if the visible area matches the window area
-		return visibleArea == windowArea;
-	}
-
 	private void checkDisplayBounds(WindowEvent evt) {
-
 		// Minimizing a window in Windows and closing it could result in an out of bounds position at (x, y) = (-32000, -32000)
 		// See https://devblogs.microsoft.com/oldnewthing/20041028-00/?p=37453
 		// If the position is (-32000, -32000), restore to the last saved position
@@ -108,8 +77,9 @@ public class ResizeController implements FxController {
 			window.setHeight(settings.windowHeight.get());
 		}
 
-		if (!isWithinDisplayBounds()) {
+		if (isOutOfDisplayBounds()) {
 			// If the position is illegal, then the window appears on the main screen in the middle of the window.
+			LOG.debug("Resetting window position due to insufficient screen overlap");
 			Rectangle2D primaryScreenBounds = Screen.getPrimary().getBounds();
 			window.setX((primaryScreenBounds.getWidth() - window.getMinWidth()) / 2);
 			window.setY((primaryScreenBounds.getHeight() - window.getMinHeight()) / 2);
@@ -119,6 +89,21 @@ public class ResizeController implements FxController {
 		}
 	}
 
+	private boolean isOutOfDisplayBounds() {
+		final int x = settings.windowXPosition.get();
+		final int y = settings.windowYPosition.get();
+		final int width = settings.windowWidth.get();
+		final int height = settings.windowHeight.get();
+		return isRectangleOutOfScreen(x + 20, y, 0, height) // Left pixel column (+20)
+				|| isRectangleOutOfScreen(x + width - 20, y, 0, height) // Right pixel column (-20)
+				|| isRectangleOutOfScreen(x, y + 5, width, 0) // Top pixel row (+5)
+				|| isRectangleOutOfScreen(x, y + height - 20, width, 0); // Bottom pixel row (-20)
+	}
+
+	private boolean isRectangleOutOfScreen(int x, int y, int width, int height) {
+		return Screen.getScreensForRectangle(x, y, width, height).isEmpty();
+	}
+
 	private void startResize(MouseEvent evt) {
 		origX = window.getX();
 		origY = window.getY();

From 4043e3f71f9f2dd908814a54700ae0e52582e163 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 6 Sep 2023 16:22:41 +0200
Subject: [PATCH 14/81] build using JDK 21

---
 .github/workflows/appimage-amd64.yml |  4 ++--
 .github/workflows/build.yml          |  4 ++--
 .github/workflows/debian.yml         |  4 ++--
 .github/workflows/get-version.yml    |  4 ++--
 .github/workflows/mac-dmg.yml        |  4 ++--
 .github/workflows/pullrequest.yml    |  4 ++--
 .github/workflows/win-exe.yml        |  4 ++--
 .idea/compiler.xml                   | 23 +++++++++++------------
 .idea/misc.xml                       |  2 +-
 pom.xml                              |  6 ++++--
 10 files changed, 30 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/appimage-amd64.yml b/.github/workflows/appimage-amd64.yml
index dbc180473..14da19fc1 100644
--- a/.github/workflows/appimage-amd64.yml
+++ b/.github/workflows/appimage-amd64.yml
@@ -10,8 +10,8 @@ on:
         required: false
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21-ea
   OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-x64_bin-jmods.zip'
   OPENJFX_JMODS_AMD64_HASH: 'f522ac2ae4bdd61f0219b7b8d2058ff72a22f36a44378453bcfdcd82f8f5e08c'
 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 13acee970..df7d13b0f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,8 +6,8 @@ on:
     types: [labeled]
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21-ea
 
 defaults:
   run:
diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
index 14cdca80a..281e570ee 100644
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
@@ -16,8 +16,8 @@ on:
         type: boolean
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21-ea
   OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-x64_bin-jmods.zip'
   OPENJFX_JMODS_AMD64_HASH: 'f522ac2ae4bdd61f0219b7b8d2058ff72a22f36a44378453bcfdcd82f8f5e08c'
   OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-aarch64_bin-jmods.zip'
diff --git a/.github/workflows/get-version.yml b/.github/workflows/get-version.yml
index 44f5ccd85..543789d04 100644
--- a/.github/workflows/get-version.yml
+++ b/.github/workflows/get-version.yml
@@ -22,8 +22,8 @@ on:
         value: ${{ jobs.determine-version.outputs.type }}
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21-ea
 
 jobs:
   determine-version:
diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml
index fe10ce531..63c7cf5c4 100644
--- a/.github/workflows/mac-dmg.yml
+++ b/.github/workflows/mac-dmg.yml
@@ -15,8 +15,8 @@ on:
         type: boolean
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21-ea
   OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_osx-x64_bin-jmods.zip'
   OPENJFX_JMODS_AMD64_HASH: '55b8ff7453d59c89ae129f6c9c5ad7b09a5d359568811b376ac1766c14d6a17c'
   OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_osx-aarch64_bin-jmods.zip'
diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
index 14146d0cb..b7409acfa 100644
--- a/.github/workflows/pullrequest.yml
+++ b/.github/workflows/pullrequest.yml
@@ -4,8 +4,8 @@ on:
   pull_request:
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21-ea
 
 defaults:
   run:
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 066b7d49e..6747199c7 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -14,8 +14,8 @@ on:
 
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21-ea
   OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_windows-x64_bin-jmods.zip'
   OPENJFX_JMODS_AMD64_HASH: '18625bbc13c57dbf802486564247a8d8cab72ec558c240a401bf6440384ebd77'
 
diff --git a/.idea/compiler.xml b/.idea/compiler.xml
index 1d25cbef3..df360a26d 100644
--- a/.idea/compiler.xml
+++ b/.idea/compiler.xml
@@ -14,10 +14,10 @@
         <option name="dagger.fastInit" value="enabled" />
         <option name="dagger.formatGeneratedSource" value="enabled" />
         <processorPath useClasspath="false">
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.45/dagger-compiler-2.45.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.45/dagger-2.45.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.48/dagger-compiler-2.48.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.48/dagger-2.48.jar" />
           <entry name="$MAVEN_REPOSITORY$/javax/inject/javax.inject/1/javax.inject-1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-producers/2.45/dagger-producers-2.45.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-producers/2.48/dagger-producers-2.48.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/guava/31.0.1-jre/guava-31.0.1-jre.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar" />
@@ -26,20 +26,19 @@
           <entry name="$MAVEN_REPOSITORY$/com/google/errorprone/error_prone_annotations/2.7.1/error_prone_annotations-2.7.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/checkerframework/checker-compat-qual/2.5.5/checker-compat-qual-2.5.5.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.45/dagger-spi-2.45.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/1.7.0-1.0.6/symbol-processing-api-1.7.0-1.0.6.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/1.7.0/kotlin-stdlib-1.7.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-common/1.7.0/kotlin-stdlib-common-1.7.0.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.48/dagger-spi-2.48.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/1.9.0-1.0.12/symbol-processing-api-1.9.0-1.0.12.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/1.9.0/kotlin-stdlib-1.9.0.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-common/1.9.0/kotlin-stdlib-common-1.9.0.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/jetbrains/annotations/13.0/annotations-13.0.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/squareup/javapoet/1.13.0/javapoet-1.13.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/squareup/kotlinpoet/1.11.0/kotlinpoet-1.11.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk8/1.7.0/kotlin-stdlib-jdk8-1.7.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk7/1.7.0/kotlin-stdlib-jdk7-1.7.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-reflect/1.6.10/kotlin-reflect-1.6.10.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/googlejavaformat/google-java-format/1.5/google-java-format-1.5.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/errorprone/javac-shaded/9-dev-r4023-3/javac-shaded-9-dev-r4023-3.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/squareup/kotlinpoet/1.11.0/kotlinpoet-1.11.0.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk8/1.6.10/kotlin-stdlib-jdk8-1.6.10.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk7/1.6.10/kotlin-stdlib-jdk7-1.6.10.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-reflect/1.6.10/kotlin-reflect-1.6.10.jar" />
           <entry name="$MAVEN_REPOSITORY$/net/ltgt/gradle/incap/incap/0.2/incap-0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlinx/kotlinx-metadata-jvm/0.5.0/kotlinx-metadata-jvm-0.5.0.jar" />
         </processorPath>
         <module name="cryptomator" />
       </profile>
diff --git a/.idea/misc.xml b/.idea/misc.xml
index 891096945..a85576869 100644
--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -8,7 +8,7 @@
       </list>
     </option>
   </component>
-  <component name="ProjectRootManager" version="2" languageLevel="JDK_20_PREVIEW" project-jdk-name="20" project-jdk-type="JavaSDK">
+  <component name="ProjectRootManager" version="2" languageLevel="JDK_X" default="true" project-jdk-name="21" project-jdk-type="JavaSDK">
     <output url="file://$PROJECT_DIR$/out" />
   </component>
 </project>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 07deef6c0..cd0fcf82e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -26,7 +26,7 @@
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<project.jdk.version>20</project.jdk.version>
+		<project.jdk.version>21</project.jdk.version>
 
 		<!-- Group IDs of jars that need to stay on the class path for now -->
 		<!-- remove them, as soon they got modularized or support is dropped (i.e., WebDAV) -->
@@ -38,7 +38,7 @@
 		<cryptomator.integrations.win.version>1.2.2</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.2.1</cryptomator.integrations.mac.version>
 		<cryptomator.integrations.linux.version>1.3.0-beta6</cryptomator.integrations.linux.version>
-		<cryptomator.fuse.version>3.0.0</cryptomator.fuse.version>
+		<cryptomator.fuse.version>4.0.0-beta1</cryptomator.fuse.version>
 		<cryptomator.dokany.version>2.0.0</cryptomator.dokany.version>
 		<cryptomator.webdav.version>2.0.3</cryptomator.webdav.version>
 
@@ -509,11 +509,13 @@
 				</property>
 			</activation>
 			<dependencies>
+				<!-- not yet JDK 21 compatible, falling back to AWT; see https://github.com/purejava/appindicator-gtk3-java/issues/14
 				<dependency>
 					<groupId>org.cryptomator</groupId>
 					<artifactId>integrations-linux</artifactId>
 					<version>${cryptomator.integrations.linux.version}</version>
 				</dependency>
+				 -->
 			</dependencies>
 		</profile>
 

From eb4d39e8b481a5c16996b3002d318b1bb42f9f8d Mon Sep 17 00:00:00 2001
From: Jan-Peter Klein <jan-peter.klein@skymatic.de>
Date: Tue, 12 Sep 2023 13:34:55 +0200
Subject: [PATCH 15/81] introduce 'errorCode' parameter in request

---
 src/main/java/org/cryptomator/ui/error/ErrorController.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/error/ErrorController.java b/src/main/java/org/cryptomator/ui/error/ErrorController.java
index 3feb3ff44..deb114116 100644
--- a/src/main/java/org/cryptomator/ui/error/ErrorController.java
+++ b/src/main/java/org/cryptomator/ui/error/ErrorController.java
@@ -42,7 +42,7 @@ public class ErrorController implements FxController {
 
 	private static final ObjectMapper JSON = new ObjectMapper();
 	private static final Logger LOG = LoggerFactory.getLogger(ErrorController.class);
-	private static final String ERROR_CODES_URL = "https://api.cryptomator.org/desktop/error-codes.json";
+	private static final String ERROR_CODES_URL = "https://api.cryptomator.org/desktop/error-codes.json?error-code=%s";
 	private static final String SEARCH_URL_FORMAT = "https://github.com/cryptomator/cryptomator/discussions/categories/errors?discussions_q=category:Errors+%s";
 	private static final String REPORT_URL_FORMAT = "https://github.com/cryptomator/cryptomator/discussions/new?category=Errors&title=Error+%s&body=%s";
 	private static final String SEARCH_ERRORCODE_DELIM = " OR ";
@@ -146,7 +146,7 @@ public class ErrorController implements FxController {
 		askedForLookupDatabasePermission.set(true);
 		HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
 		HttpRequest httpRequest = HttpRequest.newBuilder()//
-				.uri(URI.create(ERROR_CODES_URL))//
+				.uri(URI.create(ERROR_CODES_URL.formatted(errorCode.toString())))//
 				.build();
 		httpClient.sendAsync(httpRequest, HttpResponse.BodyHandlers.ofInputStream())//
 				.thenAcceptAsync(this::loadHttpResponse, executorService)//

From 666cd4a4f05367a4a5723d1fcec9b3517bd6c451 Mon Sep 17 00:00:00 2001
From: Jan-Peter Klein <jan-peter.klein@skymatic.de>
Date: Tue, 12 Sep 2023 17:14:45 +0200
Subject: [PATCH 16/81] enhanced request URI with URLEncoder for errorCode

---
 src/main/java/org/cryptomator/ui/error/ErrorController.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/cryptomator/ui/error/ErrorController.java b/src/main/java/org/cryptomator/ui/error/ErrorController.java
index deb114116..686d219e1 100644
--- a/src/main/java/org/cryptomator/ui/error/ErrorController.java
+++ b/src/main/java/org/cryptomator/ui/error/ErrorController.java
@@ -146,7 +146,7 @@ public class ErrorController implements FxController {
 		askedForLookupDatabasePermission.set(true);
 		HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
 		HttpRequest httpRequest = HttpRequest.newBuilder()//
-				.uri(URI.create(ERROR_CODES_URL.formatted(errorCode.toString())))//
+				.uri(URI.create(ERROR_CODES_URL.formatted(URLEncoder.encode(errorCode.toString(),StandardCharsets.UTF_8))))//
 				.build();
 		httpClient.sendAsync(httpRequest, HttpResponse.BodyHandlers.ofInputStream())//
 				.thenAcceptAsync(this::loadHttpResponse, executorService)//

From 5d7906972b0c59d877c391573d44ed8b9c64e1f4 Mon Sep 17 00:00:00 2001
From: Jan-Peter Klein <jan-peter.klein@skymatic.de>
Date: Tue, 12 Sep 2023 17:59:08 +0200
Subject: [PATCH 17/81] added user-agent header with <product> /
 <product-version> to HttpRequest

---
 .../org/cryptomator/ui/error/ErrorController.java     | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/error/ErrorController.java b/src/main/java/org/cryptomator/ui/error/ErrorController.java
index 686d219e1..856d8599f 100644
--- a/src/main/java/org/cryptomator/ui/error/ErrorController.java
+++ b/src/main/java/org/cryptomator/ui/error/ErrorController.java
@@ -6,6 +6,7 @@ import org.cryptomator.common.Environment;
 import org.cryptomator.common.ErrorCode;
 import org.cryptomator.common.Nullable;
 import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.fxapp.UpdateChecker;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -42,7 +43,8 @@ public class ErrorController implements FxController {
 
 	private static final ObjectMapper JSON = new ObjectMapper();
 	private static final Logger LOG = LoggerFactory.getLogger(ErrorController.class);
-	private static final String ERROR_CODES_URL = "https://api.cryptomator.org/desktop/error-codes.json?error-code=%s";
+	private static final String USER_AGENT_VERSION_FORMAT = "Cryptomator/%s";
+	private static final String ERROR_CODES_URL_FORMAT = "https://api.cryptomator.org/desktop/error-codes.json?error-code=%s";
 	private static final String SEARCH_URL_FORMAT = "https://github.com/cryptomator/cryptomator/discussions/categories/errors?discussions_q=category:Errors+%s";
 	private static final String REPORT_URL_FORMAT = "https://github.com/cryptomator/cryptomator/discussions/new?category=Errors&title=Error+%s&body=%s";
 	private static final String SEARCH_ERRORCODE_DELIM = " OR ";
@@ -67,6 +69,7 @@ public class ErrorController implements FxController {
 	private final Stage window;
 	private final Environment environment;
 	private final ExecutorService executorService;
+	private final UpdateChecker updateChecker;
 
 	private final BooleanProperty copiedDetails = new SimpleBooleanProperty();
 	private final ObjectProperty<ErrorDiscussion> matchingErrorDiscussion = new SimpleObjectProperty<>();
@@ -75,7 +78,7 @@ public class ErrorController implements FxController {
 	private final BooleanProperty askedForLookupDatabasePermission = new SimpleBooleanProperty();
 
 	@Inject
-	ErrorController(Application application, @Named("stackTrace") String stackTrace, ErrorCode errorCode, @Nullable Scene previousScene, Stage window, Environment environment, ExecutorService executorService) {
+	ErrorController(Application application, @Named("stackTrace") String stackTrace, ErrorCode errorCode, @Nullable Scene previousScene, Stage window, Environment environment, ExecutorService executorService, UpdateChecker updateChecker) {
 		this.application = application;
 		this.stackTrace = stackTrace;
 		this.errorCode = errorCode;
@@ -83,6 +86,7 @@ public class ErrorController implements FxController {
 		this.window = window;
 		this.environment = environment;
 		this.executorService = executorService;
+		this.updateChecker = updateChecker;
 	}
 
 	@FXML
@@ -146,7 +150,8 @@ public class ErrorController implements FxController {
 		askedForLookupDatabasePermission.set(true);
 		HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
 		HttpRequest httpRequest = HttpRequest.newBuilder()//
-				.uri(URI.create(ERROR_CODES_URL.formatted(URLEncoder.encode(errorCode.toString(),StandardCharsets.UTF_8))))//
+				.header("User-Agent", USER_AGENT_VERSION_FORMAT.formatted(updateChecker.getCurrentVersion()))
+				.uri(URI.create(ERROR_CODES_URL_FORMAT.formatted(URLEncoder.encode(errorCode.toString(),StandardCharsets.UTF_8))))//
 				.build();
 		httpClient.sendAsync(httpRequest, HttpResponse.BodyHandlers.ofInputStream())//
 				.thenAcceptAsync(this::loadHttpResponse, executorService)//

From 4c836178470b2d1635fdab3a947bd09aed8b7556 Mon Sep 17 00:00:00 2001
From: Jan-Peter Klein <jan-peter.klein@skymatic.de>
Date: Tue, 12 Sep 2023 18:07:30 +0200
Subject: [PATCH 18/81] fixed build error

---
 .../java/org/cryptomator/ui/error/ErrorController.java     | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/error/ErrorController.java b/src/main/java/org/cryptomator/ui/error/ErrorController.java
index 856d8599f..8fcc01ea8 100644
--- a/src/main/java/org/cryptomator/ui/error/ErrorController.java
+++ b/src/main/java/org/cryptomator/ui/error/ErrorController.java
@@ -6,7 +6,6 @@ import org.cryptomator.common.Environment;
 import org.cryptomator.common.ErrorCode;
 import org.cryptomator.common.Nullable;
 import org.cryptomator.ui.common.FxController;
-import org.cryptomator.ui.fxapp.UpdateChecker;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -69,7 +68,6 @@ public class ErrorController implements FxController {
 	private final Stage window;
 	private final Environment environment;
 	private final ExecutorService executorService;
-	private final UpdateChecker updateChecker;
 
 	private final BooleanProperty copiedDetails = new SimpleBooleanProperty();
 	private final ObjectProperty<ErrorDiscussion> matchingErrorDiscussion = new SimpleObjectProperty<>();
@@ -78,7 +76,7 @@ public class ErrorController implements FxController {
 	private final BooleanProperty askedForLookupDatabasePermission = new SimpleBooleanProperty();
 
 	@Inject
-	ErrorController(Application application, @Named("stackTrace") String stackTrace, ErrorCode errorCode, @Nullable Scene previousScene, Stage window, Environment environment, ExecutorService executorService, UpdateChecker updateChecker) {
+	ErrorController(Application application, @Named("stackTrace") String stackTrace, ErrorCode errorCode, @Nullable Scene previousScene, Stage window, Environment environment, ExecutorService executorService) {
 		this.application = application;
 		this.stackTrace = stackTrace;
 		this.errorCode = errorCode;
@@ -86,7 +84,6 @@ public class ErrorController implements FxController {
 		this.window = window;
 		this.environment = environment;
 		this.executorService = executorService;
-		this.updateChecker = updateChecker;
 	}
 
 	@FXML
@@ -150,7 +147,7 @@ public class ErrorController implements FxController {
 		askedForLookupDatabasePermission.set(true);
 		HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
 		HttpRequest httpRequest = HttpRequest.newBuilder()//
-				.header("User-Agent", USER_AGENT_VERSION_FORMAT.formatted(updateChecker.getCurrentVersion()))
+				.header("User-Agent", USER_AGENT_VERSION_FORMAT.formatted(environment.getAppVersion()))
 				.uri(URI.create(ERROR_CODES_URL_FORMAT.formatted(URLEncoder.encode(errorCode.toString(),StandardCharsets.UTF_8))))//
 				.build();
 		httpClient.sendAsync(httpRequest, HttpResponse.BodyHandlers.ofInputStream())//

From 9d640b57cee557541b5b46db46a8cde234fbe10a Mon Sep 17 00:00:00 2001
From: Jan-Peter Klein <jan-peter.klein@skymatic.de>
Date: Wed, 13 Sep 2023 12:31:53 +0200
Subject: [PATCH 19/81] added build number to user-agent header

---
 src/main/java/org/cryptomator/ui/error/ErrorController.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/error/ErrorController.java b/src/main/java/org/cryptomator/ui/error/ErrorController.java
index 8fcc01ea8..5009229b5 100644
--- a/src/main/java/org/cryptomator/ui/error/ErrorController.java
+++ b/src/main/java/org/cryptomator/ui/error/ErrorController.java
@@ -42,7 +42,7 @@ public class ErrorController implements FxController {
 
 	private static final ObjectMapper JSON = new ObjectMapper();
 	private static final Logger LOG = LoggerFactory.getLogger(ErrorController.class);
-	private static final String USER_AGENT_VERSION_FORMAT = "Cryptomator/%s";
+	private static final String USER_AGENT_VERSION_FORMAT = "Cryptomator/%s (Build %s)";
 	private static final String ERROR_CODES_URL_FORMAT = "https://api.cryptomator.org/desktop/error-codes.json?error-code=%s";
 	private static final String SEARCH_URL_FORMAT = "https://github.com/cryptomator/cryptomator/discussions/categories/errors?discussions_q=category:Errors+%s";
 	private static final String REPORT_URL_FORMAT = "https://github.com/cryptomator/cryptomator/discussions/new?category=Errors&title=Error+%s&body=%s";
@@ -147,7 +147,7 @@ public class ErrorController implements FxController {
 		askedForLookupDatabasePermission.set(true);
 		HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
 		HttpRequest httpRequest = HttpRequest.newBuilder()//
-				.header("User-Agent", USER_AGENT_VERSION_FORMAT.formatted(environment.getAppVersion()))
+				.header("User-Agent", USER_AGENT_VERSION_FORMAT.formatted(environment.getAppVersion(),environment.getBuildNumber().orElse("undefined")))
 				.uri(URI.create(ERROR_CODES_URL_FORMAT.formatted(URLEncoder.encode(errorCode.toString(),StandardCharsets.UTF_8))))//
 				.build();
 		httpClient.sendAsync(httpRequest, HttpResponse.BodyHandlers.ofInputStream())//

From bcb970afb1639fe5869a3670fbb9d2eeb8e0d2c6 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 13 Sep 2023 13:59:50 +0200
Subject: [PATCH 20/81] Update bug.yml

Add missing FUSE option in volume type selection
---
 .github/ISSUE_TEMPLATE/bug.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
index 6c30aa606..9ced33c15 100644
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -43,6 +43,7 @@ body:
         - WinFsp (Local Drive)
         - FUSE-T
         - macFUSE
+        - FUSE
         - WebDAV (Windows Explorer)
         - WebDAV (AppleScript)
         - WebDAV (gio)
@@ -95,4 +96,4 @@ body:
     id: further-info
     attributes:
       label: Anything else?
-      description: Links? References? Screenshots? Configurations? Any data that might be necessary to reproduce the issue?
\ No newline at end of file
+      description: Links? References? Screenshots? Configurations? Any data that might be necessary to reproduce the issue?

From 84ac803a7d8dfa3682b25627c3c7b4ae8a3a86cd Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 18 Sep 2023 10:10:50 +0200
Subject: [PATCH 21/81] reordered properties

[ci skip]
---
 .../org/cryptomator/common/Environment.java   | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/main/java/org/cryptomator/common/Environment.java b/src/main/java/org/cryptomator/common/Environment.java
index c47870dd8..8e378b93d 100644
--- a/src/main/java/org/cryptomator/common/Environment.java
+++ b/src/main/java/org/cryptomator/common/Environment.java
@@ -43,15 +43,15 @@ public class Environment {
 		logCryptomatorSystemProperty(SETTINGS_PATH_PROP_NAME);
 		logCryptomatorSystemProperty(IPC_SOCKET_PATH_PROP_NAME);
 		logCryptomatorSystemProperty(KEYCHAIN_PATHS_PROP_NAME);
+		logCryptomatorSystemProperty(P12_PATH_PROP_NAME);
 		logCryptomatorSystemProperty(LOG_DIR_PROP_NAME);
 		logCryptomatorSystemProperty(LOOPBACK_ALIAS_PROP_NAME);
-		logCryptomatorSystemProperty(PLUGIN_DIR_PROP_NAME);
 		logCryptomatorSystemProperty(MOUNTPOINT_DIR_PROP_NAME);
 		logCryptomatorSystemProperty(MIN_PW_LENGTH_PROP_NAME);
 		logCryptomatorSystemProperty(APP_VERSION_PROP_NAME);
 		logCryptomatorSystemProperty(BUILD_NUMBER_PROP_NAME);
+		logCryptomatorSystemProperty(PLUGIN_DIR_PROP_NAME);
 		logCryptomatorSystemProperty(TRAY_ICON_PROP_NAME);
-		logCryptomatorSystemProperty(P12_PATH_PROP_NAME);
 	}
 
 	public static Environment getInstance() {
@@ -74,10 +74,6 @@ public class Environment {
 		return getPaths(SETTINGS_PATH_PROP_NAME);
 	}
 
-	public Stream<Path> getP12Path() {
-		return getPaths(P12_PATH_PROP_NAME);
-	}
-
 	public Stream<Path> getIpcSocketPath() {
 		return getPaths(IPC_SOCKET_PATH_PROP_NAME);
 	}
@@ -86,6 +82,10 @@ public class Environment {
 		return getPaths(KEYCHAIN_PATHS_PROP_NAME);
 	}
 
+	public Stream<Path> getP12Path() {
+		return getPaths(P12_PATH_PROP_NAME);
+	}
+
 	public Optional<Path> getLogDir() {
 		return getPath(LOG_DIR_PROP_NAME);
 	}
@@ -94,14 +94,14 @@ public class Environment {
 		return Optional.ofNullable(System.getProperty(LOOPBACK_ALIAS_PROP_NAME));
 	}
 
-	public Optional<Path> getPluginDir() {
-		return getPath(PLUGIN_DIR_PROP_NAME);
-	}
-
 	public Optional<Path> getMountPointsDir() {
 		return getPath(MOUNTPOINT_DIR_PROP_NAME);
 	}
 
+	public int getMinPwLength() {
+		return Integer.getInteger(MIN_PW_LENGTH_PROP_NAME, DEFAULT_MIN_PW_LENGTH);
+	}
+
 	/**
 	 * Returns the app version defined in the {@value APP_VERSION_PROP_NAME} property or returns "SNAPSHOT".
 	 *
@@ -115,8 +115,8 @@ public class Environment {
 		return Optional.ofNullable(System.getProperty(BUILD_NUMBER_PROP_NAME));
 	}
 
-	public int getMinPwLength() {
-		return Integer.getInteger(MIN_PW_LENGTH_PROP_NAME, DEFAULT_MIN_PW_LENGTH);
+	public Optional<Path> getPluginDir() {
+		return getPath(PLUGIN_DIR_PROP_NAME);
 	}
 
 	public boolean showTrayIcon() {

From e31e06b288be0be0e58ffe4ae7ed925819896277 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 18 Sep 2023 10:13:51 +0200
Subject: [PATCH 22/81] added `@VisibleForTesting`

---
 src/main/java/org/cryptomator/common/Environment.java    | 3 ++-
 src/main/java/org/cryptomator/common/ErrorCode.java      | 5 +++--
 .../cryptomator/common/mount/MountWithinParentUtil.java  | 9 +++++----
 .../org/cryptomator/common/settings/VaultSettings.java   | 3 ++-
 .../org/cryptomator/launcher/FileOpenRequestHandler.java | 3 ++-
 .../cryptomator/ui/addvaultwizard/ReadmeGenerator.java   | 6 ++++--
 .../ui/convertvault/HubToPasswordConvertController.java  | 7 ++++---
 .../cryptomator/ui/recoverykey/RecoveryKeyFactory.java   | 3 ++-
 8 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/src/main/java/org/cryptomator/common/Environment.java b/src/main/java/org/cryptomator/common/Environment.java
index 8e378b93d..17816df96 100644
--- a/src/main/java/org/cryptomator/common/Environment.java
+++ b/src/main/java/org/cryptomator/common/Environment.java
@@ -2,6 +2,7 @@ package org.cryptomator.common;
 
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
+import org.jetbrains.annotations.VisibleForTesting;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -128,7 +129,7 @@ public class Environment {
 		return Optional.ofNullable(value).map(Paths::get);
 	}
 
-	// visible for testing
+	@VisibleForTesting
 	Stream<Path> getPaths(String propertyName) {
 		Stream<String> rawSettingsPaths = getRawList(propertyName, System.getProperty("path.separator").charAt(0));
 		return rawSettingsPaths.filter(Predicate.not(Strings::isNullOrEmpty)).map(Path::of);
diff --git a/src/main/java/org/cryptomator/common/ErrorCode.java b/src/main/java/org/cryptomator/common/ErrorCode.java
index 7363e2278..d75ab97d0 100644
--- a/src/main/java/org/cryptomator/common/ErrorCode.java
+++ b/src/main/java/org/cryptomator/common/ErrorCode.java
@@ -3,6 +3,7 @@ package org.cryptomator.common;
 import com.google.common.base.Preconditions;
 import com.google.common.base.Strings;
 import com.google.common.base.Throwables;
+import org.jetbrains.annotations.VisibleForTesting;
 
 import java.util.Locale;
 import java.util.Objects;
@@ -114,7 +115,7 @@ public class ErrorCode {
 	 * @param bottomFrames Other stack frames, potentially forming the bottom of the stack of <code>allFrames</code>
 	 * @return The number of additional frames in <code>allFrames</code>. In most cases this should be equal to the difference in size.
 	 */
-	// visible for testing
+	@VisibleForTesting
 	static int countTopmostFrames(StackTraceElement[] allFrames, StackTraceElement[] bottomFrames) {
 		if (allFrames.length < bottomFrames.length) {
 			// if frames had been stacked on top of bottomFrames, allFrames would be larger
@@ -124,7 +125,7 @@ public class ErrorCode {
 		}
 	}
 
-	// visible for testing
+	@VisibleForTesting
 	static <T> int commonSuffixLength(T[] set, T[] subset) {
 		Preconditions.checkArgument(set.length >= subset.length);
 		// iterate items backwards as long as they are identical
diff --git a/src/main/java/org/cryptomator/common/mount/MountWithinParentUtil.java b/src/main/java/org/cryptomator/common/mount/MountWithinParentUtil.java
index b632923a8..b436bc19a 100644
--- a/src/main/java/org/cryptomator/common/mount/MountWithinParentUtil.java
+++ b/src/main/java/org/cryptomator/common/mount/MountWithinParentUtil.java
@@ -1,6 +1,7 @@
 package org.cryptomator.common.mount;
 
 import org.apache.commons.lang3.SystemUtils;
+import org.jetbrains.annotations.VisibleForTesting;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -66,7 +67,7 @@ public final class MountWithinParentUtil {
 		}
 	}
 
-	//visible for testing
+	@VisibleForTesting
 	static MountPointState getMountPointState(Path path) throws IOException, IllegalMountPointException {
 		if (Files.notExists(path, LinkOption.NOFOLLOW_LINKS)) {
 			return MountPointState.NOT_EXISTING;
@@ -82,7 +83,7 @@ public final class MountWithinParentUtil {
 		return MountPointState.BROKEN_JUNCTION;
 	}
 
-	//visible for testing
+	@VisibleForTesting
 	enum MountPointState {
 
 		NOT_EXISTING,
@@ -93,7 +94,7 @@ public final class MountWithinParentUtil {
 
 	}
 
-	//visible for testing
+	@VisibleForTesting
 	static void removeResidualHideaway(Path mountPoint, Path hideaway) throws IOException {
 		checkIsHideawayDirectory(mountPoint, hideaway);
 		Files.delete(hideaway); //Fails if not empty
@@ -155,7 +156,7 @@ public final class MountWithinParentUtil {
 		}
 	}
 
-	//visible for testing
+	@VisibleForTesting
 	static Path getHideaway(Path mountPoint) {
 		return mountPoint.resolveSibling(HIDEAWAY_PREFIX + mountPoint.getFileName().toString() + HIDEAWAY_SUFFIX);
 	}
diff --git a/src/main/java/org/cryptomator/common/settings/VaultSettings.java b/src/main/java/org/cryptomator/common/settings/VaultSettings.java
index 7b7e319c9..6662f61ff 100644
--- a/src/main/java/org/cryptomator/common/settings/VaultSettings.java
+++ b/src/main/java/org/cryptomator/common/settings/VaultSettings.java
@@ -9,6 +9,7 @@ import com.google.common.base.CharMatcher;
 import com.google.common.base.Strings;
 import com.google.common.io.BaseEncoding;
 import org.apache.commons.lang3.SystemUtils;
+import org.jetbrains.annotations.VisibleForTesting;
 
 import javafx.beans.Observable;
 import javafx.beans.binding.Bindings;
@@ -126,7 +127,7 @@ public class VaultSettings {
 		return json;
 	}
 
-	//visible for testing
+	@VisibleForTesting
 	static String normalizeDisplayName(String original) {
 		if (original.isBlank() || ".".equals(original) || "..".equals(original)) {
 			return "_";
diff --git a/src/main/java/org/cryptomator/launcher/FileOpenRequestHandler.java b/src/main/java/org/cryptomator/launcher/FileOpenRequestHandler.java
index eb2418c69..dbdb37823 100644
--- a/src/main/java/org/cryptomator/launcher/FileOpenRequestHandler.java
+++ b/src/main/java/org/cryptomator/launcher/FileOpenRequestHandler.java
@@ -6,6 +6,7 @@
  *******************************************************************************/
 package org.cryptomator.launcher;
 
+import org.jetbrains.annotations.VisibleForTesting;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -48,7 +49,7 @@ class FileOpenRequestHandler {
 		handleLaunchArgs(FileSystems.getDefault(), args);
 	}
 
-	// visible for testing
+	@VisibleForTesting
 	void handleLaunchArgs(FileSystem fs, List<String> args) {
 		Collection<Path> pathsToOpen = args.stream().map(str -> {
 			try {
diff --git a/src/main/java/org/cryptomator/ui/addvaultwizard/ReadmeGenerator.java b/src/main/java/org/cryptomator/ui/addvaultwizard/ReadmeGenerator.java
index 5cf14444a..2ffda4d73 100644
--- a/src/main/java/org/cryptomator/ui/addvaultwizard/ReadmeGenerator.java
+++ b/src/main/java/org/cryptomator/ui/addvaultwizard/ReadmeGenerator.java
@@ -1,5 +1,7 @@
 package org.cryptomator.ui.addvaultwizard;
 
+import org.jetbrains.annotations.VisibleForTesting;
+
 import javax.inject.Inject;
 import java.util.List;
 import java.util.ResourceBundle;
@@ -51,7 +53,7 @@ public class ReadmeGenerator {
 				resourceBundle.getString("addvault.new.readme.accessLocation.4")));
 	}
 
-	// visible for testing
+	@VisibleForTesting
 	String createDocument(Iterable<String> paragraphs) {
 		StringBuilder sb = new StringBuilder(RTF_HEADER);
 		for (String p : paragraphs) {
@@ -63,7 +65,7 @@ public class ReadmeGenerator {
 		return sb.toString();
 	}
 
-	// visible for testing
+	@VisibleForTesting
 	String escapeNonAsciiChars(CharSequence input) {
 		StringBuilder sb = new StringBuilder();
 		appendEscaped(sb, input);
diff --git a/src/main/java/org/cryptomator/ui/convertvault/HubToPasswordConvertController.java b/src/main/java/org/cryptomator/ui/convertvault/HubToPasswordConvertController.java
index 51ff65ec1..fd6d49b89 100644
--- a/src/main/java/org/cryptomator/ui/convertvault/HubToPasswordConvertController.java
+++ b/src/main/java/org/cryptomator/ui/convertvault/HubToPasswordConvertController.java
@@ -16,6 +16,7 @@ import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.fxapp.FxApplicationWindows;
 import org.cryptomator.ui.recoverykey.RecoveryKeyFactory;
+import org.jetbrains.annotations.VisibleForTesting;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -116,7 +117,7 @@ public class HubToPasswordConvertController implements FxController {
 				}, Platform::runLater); //
 	}
 
-	//visible for testing
+	@VisibleForTesting
 	void convertInternal() throws CompletionException, IllegalArgumentException {
 		var passphrase = newPasswordController.getNewPassword();
 		var vaultPath = vault.getPath();
@@ -141,7 +142,7 @@ public class HubToPasswordConvertController implements FxController {
 		}
 	}
 
-	//visible for testing
+	@VisibleForTesting
 	void backupHubConfig(Path hubConfigPath) throws IOException {
 		byte[] hubConfigBytes = Files.readAllBytes(hubConfigPath);
 		Path backupPath = hubConfigPath.resolveSibling(VAULTCONFIG_FILENAME + BackupHelper.generateFileIdSuffix(hubConfigBytes) + MASTERKEY_BACKUP_SUFFIX);
@@ -149,7 +150,7 @@ public class HubToPasswordConvertController implements FxController {
 		LOG.debug("Successfully created hub config backup {}", backupPath.getFileName());
 	}
 
-	//visible for testing
+	@VisibleForTesting
 	Path createPasswordConfig(Path passwordConfigPath, Path masterkeyFile, Passphrase passphrase) throws IOException, MasterkeyLoadingFailedException {
 		var unverifiedVaultConfig = vault.getVaultConfigCache().get();
 		try (var masterkey = masterkeyFileAccess.load(masterkeyFile, passphrase)) {
diff --git a/src/main/java/org/cryptomator/ui/recoverykey/RecoveryKeyFactory.java b/src/main/java/org/cryptomator/ui/recoverykey/RecoveryKeyFactory.java
index 73279396d..8f5bb0500 100644
--- a/src/main/java/org/cryptomator/ui/recoverykey/RecoveryKeyFactory.java
+++ b/src/main/java/org/cryptomator/ui/recoverykey/RecoveryKeyFactory.java
@@ -8,6 +8,7 @@ import org.cryptomator.cryptolib.api.InvalidPassphraseException;
 import org.cryptomator.cryptolib.api.Masterkey;
 import org.cryptomator.cryptolib.common.MasterkeyFileAccess;
 import org.jetbrains.annotations.Nullable;
+import org.jetbrains.annotations.VisibleForTesting;
 
 import javax.inject.Inject;
 import javax.inject.Singleton;
@@ -58,7 +59,7 @@ public class RecoveryKeyFactory {
 		}
 	}
 
-	// visible for testing
+	@VisibleForTesting
 	String createRecoveryKey(byte[] rawKey) {
 		Preconditions.checkArgument(rawKey.length == 64, "key should be 64 bytes");
 		byte[] paddedKey = Arrays.copyOf(rawKey, 66);

From 6017d6b7a904a2d039a4c27d674f032a20a6fc3e Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 18 Sep 2023 12:34:49 +0200
Subject: [PATCH 23/81] bump webdav-nio-adapter

containing fixes for CVE-2023-40167, CVE-2023-2976, CVE-2023-37895
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 5e2e46028..311fcaf58 100644
--- a/pom.xml
+++ b/pom.xml
@@ -40,7 +40,7 @@
 		<cryptomator.integrations.linux.version>1.3.0-beta6</cryptomator.integrations.linux.version>
 		<cryptomator.fuse.version>3.0.0</cryptomator.fuse.version>
 		<cryptomator.dokany.version>2.0.0</cryptomator.dokany.version>
-		<cryptomator.webdav.version>2.0.3</cryptomator.webdav.version>
+		<cryptomator.webdav.version>2.0.4</cryptomator.webdav.version>
 
 		<!-- 3rd party dependencies -->
 		<commons-lang3.version>3.13.0</commons-lang3.version>

From c5d6c0ce9839ad620098c8049614d81a874780a0 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 18 Sep 2023 13:03:09 +0200
Subject: [PATCH 24/81] add `cryptomator.disableUpdateCheck` property

---
 .../java/org/cryptomator/common/Environment.java     |  6 ++++++
 .../java/org/cryptomator/ui/fxapp/FxApplication.java |  9 +++++++--
 .../java/org/cryptomator/ui/fxapp/UpdateChecker.java | 12 ++++++------
 .../ui/preferences/PreferencesController.java        |  8 +++++++-
 4 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/src/main/java/org/cryptomator/common/Environment.java b/src/main/java/org/cryptomator/common/Environment.java
index 17816df96..981b3729b 100644
--- a/src/main/java/org/cryptomator/common/Environment.java
+++ b/src/main/java/org/cryptomator/common/Environment.java
@@ -32,6 +32,7 @@ public class Environment {
 	private static final String BUILD_NUMBER_PROP_NAME = "cryptomator.buildNumber";
 	private static final String PLUGIN_DIR_PROP_NAME = "cryptomator.pluginDir";
 	private static final String TRAY_ICON_PROP_NAME = "cryptomator.showTrayIcon";
+	private static final String DISABLE_UPDATE_CHECK_PROP_NAME = "cryptomator.disableUpdateCheck";
 
 	private Environment() {}
 
@@ -53,6 +54,7 @@ public class Environment {
 		logCryptomatorSystemProperty(BUILD_NUMBER_PROP_NAME);
 		logCryptomatorSystemProperty(PLUGIN_DIR_PROP_NAME);
 		logCryptomatorSystemProperty(TRAY_ICON_PROP_NAME);
+		logCryptomatorSystemProperty(DISABLE_UPDATE_CHECK_PROP_NAME);
 	}
 
 	public static Environment getInstance() {
@@ -124,6 +126,10 @@ public class Environment {
 		return Boolean.getBoolean(TRAY_ICON_PROP_NAME);
 	}
 
+	public boolean disableUpdateCheck() {
+		return Boolean.getBoolean(DISABLE_UPDATE_CHECK_PROP_NAME);
+	}
+
 	private Optional<Path> getPath(String propertyName) {
 		String value = System.getProperty(propertyName);
 		return Optional.ofNullable(value).map(Paths::get);
diff --git a/src/main/java/org/cryptomator/ui/fxapp/FxApplication.java b/src/main/java/org/cryptomator/ui/fxapp/FxApplication.java
index d845655cf..711a0fa44 100644
--- a/src/main/java/org/cryptomator/ui/fxapp/FxApplication.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/FxApplication.java
@@ -1,6 +1,7 @@
 package org.cryptomator.ui.fxapp;
 
 import dagger.Lazy;
+import org.cryptomator.common.Environment;
 import org.cryptomator.common.settings.Settings;
 import org.cryptomator.ui.traymenu.TrayMenuComponent;
 import org.slf4j.Logger;
@@ -17,6 +18,7 @@ public class FxApplication {
 	private static final Logger LOG = LoggerFactory.getLogger(FxApplication.class);
 
 	private final long startupTime;
+	private final Environment environment;
 	private final Settings settings;
 	private final AppLaunchEventHandler launchEventHandler;
 	private final Lazy<TrayMenuComponent> trayMenu;
@@ -26,8 +28,9 @@ public class FxApplication {
 	private final AutoUnlocker autoUnlocker;
 
 	@Inject
-	FxApplication(@Named("startupTime") long startupTime, Settings settings, AppLaunchEventHandler launchEventHandler, Lazy<TrayMenuComponent> trayMenu, FxApplicationWindows appWindows, FxApplicationStyle applicationStyle, FxApplicationTerminator applicationTerminator, AutoUnlocker autoUnlocker) {
+	FxApplication(@Named("startupTime") long startupTime, Environment environment, Settings settings, AppLaunchEventHandler launchEventHandler, Lazy<TrayMenuComponent> trayMenu, FxApplicationWindows appWindows, FxApplicationStyle applicationStyle, FxApplicationTerminator applicationTerminator, AutoUnlocker autoUnlocker) {
 		this.startupTime = startupTime;
+		this.environment = environment;
 		this.settings = settings;
 		this.launchEventHandler = launchEventHandler;
 		this.trayMenu = trayMenu;
@@ -68,7 +71,9 @@ public class FxApplication {
 			return null;
 		});
 
-		appWindows.checkAndShowUpdateReminderWindow();
+		if (!environment.disableUpdateCheck()) {
+			appWindows.checkAndShowUpdateReminderWindow();
+		}
 
 		launchEventHandler.startHandlingLaunchEvents();
 		autoUnlocker.tryUnlockForTimespan(2, TimeUnit.MINUTES);
diff --git a/src/main/java/org/cryptomator/ui/fxapp/UpdateChecker.java b/src/main/java/org/cryptomator/ui/fxapp/UpdateChecker.java
index 4418f79b5..709eb2fe7 100644
--- a/src/main/java/org/cryptomator/ui/fxapp/UpdateChecker.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/UpdateChecker.java
@@ -22,23 +22,23 @@ public class UpdateChecker {
 	private static final Logger LOG = LoggerFactory.getLogger(UpdateChecker.class);
 	private static final Duration AUTOCHECK_DELAY = Duration.seconds(5);
 
+	private final Environment env;
 	private final Settings settings;
-	private final String currentVersion;
 	private final StringProperty latestVersionProperty;
 	private final Comparator<String> semVerComparator;
 	private final ScheduledService<String> updateCheckerService;
 
 	@Inject
 	UpdateChecker(Settings settings, Environment env, @Named("latestVersion") StringProperty latestVersionProperty, @Named("SemVer") Comparator<String> semVerComparator, ScheduledService<String> updateCheckerService) {
+		this.env = env;
 		this.settings = settings;
 		this.latestVersionProperty = latestVersionProperty;
 		this.semVerComparator = semVerComparator;
 		this.updateCheckerService = updateCheckerService;
-		this.currentVersion = env.getAppVersion();
 	}
 
 	public void automaticallyCheckForUpdatesIfEnabled() {
-		if (settings.checkForUpdates.get()) {
+		if (!env.disableUpdateCheck() && settings.checkForUpdates.get()) {
 			startCheckingForUpdates(AUTOCHECK_DELAY);
 		}
 	}
@@ -63,9 +63,9 @@ public class UpdateChecker {
 
 	private void checkSucceeded(WorkerStateEvent event) {
 		String latestVersion = updateCheckerService.getValue();
-		LOG.info("Current version: {}, lastest version: {}", currentVersion, latestVersion);
+		LOG.info("Current version: {}, lastest version: {}", getCurrentVersion(), latestVersion);
 
-		if (semVerComparator.compare(currentVersion, latestVersion) < 0) {
+		if (semVerComparator.compare(getCurrentVersion(), latestVersion) < 0) {
 			// update is available
 			latestVersionProperty.set(latestVersion);
 		} else {
@@ -88,7 +88,7 @@ public class UpdateChecker {
 	}
 
 	public String getCurrentVersion() {
-		return currentVersion;
+		return env.getAppVersion();
 	}
 
 }
diff --git a/src/main/java/org/cryptomator/ui/preferences/PreferencesController.java b/src/main/java/org/cryptomator/ui/preferences/PreferencesController.java
index caaaf7d80..0937fccd9 100644
--- a/src/main/java/org/cryptomator/ui/preferences/PreferencesController.java
+++ b/src/main/java/org/cryptomator/ui/preferences/PreferencesController.java
@@ -1,5 +1,6 @@
 package org.cryptomator.ui.preferences;
 
+import org.cryptomator.common.Environment;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.fxapp.UpdateChecker;
 import org.slf4j.Logger;
@@ -19,6 +20,7 @@ public class PreferencesController implements FxController {
 
 	private static final Logger LOG = LoggerFactory.getLogger(PreferencesController.class);
 
+	private final Environment env;
 	private final Stage window;
 	private final ObjectProperty<SelectedPreferencesTab> selectedTabProperty;
 	private final BooleanBinding updateAvailable;
@@ -31,7 +33,8 @@ public class PreferencesController implements FxController {
 	public Tab aboutTab;
 
 	@Inject
-	public PreferencesController(@PreferencesWindow Stage window, ObjectProperty<SelectedPreferencesTab> selectedTabProperty, UpdateChecker updateChecker) {
+	public PreferencesController(Environment env, @PreferencesWindow Stage window, ObjectProperty<SelectedPreferencesTab> selectedTabProperty, UpdateChecker updateChecker) {
+		this.env = env;
 		this.window = window;
 		this.selectedTabProperty = selectedTabProperty;
 		this.updateAvailable = updateChecker.latestVersionProperty().isNotNull();
@@ -42,6 +45,9 @@ public class PreferencesController implements FxController {
 		window.setOnShowing(this::windowWillAppear);
 		selectedTabProperty.addListener(observable -> this.selectChosenTab());
 		tabPane.getSelectionModel().selectedItemProperty().addListener(observable -> this.selectedTabChanged());
+		if (env.disableUpdateCheck()) {
+			tabPane.getTabs().remove(updatesTab);
+		}
 	}
 
 	private void selectChosenTab() {

From 47bd0ca64738e6b218b4ba81af4be788d252b11d Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 18 Sep 2023 13:10:19 +0200
Subject: [PATCH 25/81] disable update check for PPA builds

---
 .github/workflows/debian.yml | 3 ++-
 dist/linux/debian/rules      | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
index 14cdca80a..2ae6c3262 100644
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
@@ -97,7 +97,8 @@ jobs:
         run: |
           cp -r dist/linux/debian/ pkgdir
           export RFC2822_TIMESTAMP=`date --rfc-2822`
-          envsubst '${SEMVER_STR} ${VERSION_NUM} ${REVISION_NUM}' < dist/linux/debian/rules > pkgdir/debian/rules
+          export DISABLE_UPDATE_CHECK=${{ inputs.dput }}
+          envsubst '${SEMVER_STR} ${VERSION_NUM} ${REVISION_NUM} ${DISABLE_UPDATE_CHECK}' < dist/linux/debian/rules > pkgdir/debian/rules
           envsubst '${PPA_VERSION} ${RFC2822_TIMESTAMP}' < dist/linux/debian/changelog > pkgdir/debian/changelog
           find . -name "*.jar" >> pkgdir/debian/source/include-binaries
           mv pkgdir cryptomator_${{ inputs.ppaver }}
diff --git a/dist/linux/debian/rules b/dist/linux/debian/rules
index 231f2a1d5..c12879025 100755
--- a/dist/linux/debian/rules
+++ b/dist/linux/debian/rules
@@ -59,6 +59,7 @@ override_dh_auto_build:
 		--java-options "-Dcryptomator.integrationsLinux.trayIconsDir=\"/usr/share/icons/hicolor/symbolic/apps\"" \
 		--java-options "-Dcryptomator.buildNumber=\"deb-${REVISION_NUM}\"" \
 		--java-options "-Dcryptomator.appVersion=\"${SEMVER_STR}\"" \
+		--java-options "-Dcryptomator.disableUpdateCheck=\"${DISABLE_UPDATE_CHECK}\"" \
 		--app-version "${VERSION_NUM}.${REVISION_NUM}" \
 		--resource-dir resources \
 		--verbose

From b7da508ccc1f3371b79ab1406f0cf34329b8d37b Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <overheadhunter@users.noreply.github.com>
Date: Mon, 18 Sep 2023 13:19:58 +0200
Subject: [PATCH 26/81] Update
 src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java

Co-authored-by: Bas Ruigrok <Rexbas@proton.me>
---
 .../ui/mainwindow/ResizeController.java        | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java b/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java
index 76bddd0d8..2bd387ab0 100644
--- a/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java
+++ b/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java
@@ -90,17 +90,17 @@ public class ResizeController implements FxController {
 	}
 
 	private boolean isOutOfDisplayBounds() {
-		final int x = settings.windowXPosition.get();
-		final int y = settings.windowYPosition.get();
-		final int width = settings.windowWidth.get();
-		final int height = settings.windowHeight.get();
-		return isRectangleOutOfScreen(x + 20, y, 0, height) // Left pixel column (+20)
-				|| isRectangleOutOfScreen(x + width - 20, y, 0, height) // Right pixel column (-20)
-				|| isRectangleOutOfScreen(x, y + 5, width, 0) // Top pixel row (+5)
-				|| isRectangleOutOfScreen(x, y + height - 20, width, 0); // Bottom pixel row (-20)
+		final double x = window.getX() + 20;
+		final double y = window.getY() + 5;
+		final double width = window.getWidth() - 40; // Window width - inset right (20px) - inset left (20px)
+		final double height = window.getHeight() - 25; // Window height - inset top (5px) - inset bottom (20px)
+		return isRectangleOutOfScreen(x, y, 0, height) // Left pixel column (+20)
+				|| isRectangleOutOfScreen(x + width, y, 0, height) // Right pixel column (-20)
+				|| isRectangleOutOfScreen(x, y, width, 0) // Top pixel row (+5)
+				|| isRectangleOutOfScreen(x, y + height, width, 0); // Bottom pixel row (-20)
 	}
 
-	private boolean isRectangleOutOfScreen(int x, int y, int width, int height) {
+	private boolean isRectangleOutOfScreen(double x, double y, double width, double height) {
 		return Screen.getScreensForRectangle(x, y, width, height).isEmpty();
 	}
 

From aa382ce80de1e519ad30a6fca8a666e404961697 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 18 Sep 2023 19:10:54 +0200
Subject: [PATCH 27/81] update coffeelibs jdk to 21

---
 .github/workflows/debian.yml | 3 ++-
 dist/linux/debian/control    | 2 +-
 dist/linux/debian/rules      | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
index 281e570ee..1261224f2 100644
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
@@ -18,6 +18,7 @@ on:
 env:
   JAVA_DIST: 'zulu'
   JAVA_VERSION: 21-ea
+  COFFEELIBS_JDK_VERSION: 21
   OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-x64_bin-jmods.zip'
   OPENJFX_JMODS_AMD64_HASH: 'f522ac2ae4bdd61f0219b7b8d2058ff72a22f36a44378453bcfdcd82f8f5e08c'
   OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-aarch64_bin-jmods.zip'
@@ -42,7 +43,7 @@ jobs:
         run: |
           sudo add-apt-repository ppa:coffeelibs/openjdk
           sudo apt-get update
-          sudo apt-get install debhelper devscripts dput coffeelibs-jdk-${{ env.JAVA_VERSION }} libgtk2.0-0
+          sudo apt-get install debhelper devscripts dput coffeelibs-jdk-${{ env.COFFEELIBS_JDK_VERSION }} libgtk2.0-0
       - name: Setup Java
         uses: actions/setup-java@v3
         with:
diff --git a/dist/linux/debian/control b/dist/linux/debian/control
index b04812fbb..148fdb213 100644
--- a/dist/linux/debian/control
+++ b/dist/linux/debian/control
@@ -2,7 +2,7 @@ Source: cryptomator
 Maintainer: Cryptobot <releases@cryptomator.org>
 Section: utils
 Priority: optional
-Build-Depends: debhelper (>=10), coffeelibs-jdk-20, libgtk2.0-0, libgtk-3-0,  libxxf86vm1, libgl1
+Build-Depends: debhelper (>=10), coffeelibs-jdk-21, libgtk2.0-0, libgtk-3-0,  libxxf86vm1, libgl1
 Standards-Version: 4.5.0
 Homepage: https://cryptomator.org
 Vcs-Git: https://github.com/cryptomator/cryptomator.git
diff --git a/dist/linux/debian/rules b/dist/linux/debian/rules
index 231f2a1d5..912395bce 100755
--- a/dist/linux/debian/rules
+++ b/dist/linux/debian/rules
@@ -4,7 +4,7 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
-JAVA_HOME = /usr/lib/jvm/java-20-coffeelibs
+JAVA_HOME = /usr/lib/jvm/java-21-coffeelibs
 DEB_BUILD_ARCH ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH)
 ifeq ($(DEB_BUILD_ARCH),amd64)
 JMODS_PATH = jmods/amd64:${JAVA_HOME}/jmods

From ac243a706eef92234bde4167d1016ab8f74108b9 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 18 Sep 2023 19:13:03 +0200
Subject: [PATCH 28/81] improve readability

---
 .../ui/mainwindow/ResizeController.java         | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java b/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java
index 2bd387ab0..2c3838ea0 100644
--- a/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java
+++ b/src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java
@@ -90,14 +90,15 @@ public class ResizeController implements FxController {
 	}
 
 	private boolean isOutOfDisplayBounds() {
-		final double x = window.getX() + 20;
-		final double y = window.getY() + 5;
-		final double width = window.getWidth() - 40; // Window width - inset right (20px) - inset left (20px)
-		final double height = window.getHeight() - 25; // Window height - inset top (5px) - inset bottom (20px)
-		return isRectangleOutOfScreen(x, y, 0, height) // Left pixel column (+20)
-				|| isRectangleOutOfScreen(x + width, y, 0, height) // Right pixel column (-20)
-				|| isRectangleOutOfScreen(x, y, width, 0) // Top pixel row (+5)
-				|| isRectangleOutOfScreen(x, y + height, width, 0); // Bottom pixel row (-20)
+		// define a rect which is inset on all sides from the window's rect:
+		final double x = window.getX() + 20; // 20px left
+		final double y = window.getY() + 5; // 5px top
+		final double w = window.getWidth() - 40; // 20px left + 20px right
+		final double h = window.getHeight() - 25; // 5px top + 20px bottom
+		return isRectangleOutOfScreen(x, y, 0, h) // Left pixel column
+				|| isRectangleOutOfScreen(x + w, y, 0, h) // Right pixel column
+				|| isRectangleOutOfScreen(x, y, w, 0) // Top pixel row
+				|| isRectangleOutOfScreen(x, y + h, w, 0); // Bottom pixel row
 	}
 
 	private boolean isRectangleOutOfScreen(double x, double y, double width, double height) {

From 70805665bf8dec2ba4d17a2d049f3e98e76b9548 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 18 Sep 2023 19:21:56 +0200
Subject: [PATCH 29/81] use features of Java 21 with `--enable-preview`

---
 .idea/misc.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.idea/misc.xml b/.idea/misc.xml
index a85576869..ee700a1c2 100644
--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -8,7 +8,7 @@
       </list>
     </option>
   </component>
-  <component name="ProjectRootManager" version="2" languageLevel="JDK_X" default="true" project-jdk-name="21" project-jdk-type="JavaSDK">
+  <component name="ProjectRootManager" version="2" languageLevel="JDK_21_PREVIEW" project-jdk-name="21" project-jdk-type="JavaSDK">
     <output url="file://$PROJECT_DIR$/out" />
   </component>
 </project>
\ No newline at end of file

From 8e9d54b44b4b4c7a54ec5074165869504cb6f0ca Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 18 Sep 2023 19:27:28 +0200
Subject: [PATCH 30/81] rename unused var

---
 src/main/java/org/cryptomator/ipc/IpcMessageListener.java       | 2 +-
 .../java/org/cryptomator/ui/traymenu/AwtTrayMenuController.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ipc/IpcMessageListener.java b/src/main/java/org/cryptomator/ipc/IpcMessageListener.java
index 756305cbe..284ed075b 100644
--- a/src/main/java/org/cryptomator/ipc/IpcMessageListener.java
+++ b/src/main/java/org/cryptomator/ipc/IpcMessageListener.java
@@ -6,7 +6,7 @@ public interface IpcMessageListener {
 
 	default void handleMessage(IpcMessage message) {
 		switch (message) {
-			case RevealRunningAppMessage m -> revealRunningApp(); // TODO: rename to _ with JEP 443
+			case RevealRunningAppMessage _ -> revealRunningApp();
 			case HandleLaunchArgsMessage m -> handleLaunchArgs(m.args());
 		}
 	}
diff --git a/src/main/java/org/cryptomator/ui/traymenu/AwtTrayMenuController.java b/src/main/java/org/cryptomator/ui/traymenu/AwtTrayMenuController.java
index 012097e33..ba6b2ef74 100644
--- a/src/main/java/org/cryptomator/ui/traymenu/AwtTrayMenuController.java
+++ b/src/main/java/org/cryptomator/ui/traymenu/AwtTrayMenuController.java
@@ -109,7 +109,7 @@ public class AwtTrayMenuController implements TrayMenuController {
 					menuItem.setEnabled(a.enabled());
 					menu.add(menuItem);
 				}
-				case SeparatorItem s -> menu.addSeparator(); // TODO: rename to _ with JEP 443
+				case SeparatorItem _ -> menu.addSeparator();
 				case SubMenuItem s -> {
 					var submenu = new Menu(s.title());
 					addChildren(submenu, s.items());

From 6c5ee14c7309aec4a0ea4ea14e854e66ed3f2358 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 18 Sep 2023 19:29:35 +0200
Subject: [PATCH 31/81] rename unused var

---
 src/main/java/org/cryptomator/ui/health/StartController.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/health/StartController.java b/src/main/java/org/cryptomator/ui/health/StartController.java
index 4e95b6b0f..917ba8095 100644
--- a/src/main/java/org/cryptomator/ui/health/StartController.java
+++ b/src/main/java/org/cryptomator/ui/health/StartController.java
@@ -103,8 +103,8 @@ public class StartController implements FxController {
 
 	private void loadingKeyFailed(Throwable e) {
 		switch (e) {
-			case UnlockCancelledException uce -> {} //ok
-			case VaultKeyInvalidException vkie -> {
+			case UnlockCancelledException _ -> {} //ok
+			case VaultKeyInvalidException _ -> {
 				LOG.error("Invalid key"); //TODO: specific error screen
 				appWindows.showErrorWindow(e, window, null);
 			}

From 1657cd50fc89922f64c69939a4a82d5693fbb470 Mon Sep 17 00:00:00 2001
From: Tobias Hagemann <tobias.hagemann@skymatic.de>
Date: Tue, 19 Sep 2023 12:12:27 +0200
Subject: [PATCH 32/81] fixes #3112

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 311fcaf58..9034aba9d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -37,7 +37,7 @@
 		<cryptomator.integrations.version>1.3.0</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.2.2</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.2.1</cryptomator.integrations.mac.version>
-		<cryptomator.integrations.linux.version>1.3.0-beta6</cryptomator.integrations.linux.version>
+		<cryptomator.integrations.linux.version>1.3.0</cryptomator.integrations.linux.version>
 		<cryptomator.fuse.version>3.0.0</cryptomator.fuse.version>
 		<cryptomator.dokany.version>2.0.0</cryptomator.dokany.version>
 		<cryptomator.webdav.version>2.0.4</cryptomator.webdav.version>

From 5554dfdd89767552d3e718d8663ae0c0c9827fa8 Mon Sep 17 00:00:00 2001
From: Tobias Hagemann <tobias.hagemann@skymatic.de>
Date: Tue, 19 Sep 2023 12:22:24 +0200
Subject: [PATCH 33/81] fixes #3121

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 9034aba9d..0edfaa862 100644
--- a/pom.xml
+++ b/pom.xml
@@ -36,7 +36,7 @@
 		<cryptomator.cryptofs.version>2.6.7</cryptomator.cryptofs.version>
 		<cryptomator.integrations.version>1.3.0</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.2.2</cryptomator.integrations.win.version>
-		<cryptomator.integrations.mac.version>1.2.1</cryptomator.integrations.mac.version>
+		<cryptomator.integrations.mac.version>1.2.2</cryptomator.integrations.mac.version>
 		<cryptomator.integrations.linux.version>1.3.0</cryptomator.integrations.linux.version>
 		<cryptomator.fuse.version>3.0.0</cryptomator.fuse.version>
 		<cryptomator.dokany.version>2.0.0</cryptomator.dokany.version>

From d6a7efcb7f0b98aeddfc6b263a999437685057af Mon Sep 17 00:00:00 2001
From: Jan-Peter Klein <jan-peter.klein@skymatic.de>
Date: Tue, 19 Sep 2023 14:00:45 +0200
Subject: [PATCH 34/81] added OS_NAME, OS_VERSION and OS_ARCH to user-agent

---
 .../org/cryptomator/ui/error/ErrorController.java     | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/error/ErrorController.java b/src/main/java/org/cryptomator/ui/error/ErrorController.java
index 5009229b5..0ca8c9dcd 100644
--- a/src/main/java/org/cryptomator/ui/error/ErrorController.java
+++ b/src/main/java/org/cryptomator/ui/error/ErrorController.java
@@ -2,6 +2,7 @@ package org.cryptomator.ui.error;
 
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.common.Environment;
 import org.cryptomator.common.ErrorCode;
 import org.cryptomator.common.Nullable;
@@ -42,7 +43,7 @@ public class ErrorController implements FxController {
 
 	private static final ObjectMapper JSON = new ObjectMapper();
 	private static final Logger LOG = LoggerFactory.getLogger(ErrorController.class);
-	private static final String USER_AGENT_VERSION_FORMAT = "Cryptomator/%s (Build %s)";
+	private static final String USER_AGENT_VERSION_FORMAT = "Cryptomator/%s (Build %s) %s %s (%s)";
 	private static final String ERROR_CODES_URL_FORMAT = "https://api.cryptomator.org/desktop/error-codes.json?error-code=%s";
 	private static final String SEARCH_URL_FORMAT = "https://github.com/cryptomator/cryptomator/discussions/categories/errors?discussions_q=category:Errors+%s";
 	private static final String REPORT_URL_FORMAT = "https://github.com/cryptomator/cryptomator/discussions/new?category=Errors&title=Error+%s&body=%s";
@@ -143,11 +144,17 @@ public class ErrorController implements FxController {
 
 	@FXML
 	public void lookUpSolution() {
+		String userAgent = USER_AGENT_VERSION_FORMAT.formatted( //
+				environment.getAppVersion(), //
+				environment.getBuildNumber().orElse("undefined"), //
+				SystemUtils.OS_NAME, //
+				SystemUtils.OS_VERSION, //
+				SystemUtils.OS_ARCH); //
 		isLoadingHttpResponse.set(true);
 		askedForLookupDatabasePermission.set(true);
 		HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
 		HttpRequest httpRequest = HttpRequest.newBuilder()//
-				.header("User-Agent", USER_AGENT_VERSION_FORMAT.formatted(environment.getAppVersion(),environment.getBuildNumber().orElse("undefined")))
+				.header("User-Agent", userAgent)
 				.uri(URI.create(ERROR_CODES_URL_FORMAT.formatted(URLEncoder.encode(errorCode.toString(),StandardCharsets.UTF_8))))//
 				.build();
 		httpClient.sendAsync(httpRequest, HttpResponse.BodyHandlers.ofInputStream())//

From c40ad58028df8cc2d438858fa4b77a13ed5990d9 Mon Sep 17 00:00:00 2001
From: Jan-Peter Klein <jan-peter.klein@skymatic.de>
Date: Tue, 19 Sep 2023 15:03:22 +0200
Subject: [PATCH 35/81] detached context menu from button to fix misbehavior

---
 .../ui/mainwindow/VaultListController.java    | 12 +++++--
 src/main/resources/fxml/vault_list.fxml       | 32 +++++++++----------
 2 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java b/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java
index 357222b33..889ac290c 100644
--- a/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java
+++ b/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java
@@ -22,7 +22,9 @@ import javafx.collections.ListChangeListener;
 import javafx.collections.ObservableList;
 import javafx.event.Event;
 import javafx.fxml.FXML;
+import javafx.geometry.Side;
 import javafx.scene.control.Button;
+import javafx.scene.control.ContextMenu;
 import javafx.scene.control.ListView;
 import javafx.scene.input.ContextMenuEvent;
 import javafx.scene.input.DragEvent;
@@ -67,6 +69,8 @@ public class VaultListController implements FxController {
 	public ListView<Vault> vaultList;
 	public StackPane root;
 	public Button addVaultBtn;
+	@FXML
+	private ContextMenu addVaultContextMenu;
 
 	@Inject
 	VaultListController(@MainWindow Stage mainWindow, //
@@ -146,9 +150,11 @@ public class VaultListController implements FxController {
 
 	@FXML
 	private void showMenu() {
-		double screenX = addVaultBtn.localToScreen(addVaultBtn.getBoundsInLocal()).getMinX();
-		double screenY = addVaultBtn.localToScreen(addVaultBtn.getBoundsInLocal()).getMaxY();
-		addVaultBtn.getContextMenu().show(addVaultBtn, screenX, screenY);
+		if (addVaultContextMenu.isShowing()) {
+			addVaultContextMenu.hide();
+		} else {
+			addVaultContextMenu.show(addVaultBtn, Side.BOTTOM, 0.0, 0.0);
+		}
 	}
 
 	private void deselect(MouseEvent released) {
diff --git a/src/main/resources/fxml/vault_list.fxml b/src/main/resources/fxml/vault_list.fxml
index 146fa877c..cfa3750a7 100644
--- a/src/main/resources/fxml/vault_list.fxml
+++ b/src/main/resources/fxml/vault_list.fxml
@@ -32,23 +32,23 @@
 			<graphic>
 				<FontAwesome5IconView glyph="CARET_DOWN"/>
 			</graphic>
-			<contextMenu>
-				<ContextMenu>
-					<items>
-						<MenuItem styleClass="add-vault-menu-item" text="%main.vaultlist.addVaultBtn.menuItemNew" onAction="#didClickAddNewVault" >
-							<graphic>
-								<FontAwesome5IconView glyph="PLUS" textAlignment="CENTER" wrappingWidth="14" />
-							</graphic>
-						</MenuItem>
-						<MenuItem styleClass="add-vault-menu-item" text="%main.vaultlist.addVaultBtn.menuItemExisting" onAction="#didClickAddExistingVault" >
-							<graphic>
-								<FontAwesome5IconView glyph="FOLDER_OPEN" textAlignment="CENTER" wrappingWidth="14" />
-							</graphic>
-						</MenuItem>
-					</items>
-				</ContextMenu>
-			</contextMenu>
 		</Button>
+		<fx:define>
+			<ContextMenu fx:id="addVaultContextMenu">
+				<items>
+					<MenuItem styleClass="add-vault-menu-item" text="%main.vaultlist.addVaultBtn.menuItemNew" onAction="#didClickAddNewVault" >
+						<graphic>
+							<FontAwesome5IconView glyph="PLUS" textAlignment="CENTER" wrappingWidth="14" />
+						</graphic>
+					</MenuItem>
+					<MenuItem styleClass="add-vault-menu-item" text="%main.vaultlist.addVaultBtn.menuItemExisting" onAction="#didClickAddExistingVault" >
+						<graphic>
+							<FontAwesome5IconView glyph="FOLDER_OPEN" textAlignment="CENTER" wrappingWidth="14" />
+						</graphic>
+					</MenuItem>
+				</items>
+			</ContextMenu>
+		</fx:define>
 	</VBox>
 	<Region styleClass="drag-n-drop-border" visible="${controller.draggingVaultOver}"/>
 </StackPane>

From 113717f955dc83b13e0ddba5f069abfbb0fa0456 Mon Sep 17 00:00:00 2001
From: Jan-Peter Klein <jan-peter.klein@skymatic.de>
Date: Tue, 19 Sep 2023 15:12:40 +0200
Subject: [PATCH 36/81]  addVaultButton context menu event filter removed

---
 .../java/org/cryptomator/ui/mainwindow/VaultListController.java | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java b/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java
index 889ac290c..afdb0bb36 100644
--- a/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java
+++ b/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java
@@ -144,8 +144,6 @@ public class VaultListController implements FxController {
 		root.setOnDragOver(this::handleDragEvent);
 		root.setOnDragDropped(this::handleDragEvent);
 		root.setOnDragExited(this::handleDragEvent);
-
-		addVaultBtn.addEventFilter(ContextMenuEvent.CONTEXT_MENU_REQUESTED, Event::consume);
 	}
 
 	@FXML

From 76a4062f8b21ab637dad2de91541ec1301dfad9d Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 19 Sep 2023 15:12:45 +0200
Subject: [PATCH 37/81] update org.cryptomator.integrations:integrations-win
 from 1.2.2 to 1.2.3

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 0edfaa862..796e73541 100644
--- a/pom.xml
+++ b/pom.xml
@@ -35,7 +35,7 @@
 		<!-- cryptomator dependencies -->
 		<cryptomator.cryptofs.version>2.6.7</cryptomator.cryptofs.version>
 		<cryptomator.integrations.version>1.3.0</cryptomator.integrations.version>
-		<cryptomator.integrations.win.version>1.2.2</cryptomator.integrations.win.version>
+		<cryptomator.integrations.win.version>1.2.3</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.2.2</cryptomator.integrations.mac.version>
 		<cryptomator.integrations.linux.version>1.3.0</cryptomator.integrations.linux.version>
 		<cryptomator.fuse.version>3.0.0</cryptomator.fuse.version>

From 9b2987d0a24e5ea0aedd42aa62c013ff0d4a2b11 Mon Sep 17 00:00:00 2001
From: Jan-Peter Klein <jan-peter.klein@skymatic.de>
Date: Tue, 19 Sep 2023 16:26:55 +0200
Subject: [PATCH 38/81] improved function naming

---
 .../org/cryptomator/ui/mainwindow/VaultListController.java     | 3 +--
 src/main/resources/fxml/vault_list.fxml                        | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java b/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java
index afdb0bb36..8f0a91d58 100644
--- a/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java
+++ b/src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java
@@ -20,7 +20,6 @@ import javafx.beans.property.SimpleBooleanProperty;
 import javafx.beans.value.ObservableValue;
 import javafx.collections.ListChangeListener;
 import javafx.collections.ObservableList;
-import javafx.event.Event;
 import javafx.fxml.FXML;
 import javafx.geometry.Side;
 import javafx.scene.control.Button;
@@ -147,7 +146,7 @@ public class VaultListController implements FxController {
 	}
 
 	@FXML
-	private void showMenu() {
+	private void toggleMenu() {
 		if (addVaultContextMenu.isShowing()) {
 			addVaultContextMenu.hide();
 		} else {
diff --git a/src/main/resources/fxml/vault_list.fxml b/src/main/resources/fxml/vault_list.fxml
index cfa3750a7..f9cb29258 100644
--- a/src/main/resources/fxml/vault_list.fxml
+++ b/src/main/resources/fxml/vault_list.fxml
@@ -28,7 +28,7 @@
 				<Arc VBox.vgrow="NEVER" styleClass="onboarding-overlay-arc" type="OPEN" centerX="50" centerY="0" radiusY="100" radiusX="50" startAngle="0" length="-60" strokeWidth="1"/>
 			</VBox>
 		</StackPane>
-		<Button fx:id="addVaultBtn" onAction="#showMenu" styleClass="toolbar-button" text="%main.vaultlist.addVaultBtn" alignment="BASELINE_CENTER" maxWidth="Infinity" contentDisplay="RIGHT">
+		<Button fx:id="addVaultBtn" onAction="#toggleMenu" styleClass="toolbar-button" text="%main.vaultlist.addVaultBtn" alignment="BASELINE_CENTER" maxWidth="Infinity" contentDisplay="RIGHT">
 			<graphic>
 				<FontAwesome5IconView glyph="CARET_DOWN"/>
 			</graphic>

From 830970cb75726db8b484e834743cd62cff6f32cc Mon Sep 17 00:00:00 2001
From: Jan-Peter Klein <jan-peter.klein@skymatic.de>
Date: Tue, 19 Sep 2023 16:29:12 +0200
Subject: [PATCH 39/81] improved format and naming

---
 src/main/java/org/cryptomator/ui/error/ErrorController.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/error/ErrorController.java b/src/main/java/org/cryptomator/ui/error/ErrorController.java
index 0ca8c9dcd..aded9f8b8 100644
--- a/src/main/java/org/cryptomator/ui/error/ErrorController.java
+++ b/src/main/java/org/cryptomator/ui/error/ErrorController.java
@@ -43,7 +43,7 @@ public class ErrorController implements FxController {
 
 	private static final ObjectMapper JSON = new ObjectMapper();
 	private static final Logger LOG = LoggerFactory.getLogger(ErrorController.class);
-	private static final String USER_AGENT_VERSION_FORMAT = "Cryptomator/%s (Build %s) %s %s (%s)";
+	private static final String USER_AGENT_FORMAT = "Cryptomator/%s (Build %s) (%s %s %s)";
 	private static final String ERROR_CODES_URL_FORMAT = "https://api.cryptomator.org/desktop/error-codes.json?error-code=%s";
 	private static final String SEARCH_URL_FORMAT = "https://github.com/cryptomator/cryptomator/discussions/categories/errors?discussions_q=category:Errors+%s";
 	private static final String REPORT_URL_FORMAT = "https://github.com/cryptomator/cryptomator/discussions/new?category=Errors&title=Error+%s&body=%s";
@@ -144,7 +144,7 @@ public class ErrorController implements FxController {
 
 	@FXML
 	public void lookUpSolution() {
-		String userAgent = USER_AGENT_VERSION_FORMAT.formatted( //
+		String userAgent = USER_AGENT_FORMAT.formatted( //
 				environment.getAppVersion(), //
 				environment.getBuildNumber().orElse("undefined"), //
 				SystemUtils.OS_NAME, //

From 7a0d50ecca4b777ba17d3979fd515ec9bf293aae Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 20 Sep 2023 10:48:26 +0200
Subject: [PATCH 40/81] removed unnecessary  import

---
 .../java/org/cryptomator/ui/error/ErrorController.java     | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/error/ErrorController.java b/src/main/java/org/cryptomator/ui/error/ErrorController.java
index aded9f8b8..61f2b0e10 100644
--- a/src/main/java/org/cryptomator/ui/error/ErrorController.java
+++ b/src/main/java/org/cryptomator/ui/error/ErrorController.java
@@ -2,7 +2,6 @@ package org.cryptomator.ui.error;
 
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.common.Environment;
 import org.cryptomator.common.ErrorCode;
 import org.cryptomator.common.Nullable;
@@ -147,9 +146,9 @@ public class ErrorController implements FxController {
 		String userAgent = USER_AGENT_FORMAT.formatted( //
 				environment.getAppVersion(), //
 				environment.getBuildNumber().orElse("undefined"), //
-				SystemUtils.OS_NAME, //
-				SystemUtils.OS_VERSION, //
-				SystemUtils.OS_ARCH); //
+				System.getProperty("os.name"), //
+				System.getProperty("os.version"), //
+				System.getProperty("os.arch"));
 		isLoadingHttpResponse.set(true);
 		askedForLookupDatabasePermission.set(true);
 		HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();

From e858280f30a39d2bf1db0c39954dd81e0609985b Mon Sep 17 00:00:00 2001
From: Cryptobot <cryptobot@users.noreply.github.com>
Date: Wed, 20 Sep 2023 11:05:33 +0200
Subject: [PATCH 41/81] New Crowdin updates (#3110)

New Crowdin updates (#3110)

New translations strings.properties

Bulgarian; Chinese Traditional;

[ci skip]
---
 src/main/resources/i18n/strings_bg.properties    | 1 +
 src/main/resources/i18n/strings_zh_TW.properties | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/src/main/resources/i18n/strings_bg.properties b/src/main/resources/i18n/strings_bg.properties
index ace7569d6..172b27b5c 100644
--- a/src/main/resources/i18n/strings_bg.properties
+++ b/src/main/resources/i18n/strings_bg.properties
@@ -153,6 +153,7 @@ hub.invalidLicense.message=Лиценза за Hub е недействителе
 
 # Lock
 ## Force
+lock.forced.retryBtn=Повторен опит
 ## Failure
 
 # Migration
diff --git a/src/main/resources/i18n/strings_zh_TW.properties b/src/main/resources/i18n/strings_zh_TW.properties
index 0aede0ed4..3f2ee62fd 100644
--- a/src/main/resources/i18n/strings_zh_TW.properties
+++ b/src/main/resources/i18n/strings_zh_TW.properties
@@ -22,6 +22,9 @@ error.hyperlink.report=回報錯誤
 error.technicalDetails=詳情：
 error.existingSolutionDescription=Cryptomator 沒有預料到會發生這種情況。但我們找到了一個現有的解決方案來解決這個錯誤。請查看以下連結。
 error.hyperlink.solution=查詢解決方案
+error.lookupPermissionMessage=Cryptomator 可以在線查找此問題的解決方案。 這將從您的 IP 地址向我們的問題數據庫發送請求。
+error.dismiss=忽略
+error.lookUpSolution=查詢解決方案
 
 # Defaults
 defaults.vault.vaultName=加密檔案庫
@@ -134,6 +137,7 @@ unlock.error.customPath.message=無法將檔案庫掛載至自訂路徑
 unlock.error.customPath.description.notSupported=如果要繼續使用自訂的掛載路徑，必須變更成支援的磁區空間類型，不然就必須使用不同的掛載路徑
 unlock.error.customPath.description.notExists=自訂的掛載路徑並不存在‧ 請在本機創立該路徑，或者在加密庫選項中更改
 unlock.error.customPath.description.inUse=磁碟代號或自訂掛載路徑「%s」已被使用。
+unlock.error.customPath.description.hideawayNotDir=無法移除用於解鎖的臨時隱藏檔案「%3$s」。請檢查該檔案，然後手動刪除。
 unlock.error.customPath.description.couldNotBeCleaned=無法將您的保險庫掛載至路徑「%s」。請再試一次或選擇不同的路徑。
 unlock.error.customPath.description.notEmptyDir=自訂掛載路徑「%s」不是一個空資料夾。請選擇一個空資料夾並重試。
 unlock.error.customPath.description.generic=您為此保險庫選擇了自訂掛載路徑，但使用時出現了錯誤訊息：%2$s

From f704dc0de99dfbe651fc5a82d62a087aefed90d3 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 20 Sep 2023 11:07:50 +0200
Subject: [PATCH 42/81] prepare 1.10.1

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 796e73541..08cb4bb73 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>cryptomator</artifactId>
-	<version>1.11.0-SNAPSHOT</version>
+	<version>1.10.1</version>
 	<name>Cryptomator Desktop App</name>
 
 	<organization>

From 51e55d3e3b0e6d30c3320070252a00a2f5094383 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 20 Sep 2023 11:09:37 +0200
Subject: [PATCH 43/81] finalize 1.10.1

---
 dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml b/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
index 596ebea4a..6e4873712 100644
--- a/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
+++ b/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
@@ -66,6 +66,7 @@
 	</content_rating>
 
 	<releases>
+		<release date="2023-09-20" version="1.10.1"/>
 		<release date="2023-09-11" version="1.10.0"/>
 		<release date="2023-08-11" version="1.9.4"/>
 		<release date="2023-08-07" version="1.9.3"/>

From d7488b69847aca77adf39438c7054f88948e70fe Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 20 Sep 2023 15:16:18 +0200
Subject: [PATCH 44/81] fix wrong pom version

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 0af0fd7ca..796e73541 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>cryptomator</artifactId>
-	<version>1.11,0-SNAPSHOT</version>
+	<version>1.11.0-SNAPSHOT</version>
 	<name>Cryptomator Desktop App</name>
 
 	<organization>

From 92d9f2c18de7f064dda731035677ae055f6ba5dd Mon Sep 17 00:00:00 2001
From: Tobias Hagemann <tobias.hagemann@skymatic.de>
Date: Wed, 20 Sep 2023 15:27:17 +0200
Subject: [PATCH 45/81] try to fix mac build script to be compatible with
 create-dmg 1.2.0

---
 .github/workflows/mac-dmg.yml |  5 ++---
 dist/mac/dmg/build.sh         | 12 ++++++------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml
index a394101ff..899fc2197 100644
--- a/.github/workflows/mac-dmg.yml
+++ b/.github/workflows/mac-dmg.yml
@@ -62,7 +62,7 @@ jobs:
           curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
           echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
           mkdir -p openjfx-jmods/
-          unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
+          unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
       - name: Ensure major jfx version in pom and in jmods is the same
         run: |
           JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1)
@@ -72,7 +72,7 @@ jobs:
           POM_JFX_VERSION=${POM_JFX_VERSION#*@}
           POM_JFX_VERSION=${POM_JFX_VERSION%%.*}
 
-          if [ $POM_JFX_VERSION -ne $JMOD_VERSION ]; then
+          if [ "${POM_JFX_VERSION}" -ne "${JMOD_VERSION}" ]; then
             >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != jmod version (${JMOD_VERSION})"
             exit 1
           fi
@@ -222,7 +222,6 @@ jobs:
           --app-drop-link 512 245
           --eula "dist/mac/dmg/resources/license.rtf"
           --icon ".background" 128 758
-          --icon ".fseventsd" 320 758
           --icon ".VolumeIcon.icns" 512 758
           Cryptomator-${VERSION_NO}-${{ matrix.output-suffix }}.dmg dmg
         env:
diff --git a/dist/mac/dmg/build.sh b/dist/mac/dmg/build.sh
index 6d586f02c..b2c8d55e3 100755
--- a/dist/mac/dmg/build.sh
+++ b/dist/mac/dmg/build.sh
@@ -49,21 +49,22 @@ fi
 # download and check jmods
 curl -L ${OPENJFX_JMODS} -o openjfx-jmods.zip
 mkdir -p openjfx-jmods/
-unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods/
+unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
 JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1)
 JMOD_VERSION=${JMOD_VERSION#*@}
 JMOD_VERSION=${JMOD_VERSION%%.*}
-POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
+POM_JFX_VERSION=$(mvn -f../../../pom.xml help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
 POM_JFX_VERSION=${POM_JFX_VERSION#*@}
 POM_JFX_VERSION=${POM_JFX_VERSION%%.*}
 
-if [ $POM_JFX_VERSION -ne $JMOD_VERSION ]; then
->&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != jmod version (${JMOD_VERSION})"
-exit 1
+if [ "${POM_JFX_VERSION}" -ne "${JMOD_VERSION}" ]; then
+    >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != jmod version (${JMOD_VERSION})"
+    exit 1
 fi
 
 # compile
 mvn -B -f../../../pom.xml clean package -DskipTests -Pmac
+cp ../../../LICENSE.txt ../../../target
 cp ../../../target/${MAIN_JAR_GLOB} ../../../target/mods
 
 # add runtime
@@ -168,6 +169,5 @@ create-dmg \
     --app-drop-link 512 245 \
     --eula "resources/license.rtf" \
     --icon ".background" 128 758 \
-    --icon ".fseventsd" 320 758 \
     --icon ".VolumeIcon.icns" 512 758 \
     ${APP_NAME}-${VERSION_NO}.dmg dmg

From c10dc7481850744b9c29c99be7eae14acba9aa2c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 25 Sep 2023 12:12:28 +0200
Subject: [PATCH 46/81] update integrations-linux to 1.4.0-beta1

---
 pom.xml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index 8f08ebdf3..a62120a4d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -37,7 +37,7 @@
 		<cryptomator.integrations.version>1.3.0</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.2.2</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.2.1</cryptomator.integrations.mac.version>
-		<cryptomator.integrations.linux.version>1.3.0-beta6</cryptomator.integrations.linux.version>
+		<cryptomator.integrations.linux.version>1.4.0-beta1</cryptomator.integrations.linux.version>
 		<cryptomator.fuse.version>4.0.0-beta1</cryptomator.fuse.version>
 		<cryptomator.dokany.version>2.0.0</cryptomator.dokany.version>
 		<cryptomator.webdav.version>2.0.4</cryptomator.webdav.version>
@@ -509,13 +509,11 @@
 				</property>
 			</activation>
 			<dependencies>
-				<!-- not yet JDK 21 compatible, falling back to AWT; see https://github.com/purejava/appindicator-gtk3-java/issues/14
 				<dependency>
 					<groupId>org.cryptomator</groupId>
 					<artifactId>integrations-linux</artifactId>
 					<version>${cryptomator.integrations.linux.version}</version>
 				</dependency>
-				 -->
 			</dependencies>
 		</profile>
 

From 943374856e9aaab3f68720bc2a8bb12b2876b741 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 25 Sep 2023 12:18:01 +0200
Subject: [PATCH 47/81] build using JDK 21 GA

---
 .github/workflows/appimage.yml    | 2 +-
 .github/workflows/build.yml       | 2 +-
 .github/workflows/debian.yml      | 2 +-
 .github/workflows/get-version.yml | 2 +-
 .github/workflows/mac-dmg.yml     | 2 +-
 .github/workflows/pullrequest.yml | 2 +-
 .github/workflows/win-exe.yml     | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/appimage.yml b/.github/workflows/appimage.yml
index 25892a0dd..a5c393a9a 100644
--- a/.github/workflows/appimage.yml
+++ b/.github/workflows/appimage.yml
@@ -11,7 +11,7 @@ on:
 
 env:
   JAVA_DIST: 'zulu'
-  JAVA_VERSION: 21-ea
+  JAVA_VERSION: 21
 
 jobs:
   get-version:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index df7d13b0f..8ac352b5e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ on:
 
 env:
   JAVA_DIST: 'zulu'
-  JAVA_VERSION: 21-ea
+  JAVA_VERSION: 21
 
 defaults:
   run:
diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
index e791b5c49..d16b2936f 100644
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
@@ -17,7 +17,7 @@ on:
 
 env:
   JAVA_DIST: 'zulu'
-  JAVA_VERSION: 21-ea
+  JAVA_VERSION: 21
   COFFEELIBS_JDK_VERSION: 21
   OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-x64_bin-jmods.zip'
   OPENJFX_JMODS_AMD64_HASH: 'f522ac2ae4bdd61f0219b7b8d2058ff72a22f36a44378453bcfdcd82f8f5e08c'
diff --git a/.github/workflows/get-version.yml b/.github/workflows/get-version.yml
index 543789d04..48cc95af8 100644
--- a/.github/workflows/get-version.yml
+++ b/.github/workflows/get-version.yml
@@ -23,7 +23,7 @@ on:
 
 env:
   JAVA_DIST: 'zulu'
-  JAVA_VERSION: 21-ea
+  JAVA_VERSION: 21
 
 jobs:
   determine-version:
diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml
index 1e32b7960..6e6aee590 100644
--- a/.github/workflows/mac-dmg.yml
+++ b/.github/workflows/mac-dmg.yml
@@ -16,7 +16,7 @@ on:
 
 env:
   JAVA_DIST: 'zulu'
-  JAVA_VERSION: 21-ea
+  JAVA_VERSION: 21
 
 jobs:
   get-version:
diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
index b7409acfa..161e6c072 100644
--- a/.github/workflows/pullrequest.yml
+++ b/.github/workflows/pullrequest.yml
@@ -5,7 +5,7 @@ on:
 
 env:
   JAVA_DIST: 'zulu'
-  JAVA_VERSION: 21-ea
+  JAVA_VERSION: 21
 
 defaults:
   run:
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 6747199c7..be1229f1a 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -15,7 +15,7 @@ on:
 
 env:
   JAVA_DIST: 'zulu'
-  JAVA_VERSION: 21-ea
+  JAVA_VERSION: 21
   OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_windows-x64_bin-jmods.zip'
   OPENJFX_JMODS_AMD64_HASH: '18625bbc13c57dbf802486564247a8d8cab72ec558c240a401bf6440384ebd77'
 

From 625334c6c8d314c21fc34f0815b10c9490a15d7f Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 25 Sep 2023 16:02:31 +0200
Subject: [PATCH 48/81] fix windows build script

---
 dist/win/build.ps1 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dist/win/build.ps1 b/dist/win/build.ps1
index bef7a9acb..d011f7cc6 100644
--- a/dist/win/build.ps1
+++ b/dist/win/build.ps1
@@ -63,9 +63,10 @@ if( !(Test-Path -Path $jfxJmodsZip) ) {
 $jmodsChecksumActual = $(Get-FileHash -Path $jfxJmodsZip -Algorithm SHA256).Hash
 if( $jmodsChecksumActual -ne $jfxJmodsChecksum ) {
 	Write-Error "Checksum mismatch for jfxJmods.zip. Expected: $jfxJmodsChecksum, actual: $jmodsChecksumActual"
-	exit 1;	
+	exit 1;
 }
-Expand-Archive -Path $jfxJmodsZip -DestinationPath ".\resources\"
+Expand-Archive -Path $jfxJmodsZip -Force -DestinationPath ".\resources\"
+Remove-Item -Recurse -Force -Path ".\resources\javafx-jmods"
 Move-Item -Force -Path ".\resources\javafx-jmods-*" -Destination ".\resources\javafx-jmods" -ErrorAction Stop
 
 

From 93b4cbfb2c473fa06fef67ddb7d263796925be6e Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 26 Sep 2023 13:42:18 +0200
Subject: [PATCH 49/81] add test script

---
 dist/win/signJarDlls.ps1 | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 dist/win/signJarDlls.ps1

diff --git a/dist/win/signJarDlls.ps1 b/dist/win/signJarDlls.ps1
new file mode 100644
index 000000000..701ed69ff
--- /dev/null
+++ b/dist/win/signJarDlls.ps1
@@ -0,0 +1,23 @@
+<#
+1. Select jar file
+2. extract jar to own directory
+3. Sign everything
+4. Update dlls in the jar
+#>
+
+New-Item -Path ".\extract" -ItemType Directory
+Get-ChildItem -Path "." -File *.jar | ForEach-Object {
+    $jar = Copy-Item $_ -Destination ".\extract" -PassThru
+    Set-Location -Path ".\extract"
+    "Extracting jar $($jar.FullName)"
+    jar --file=$($_.FullName) --extract
+    Get-ChildItem -Path "." -Recurse -File "*.dll" | ForEach-Object {
+        <# pipe into signtool, here we are just writing something into the file #>
+        Set-Content -Path $_ -Value "Hello"
+        jar --file=$($jar.FullName) --update $(Resolve-Path -Relative -Path $_)
+    }
+    Move-Item -Path $($jar.FullName) -Destination $_ -Force
+    Remove-Item -Path ".\*" -Force -Recurse
+    Set-Location -Path ".."
+}
+Remove-Item -Path ".\extract"
\ No newline at end of file

From d85733590147a25e5ebd1812fd81e94f6bb84e8e Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 26 Sep 2023 16:43:00 +0200
Subject: [PATCH 50/81] update test script: * use variables * use signtool *
 find newest signtool version

---
 dist/win/signJarDlls.ps1 | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/dist/win/signJarDlls.ps1 b/dist/win/signJarDlls.ps1
index 701ed69ff..edf55aed0 100644
--- a/dist/win/signJarDlls.ps1
+++ b/dist/win/signJarDlls.ps1
@@ -1,23 +1,32 @@
-<#
-1. Select jar file
-2. extract jar to own directory
-3. Sign everything
-4. Update dlls in the jar
-#>
 
-New-Item -Path ".\extract" -ItemType Directory
-Get-ChildItem -Path "." -File *.jar | ForEach-Object {
-    $jar = Copy-Item $_ -Destination ".\extract" -PassThru
-    Set-Location -Path ".\extract"
+$certificateSHA1 = 5FC94CE149E5B511E621F53A060AC67CBD446B3A
+$description = Cryptomator
+$timestampUrl = 'http://timestamp.digicert.com'
+$folder = ".\appdir\Cryptomator"
+$tmpDir = ".\extract"
+$signtool = $(Get-ChildItem "C:/Program Files (x86)/Windows Kits/10/bin/" -Recurse -File signtool.exe | Where-Object { $_.Directory.ToString().EndsWith("x64")} | Select-Object -Last 1).FullName
+
+# import certificate
+
+# create directory to extract every jar to
+New-Item -Path $tmpDir -ItemType Directory
+# iterate over all jars
+Get-ChildItem -Path $folder -Recurse -File *.jar | ForEach-Object {
+    $jar = Copy-Item $_ -Destination $tmpDir -PassThru
+    Set-Location -Path $tmpDir
     "Extracting jar $($jar.FullName)"
     jar --file=$($_.FullName) --extract
     Get-ChildItem -Path "." -Recurse -File "*.dll" | ForEach-Object {
-        <# pipe into signtool, here we are just writing something into the file #>
-        Set-Content -Path $_ -Value "Hello"
+        # sign
+        & $signtool sign /sm /tr ${timestampUrl} /td SH256 /fd SHA256 /d $description /sha1 $certificateSHA1 $_.FullName
+        # update jar with signed dll
         jar --file=$($jar.FullName) --update $(Resolve-Path -Relative -Path $_)
     }
+    # replace old jar with its update
     Move-Item -Path $($jar.FullName) -Destination $_ -Force
+    # clear extraction dir
     Remove-Item -Path ".\*" -Force -Recurse
     Set-Location -Path ".."
 }
-Remove-Item -Path ".\extract"
\ No newline at end of file
+# clean up
+Remove-Item -Path $tmpDir
\ No newline at end of file

From fadd6b761fc308b0e5b3364724427a671533c5dd Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 26 Sep 2023 17:30:18 +0200
Subject: [PATCH 51/81] add cert import

---
 dist/win/signJarDlls.ps1 | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/dist/win/signJarDlls.ps1 b/dist/win/signJarDlls.ps1
index edf55aed0..3f185e249 100644
--- a/dist/win/signJarDlls.ps1
+++ b/dist/win/signJarDlls.ps1
@@ -1,4 +1,5 @@
-
+$certificate = 'abc'
+$password = 'secret'
 $certificateSHA1 = 5FC94CE149E5B511E621F53A060AC67CBD446B3A
 $description = Cryptomator
 $timestampUrl = 'http://timestamp.digicert.com'
@@ -6,7 +7,14 @@ $folder = ".\appdir\Cryptomator"
 $tmpDir = ".\extract"
 $signtool = $(Get-ChildItem "C:/Program Files (x86)/Windows Kits/10/bin/" -Recurse -File signtool.exe | Where-Object { $_.Directory.ToString().EndsWith("x64")} | Select-Object -Last 1).FullName
 
+# preps
+# does this work on CI?
+Install-Module -Name Microsoft.PowerShell.TextUtility
+
 # import certificate
+$bytes = ConvertFrom-Base64 -EncodedText $certificate -AsByteArray
+Set-Content -Path $certificateFile -AsByteStream -Value $bytes
+& certutil -f -p $password -importpfx $certificateFile
 
 # create directory to extract every jar to
 New-Item -Path $tmpDir -ItemType Directory

From 29fedcd39032e12d09e6f5473e4cea2574632431 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 26 Sep 2023 17:30:56 +0200
Subject: [PATCH 52/81] integrate code from test script into github workflow

---
 .github/workflows/win-exe.yml | 46 ++++++++++++++++++++++++++++++-----
 1 file changed, 40 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 066b7d49e..b54d6731c 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -143,9 +143,47 @@ jobs:
       - name: Fix permissions
         run: attrib -r appdir/Cryptomator/Cryptomator.exe
         shell: pwsh
-      - name: Extract integrations DLL for code signing
+      - name: Codesign binaries inside jars
+        run: |
+          $certificate = '${{ secrets.WIN_CODESIGN_P12_BASE64 }}'
+          $password = '${{ secrets.WIN_CODESIGN_P12_PW }}'
+          $certificateSHA1 = '5FC94CE149E5B511E621F53A060AC67CBD446B3A'
+          $description = 'Cryptomator'
+          $timestampUrl = 'http://timestamp.digicert.com'
+          $folder = ".\appdir\Cryptomator\app"
+          $tmpDir = ".\extract"
+          $signtool = $(Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin\' -Recurse -File signtool.exe | Where-Object { $_.Directory.ToString().EndsWith('x64') } | Select-Object -Last 1).FullName
+
+          # preps
+          Install-Module -Name Microsoft.PowerShell.TextUtility -Force -Confirm:$False
+
+          # import certificate
+          $bytes = ConvertFrom-Base64 -EncodedText $certificate -AsByteArray
+          Set-Content -Path ".\certFile" -AsByteStream -Value $bytes
+          & certutil -f -p $password -importpfx ".\certFile"
+
+          # create directory to extract every jar to
+          New-Item -Path $tmpDir -ItemType Directory
+          # iterate over all jars
+          Get-ChildItem -Path $folder -Recurse -File *.jar | ForEach-Object {
+              $jar = Copy-Item $_ -Destination $tmpDir -PassThru
+              Set-Location -Path $tmpDir
+              jar --file=$($_.FullName) --extract
+              Get-ChildItem -Path "." -Recurse -File "*.dll" | ForEach-Object {
+                  # sign
+                  & $signtool sign /sm /tr ${timestampUrl} /td SHA256 /fd SHA256 /d $description /sha1 $certificateSHA1 $_.FullName
+                  # update jar with signed dll
+                  jar --file=$($jar.FullName) --update $(Resolve-Path -Relative -Path $_)
+              }
+              # replace old jar with its update
+              Move-Item -Path $($jar.FullName) -Destination $_ -Force
+              # clear extraction dir
+              Remove-Item -Path ".\*" -Force -Recurse
+              Set-Location -Path ".."
+          }
+          # clean up
+          Remove-Item -Path $tmpDir
         shell: pwsh
-        run: gci ./appdir/Cryptomator/app/mods/ -File integrations-win-*.jar | ForEach-Object {Set-Location -Path $_.Directory; jar --file=$($_.FullName) --extract integrations.dll }
       - name: Codesign
         uses: skymatic/code-sign-action@v2
         with:
@@ -156,10 +194,6 @@ jobs:
           timestampUrl: 'http://timestamp.digicert.com'
           folder: appdir/Cryptomator
           recursive: true
-      - name: Repack signed DLL into jar
-        shell: pwsh
-        run: |
-          gci ./appdir/Cryptomator/app/mods/ -File integrations-win-*.jar | ForEach-Object {Set-Location -Path $_.Directory; jar --file=$($_.FullName) --update integrations.dll; Remove-Item integrations.dll}
       - name: Generate license for MSI
         run: >
           mvn -B license:add-third-party

From 15885545b58036d2c9318a94da5681399a01cdb4 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 27 Sep 2023 11:13:52 +0200
Subject: [PATCH 53/81] supress some output

---
 .github/workflows/win-exe.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index b54d6731c..3b43a24ec 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -163,7 +163,7 @@ jobs:
           & certutil -f -p $password -importpfx ".\certFile"
 
           # create directory to extract every jar to
-          New-Item -Path $tmpDir -ItemType Directory
+          New-Item -Path $tmpDir -ItemType Directory > $null
           # iterate over all jars
           Get-ChildItem -Path $folder -Recurse -File *.jar | ForEach-Object {
               $jar = Copy-Item $_ -Destination $tmpDir -PassThru

From ce466e7715414238ecb1ccc26ccff485a994df5b Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 28 Sep 2023 13:42:16 +0200
Subject: [PATCH 54/81] fixes #3130

---
 .github/workflows/win-exe.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 3b43a24ec..2b0352e79 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -14,7 +14,7 @@ on:
 
 
 env:
-  JAVA_DIST: 'temurin'
+  JAVA_DIST: 'corretto'
   JAVA_VERSION: 20
   OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_windows-x64_bin-jmods.zip'
   OPENJFX_JMODS_AMD64_HASH: '18625bbc13c57dbf802486564247a8d8cab72ec558c240a401bf6440384ebd77'

From ae50846257d673a8bfb561fc7e00b5bfa769b4cb Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 28 Sep 2023 18:33:01 +0200
Subject: [PATCH 55/81] Revert ce466e7715414238ecb1ccc26ccff485a994df5b

---
 .github/workflows/win-exe.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 2b0352e79..3b43a24ec 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -14,7 +14,7 @@ on:
 
 
 env:
-  JAVA_DIST: 'corretto'
+  JAVA_DIST: 'temurin'
   JAVA_VERSION: 20
   OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_windows-x64_bin-jmods.zip'
   OPENJFX_JMODS_AMD64_HASH: '18625bbc13c57dbf802486564247a8d8cab72ec558c240a401bf6440384ebd77'

From 7bc47fe6d72f97d950fdcfb8777e4b490d9dcc4b Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 28 Sep 2023 18:33:26 +0200
Subject: [PATCH 56/81] Really fixes #3130

---
 .github/workflows/win-exe.yml | 9 ++++++++-
 dist/win/build.ps1            | 1 +
 dist/win/resources/main.wxs   | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 3b43a24ec..c6ebdecbb 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -184,6 +184,12 @@ jobs:
           # clean up
           Remove-Item -Path $tmpDir
         shell: pwsh
+      - name: Extract wixhelper.dll for Codesigning #see https://github.com/cryptomator/cryptomator/issues/3130
+        run: |
+          New-Item -Path appdir/jpackage-jmod -ItemType Directory
+          & $env:JAVA_HOME\bin\jmod.exe extract --dir jpackage-jmod "${env:JAVA_HOME}\jmods\jdk.jpackage.jmod"
+          Get-ChildItem -Recurse -Path "jpackage-jmod" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "appdir"
+        shell: pwsh
       - name: Codesign
         uses: skymatic/code-sign-action@v2
         with:
@@ -192,7 +198,7 @@ jobs:
           certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
           description: Cryptomator
           timestampUrl: 'http://timestamp.digicert.com'
-          folder: appdir/Cryptomator
+          folder: appdir
           recursive: true
       - name: Generate license for MSI
         run: >
@@ -227,6 +233,7 @@ jobs:
           --file-associations dist/win/resources/FAvaultFile.properties
         env:
           JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources # requires abs path, used in resources/main.wxs
+          JP_WIXHELPER_DIR: ${{ github.workspace }}\appdir
       - name: Codesign MSI
         uses: skymatic/code-sign-action@v2
         with:
diff --git a/dist/win/build.ps1 b/dist/win/build.ps1
index d011f7cc6..9d2fb0def 100644
--- a/dist/win/build.ps1
+++ b/dist/win/build.ps1
@@ -144,6 +144,7 @@ try {
 
 # create .msi
 $Env:JP_WIXWIZARD_RESOURCES = "$buildDir\resources"
+$Env:JP_WIXHELPER_DIR = "."
 & "$Env:JAVA_HOME\bin\jpackage" `
 	--verbose `
 	--type msi `
diff --git a/dist/win/resources/main.wxs b/dist/win/resources/main.wxs
index c940b9f9a..2fe2eb348 100644
--- a/dist/win/resources/main.wxs
+++ b/dist/win/resources/main.wxs
@@ -70,7 +70,7 @@
     <CustomAction Id="JpDisallowDowngrade" Error="!(loc.DowngradeErrorMessage)" />
     <?endif?>
 
-    <Binary Id="JpCaDll" SourceFile="wixhelper.dll"/>
+    <Binary Id="JpCaDll" SourceFile="$(env.JP_WIXHELPER_DIR)\wixhelper.dll"/>
     <CustomAction Id="JpFindRelatedProducts" BinaryKey="JpCaDll" DllEntry="FindRelatedProductsEx" />
 
     <?ifndef SkipCryptomatorLegacyCheck ?>

From 0d805b2d432e8a4ca35410a72aca18adb45066ff Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 28 Sep 2023 18:34:38 +0200
Subject: [PATCH 57/81] clean up

---
 dist/win/signJarDlls.ps1 | 40 ----------------------------------------
 1 file changed, 40 deletions(-)
 delete mode 100644 dist/win/signJarDlls.ps1

diff --git a/dist/win/signJarDlls.ps1 b/dist/win/signJarDlls.ps1
deleted file mode 100644
index 3f185e249..000000000
--- a/dist/win/signJarDlls.ps1
+++ /dev/null
@@ -1,40 +0,0 @@
-$certificate = 'abc'
-$password = 'secret'
-$certificateSHA1 = 5FC94CE149E5B511E621F53A060AC67CBD446B3A
-$description = Cryptomator
-$timestampUrl = 'http://timestamp.digicert.com'
-$folder = ".\appdir\Cryptomator"
-$tmpDir = ".\extract"
-$signtool = $(Get-ChildItem "C:/Program Files (x86)/Windows Kits/10/bin/" -Recurse -File signtool.exe | Where-Object { $_.Directory.ToString().EndsWith("x64")} | Select-Object -Last 1).FullName
-
-# preps
-# does this work on CI?
-Install-Module -Name Microsoft.PowerShell.TextUtility
-
-# import certificate
-$bytes = ConvertFrom-Base64 -EncodedText $certificate -AsByteArray
-Set-Content -Path $certificateFile -AsByteStream -Value $bytes
-& certutil -f -p $password -importpfx $certificateFile
-
-# create directory to extract every jar to
-New-Item -Path $tmpDir -ItemType Directory
-# iterate over all jars
-Get-ChildItem -Path $folder -Recurse -File *.jar | ForEach-Object {
-    $jar = Copy-Item $_ -Destination $tmpDir -PassThru
-    Set-Location -Path $tmpDir
-    "Extracting jar $($jar.FullName)"
-    jar --file=$($_.FullName) --extract
-    Get-ChildItem -Path "." -Recurse -File "*.dll" | ForEach-Object {
-        # sign
-        & $signtool sign /sm /tr ${timestampUrl} /td SH256 /fd SHA256 /d $description /sha1 $certificateSHA1 $_.FullName
-        # update jar with signed dll
-        jar --file=$($jar.FullName) --update $(Resolve-Path -Relative -Path $_)
-    }
-    # replace old jar with its update
-    Move-Item -Path $($jar.FullName) -Destination $_ -Force
-    # clear extraction dir
-    Remove-Item -Path ".\*" -Force -Recurse
-    Set-Location -Path ".."
-}
-# clean up
-Remove-Item -Path $tmpDir
\ No newline at end of file

From 24a63c10d0578390dd5fa6c7211646e1a8592911 Mon Sep 17 00:00:00 2001
From: Ralph Plawetzki <ralph@purejava.org>
Date: Sat, 30 Sep 2023 14:54:15 +0200
Subject: [PATCH 58/81] Build for aarch64 too

---
 dist/linux/appimage/build.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/dist/linux/appimage/build.sh b/dist/linux/appimage/build.sh
index d3390c717..0a4b7f65d 100755
--- a/dist/linux/appimage/build.sh
+++ b/dist/linux/appimage/build.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 
 cd $(dirname $0)
 REVISION_NO=`git rev-list --count HEAD`
@@ -10,6 +11,7 @@ command -v curl >/dev/null 2>&1 || { echo >&2 "curl not found."; exit 1; }
 
 VERSION=$(mvn -f ../../../pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout)
 SEMVER_STR=${VERSION}
+MACHINE_TYPE=$(uname -m)
 
 mvn -f ../../../pom.xml versions:set -DnewVersion=${SEMVER_STR}
 
@@ -83,17 +85,17 @@ ln -s usr/share/applications/org.cryptomator.Cryptomator.desktop Cryptomator.App
 ln -s bin/cryptomator.sh Cryptomator.AppDir/AppRun
 
 # load AppImageTool
-curl -L https://github.com/AppImage/AppImageKit/releases/download/13/appimagetool-x86_64.AppImage -o /tmp/appimagetool.AppImage
+curl -L https://github.com/AppImage/AppImageKit/releases/download/13/appimagetool-${MACHINE_TYPE}.AppImage -o /tmp/appimagetool.AppImage
 chmod +x /tmp/appimagetool.AppImage
 
 # create AppImage
 /tmp/appimagetool.AppImage \
     Cryptomator.AppDir \
-    cryptomator-${SEMVER_STR}-x86_64.AppImage  \
-    -u 'gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-x86_64.AppImage.zsync'
+    cryptomator-${SEMVER_STR}-${MACHINE_TYPE}.AppImage  \
+    -u 'gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-${MACHINE_TYPE}.AppImage.zsync'
 
 echo ""
-echo "Done. AppImage successfully created: cryptomator-${SEMVER_STR}-x86_64.AppImage"
+echo "Done. AppImage successfully created: cryptomator-${SEMVER_STR}-${MACHINE_TYPE}.AppImage"
 echo ""
 echo >&2 "To clean up, run: rm -rf Cryptomator.AppDir appdir jni runtime squashfs-root; rm launcher-gtk2.properties /tmp/appimagetool.AppImage"
 echo ""
\ No newline at end of file

From 4ee1e6d9f1c79efc2bc25e3eaf88e54d20a68840 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 4 Oct 2023 20:24:43 +0000
Subject: [PATCH 59/81] Bump the github-actions group with 1 update (#3135)

---
 .github/workflows/appimage.yml      | 2 +-
 .github/workflows/build.yml         | 2 +-
 .github/workflows/debian.yml        | 2 +-
 .github/workflows/get-version.yml   | 2 +-
 .github/workflows/mac-dmg.yml       | 2 +-
 .github/workflows/pullrequest.yml   | 2 +-
 .github/workflows/release-check.yml | 2 +-
 .github/workflows/win-exe.yml       | 4 ++--
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/appimage.yml b/.github/workflows/appimage.yml
index fbbc879b6..ee89a17ec 100644
--- a/.github/workflows/appimage.yml
+++ b/.github/workflows/appimage.yml
@@ -36,7 +36,7 @@ jobs:
             openjfx-url: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-aarch64_bin-jmods.zip'
             openjfx-sha: 'c0d80ebbe0aab404ef9ad8b46c05bf533a1e40b39b2720eebd9238d81f6326ca'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Java
         uses: actions/setup-java@v3
         with:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 13acee970..1416c3809 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,7 +18,7 @@ jobs:
     name: Compile and Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-java@v3
         with:
           distribution: ${{ env.JAVA_DIST }}
diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
index 2ae6c3262..6c1a68944 100644
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
@@ -28,7 +28,7 @@ jobs:
     name: Build Debian Package
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - id: versions
         name: Get version information
         run: |
diff --git a/.github/workflows/get-version.yml b/.github/workflows/get-version.yml
index 44f5ccd85..f05d7742a 100644
--- a/.github/workflows/get-version.yml
+++ b/.github/workflows/get-version.yml
@@ -35,7 +35,7 @@ jobs:
       revNum: ${{ steps.versions.outputs.revNum }}
       type: ${{ steps.versions.outputs.type}}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup Java
diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml
index 899fc2197..ea6fed274 100644
--- a/.github/workflows/mac-dmg.yml
+++ b/.github/workflows/mac-dmg.yml
@@ -47,7 +47,7 @@ jobs:
           openjfx-url: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_osx-aarch64_bin-jmods.zip'
           openjfx-sha: 'c60f5f19aa847e0e620e0b011e5de68f2c6755641c2141cec27a0b89f612beaf'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Java
         uses: actions/setup-java@v3
         with:
diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
index 14146d0cb..9b615756a 100644
--- a/.github/workflows/pullrequest.yml
+++ b/.github/workflows/pullrequest.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-java@v3
         with:
           distribution: ${{ env.JAVA_DIST }}
diff --git a/.github/workflows/release-check.yml b/.github/workflows/release-check.yml
index ec532081b..1bbfb5d1a 100644
--- a/.github/workflows/release-check.yml
+++ b/.github/workflows/release-check.yml
@@ -15,7 +15,7 @@ jobs:
     name: Validate commits pushed to release/hotfix branch to fulfill release requirements
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - id: validate-pom-version
         name: Validate POM version
         run: |
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 066b7d49e..7066a0bb6 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -37,7 +37,7 @@ jobs:
       LOOPBACK_ALIAS: 'cryptomator-vault'
       WIN_CONSOLE_FLAG: ''
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Java
         uses: actions/setup-java@v3
         with:
@@ -234,7 +234,7 @@ jobs:
     runs-on: windows-latest
     needs: [get-version, build-msi]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Download .msi
         uses: actions/download-artifact@v3
         with:

From a7eba377baf511f5107c24808de5b48bfa10ea3f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 9 Oct 2023 09:58:47 +0000
Subject: [PATCH 60/81] Bump org.mockito:mockito-core from 5.5.0 to 5.6.0
 (#3142)

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 796e73541..2c6faa90c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -58,7 +58,7 @@
 
 		<!-- test dependencies -->
 		<junit.jupiter.version>5.10.0</junit.jupiter.version>
-		<mockito.version>5.5.0</mockito.version>
+		<mockito.version>5.6.0</mockito.version>
 		<hamcrest.version>2.2</hamcrest.version>
 
 		<!-- build-time dependencies -->

From 83879f5cfed647e435d1c9a11569670697e58c68 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 9 Oct 2023 16:19:56 +0200
Subject: [PATCH 61/81] revert 8e9d54b & 6c5ee14 due to bug in JDK 21

see https://bugs.openjdk.org/browse/JDK-8313323
---
 .../org/cryptomator/ipc/IpcMessageListener.java    |  2 +-
 .../org/cryptomator/ui/health/StartController.java | 14 +++++++-------
 .../ui/traymenu/AwtTrayMenuController.java         |  2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/main/java/org/cryptomator/ipc/IpcMessageListener.java b/src/main/java/org/cryptomator/ipc/IpcMessageListener.java
index 284ed075b..756305cbe 100644
--- a/src/main/java/org/cryptomator/ipc/IpcMessageListener.java
+++ b/src/main/java/org/cryptomator/ipc/IpcMessageListener.java
@@ -6,7 +6,7 @@ public interface IpcMessageListener {
 
 	default void handleMessage(IpcMessage message) {
 		switch (message) {
-			case RevealRunningAppMessage _ -> revealRunningApp();
+			case RevealRunningAppMessage m -> revealRunningApp(); // TODO: rename to _ with JEP 443
 			case HandleLaunchArgsMessage m -> handleLaunchArgs(m.args());
 		}
 	}
diff --git a/src/main/java/org/cryptomator/ui/health/StartController.java b/src/main/java/org/cryptomator/ui/health/StartController.java
index 917ba8095..9ff2502da 100644
--- a/src/main/java/org/cryptomator/ui/health/StartController.java
+++ b/src/main/java/org/cryptomator/ui/health/StartController.java
@@ -101,16 +101,16 @@ public class StartController implements FxController {
 		}
 	}
 
-	private void loadingKeyFailed(Throwable e) {
-		switch (e) {
-			case UnlockCancelledException _ -> {} //ok
-			case VaultKeyInvalidException _ -> {
-				LOG.error("Invalid key"); //TODO: specific error screen
+	private void loadingKeyFailed(Throwable t) {
+		switch (t) {
+			case UnlockCancelledException e -> {} // ok // TODO: rename to _ with JEP 443
+			case VaultKeyInvalidException e -> { // TODO: rename to _ with JEP 443
+				LOG.error("Invalid key"); // TODO: specific error screen
 				appWindows.showErrorWindow(e, window, null);
 			}
 			default -> {
-				LOG.error("Failed to load key.", e);
-				appWindows.showErrorWindow(e, window, null);
+				LOG.error("Failed to load key.", t);
+				appWindows.showErrorWindow(t, window, null);
 			}
 		}
 	}
diff --git a/src/main/java/org/cryptomator/ui/traymenu/AwtTrayMenuController.java b/src/main/java/org/cryptomator/ui/traymenu/AwtTrayMenuController.java
index ba6b2ef74..012097e33 100644
--- a/src/main/java/org/cryptomator/ui/traymenu/AwtTrayMenuController.java
+++ b/src/main/java/org/cryptomator/ui/traymenu/AwtTrayMenuController.java
@@ -109,7 +109,7 @@ public class AwtTrayMenuController implements TrayMenuController {
 					menuItem.setEnabled(a.enabled());
 					menu.add(menuItem);
 				}
-				case SeparatorItem _ -> menu.addSeparator();
+				case SeparatorItem s -> menu.addSeparator(); // TODO: rename to _ with JEP 443
 				case SubMenuItem s -> {
 					var submenu = new Menu(s.title());
 					addChildren(submenu, s.items());

From 9b55f6fc56cb0a91aaa5eb80899fe3225f91eb37 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 11 Oct 2023 12:55:05 +0200
Subject: [PATCH 62/81] Refactor extraction and singing in seperate steps

---
 .github/workflows/win-exe.yml | 72 +++++++++++++++--------------------
 1 file changed, 31 insertions(+), 41 deletions(-)

diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index c6ebdecbb..490c7eafb 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -143,53 +143,29 @@ jobs:
       - name: Fix permissions
         run: attrib -r appdir/Cryptomator/Cryptomator.exe
         shell: pwsh
-      - name: Codesign binaries inside jars
-        run: |
-          $certificate = '${{ secrets.WIN_CODESIGN_P12_BASE64 }}'
-          $password = '${{ secrets.WIN_CODESIGN_P12_PW }}'
-          $certificateSHA1 = '5FC94CE149E5B511E621F53A060AC67CBD446B3A'
-          $description = 'Cryptomator'
-          $timestampUrl = 'http://timestamp.digicert.com'
-          $folder = ".\appdir\Cryptomator\app"
-          $tmpDir = ".\extract"
-          $signtool = $(Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin\' -Recurse -File signtool.exe | Where-Object { $_.Directory.ToString().EndsWith('x64') } | Select-Object -Last 1).FullName
-
-          # preps
-          Install-Module -Name Microsoft.PowerShell.TextUtility -Force -Confirm:$False
-
-          # import certificate
-          $bytes = ConvertFrom-Base64 -EncodedText $certificate -AsByteArray
-          Set-Content -Path ".\certFile" -AsByteStream -Value $bytes
-          & certutil -f -p $password -importpfx ".\certFile"
-
-          # create directory to extract every jar to
-          New-Item -Path $tmpDir -ItemType Directory > $null
-          # iterate over all jars
-          Get-ChildItem -Path $folder -Recurse -File *.jar | ForEach-Object {
-              $jar = Copy-Item $_ -Destination $tmpDir -PassThru
-              Set-Location -Path $tmpDir
-              jar --file=$($_.FullName) --extract
-              Get-ChildItem -Path "." -Recurse -File "*.dll" | ForEach-Object {
-                  # sign
-                  & $signtool sign /sm /tr ${timestampUrl} /td SHA256 /fd SHA256 /d $description /sha1 $certificateSHA1 $_.FullName
-                  # update jar with signed dll
-                  jar --file=$($jar.FullName) --update $(Resolve-Path -Relative -Path $_)
-              }
-              # replace old jar with its update
-              Move-Item -Path $($jar.FullName) -Destination $_ -Force
-              # clear extraction dir
-              Remove-Item -Path ".\*" -Force -Recurse
-              Set-Location -Path ".."
-          }
-          # clean up
-          Remove-Item -Path $tmpDir
+      - name: Extract jars with DLLs for Codesigning
         shell: pwsh
+        run: |
+          Add-Type -AssemblyName "System.io.compression.filesystem"
+          $jarFolder = Resolve-Path ".\appdir\Cryptomator\app\mods"
+          $jarExtractDir = New-Item -Path ".\appdir\jar-extract" -ItemType Directory
+
+          #for all jars inspect
+          Get-ChildItem -Path $jarFolder -Filter "*.jar" | ForEach-Object {
+              $jar = [Io.compression.zipfile]::OpenRead($_.FullName)
+              if (@($jar.Entries | Where-Object {$_.Name.ToString().EndsWith(".dll")} | Select-Object -First 1).Count -gt 0) {
+                  #jars containing dlls extract
+                  Set-Location $jarExtractDir
+                  Expand-Archive -Path $_.FullName
+              }
+              $jar.Dispose()
+          }
       - name: Extract wixhelper.dll for Codesigning #see https://github.com/cryptomator/cryptomator/issues/3130
+        shell: pwsh
         run: |
           New-Item -Path appdir/jpackage-jmod -ItemType Directory
           & $env:JAVA_HOME\bin\jmod.exe extract --dir jpackage-jmod "${env:JAVA_HOME}\jmods\jdk.jpackage.jmod"
           Get-ChildItem -Recurse -Path "jpackage-jmod" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "appdir"
-        shell: pwsh
       - name: Codesign
         uses: skymatic/code-sign-action@v2
         with:
@@ -200,6 +176,20 @@ jobs:
           timestampUrl: 'http://timestamp.digicert.com'
           folder: appdir
           recursive: true
+      - name: Replace DLLs inside jars with signed ones
+        shell: pwsh
+        run: |
+          $jarExtractDir = Resolve-Path ".\appdir\jar-extract"
+          $jarFolder = Resolve-Path ".\appdir\Cryptomator\app\mods"
+          Get-ChildItem -Path $jarExtractDir | ForEach-Object {
+              $jarName = $_.Name
+              $jarFile = "${jarFolder}\${jarName}.jar"
+              Set-Location $_
+              Get-ChildItem -Path $_ -Recurse -File "*.dll" | ForEach-Object {
+                  # update jar with signed dll
+                  jar --file="$jarFile" --update $(Resolve-Path -Relative -Path $_)
+              }
+          }
       - name: Generate license for MSI
         run: >
           mvn -B license:add-third-party

From 109f5d1faa1057884445ed16f0b9c16d54dfe845 Mon Sep 17 00:00:00 2001
From: Julian Raufelder <Julian@Raufelder.com>
Date: Thu, 12 Oct 2023 10:56:14 +0200
Subject: [PATCH 63/81] Update the error-db when a discussion is deleted

---
 .github/workflows/error-db.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/error-db.yml b/.github/workflows/error-db.yml
index 09a15fe1f..57c5ca057 100644
--- a/.github/workflows/error-db.yml
+++ b/.github/workflows/error-db.yml
@@ -2,7 +2,7 @@ name: Update Error Database
 
 on:
   discussion:
-    types: [created, edited, category_changed, answered, unanswered]
+    types: [created, edited, deleted, category_changed, answered, unanswered]
   discussion_comment:
     types: [created, edited, deleted]
 

From 7f7f0a099a03d55e1e14ae95c737b0c43c7abf6e Mon Sep 17 00:00:00 2001
From: Julian Raufelder <Julian@Raufelder.com>
Date: Thu, 12 Oct 2023 14:11:54 +0200
Subject: [PATCH 64/81] Propagate deleted discussions to the error database

---
 .github/workflows/error-db.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/error-db.yml b/.github/workflows/error-db.yml
index 57c5ca057..e885af4a2 100644
--- a/.github/workflows/error-db.yml
+++ b/.github/workflows/error-db.yml
@@ -12,6 +12,7 @@ jobs:
     if: github.event.discussion.category.name == 'Errors'
     steps:
       - name: Query Discussion Data
+        if: github.event_name == 'discussion_comment' || github.event_name == 'discussion' && github.event.action != 'deleted'
         id: query-data
         uses: actions/github-script@v6
         with:
@@ -47,8 +48,13 @@ jobs:
       - name: Merge Error Code Data
         run: |
           jq -c '.' ${{ steps.get-gist.outputs.file }} > original.json
-          echo $DISCUSSION | jq -c '.repository.discussion | .comments = .comments.totalCount | {(.id|tostring) : .}' > new.json
-          jq -s '.[0] * .[1]' original.json new.json > merged.json
+          if [ ! -z "$DISCUSSION" ]
+          then
+            echo $DISCUSSION | jq -c '.repository.discussion | .comments = .comments.totalCount | {(.id|tostring) : .}' > new.json
+            jq -s '.[0] * .[1]' original.json new.json > merged.json
+          else
+            cat original.json | jq 'del(.[] | select(.url=="https://github.com/cryptomator/cryptomator/discussions/${{ github.event.discussion.number }}"))' > merged.json
+          fi
         env:
           DISCUSSION: ${{ steps.query-data.outputs.result }}
       - name: Patch Gist

From 2e2aa77727c212a1751c3a0a10c73bda77463e04 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 16 Oct 2023 16:19:11 +0200
Subject: [PATCH 65/81] update dependencies

---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index dbf3967db..d4444149c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -37,7 +37,7 @@
 		<cryptomator.integrations.version>1.3.0</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.2.3</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.2.2</cryptomator.integrations.mac.version>
-		<cryptomator.integrations.linux.version>1.4.0-beta1</cryptomator.integrations.linux.version>
+		<cryptomator.integrations.linux.version>1.4.0-beta2</cryptomator.integrations.linux.version>
 		<cryptomator.fuse.version>4.0.0-beta1</cryptomator.fuse.version>
 		<cryptomator.dokany.version>2.0.0</cryptomator.dokany.version>
 		<cryptomator.webdav.version>2.0.4</cryptomator.webdav.version>
@@ -64,7 +64,7 @@
 		<!-- build-time dependencies -->
 		<jetbrains.annotations.version>24.0.1</jetbrains.annotations.version>
 		<dependency-check.version>8.4.0</dependency-check.version>
-		<jacoco.version>0.8.10</jacoco.version>
+		<jacoco.version>0.8.11</jacoco.version>
 		<license-generator.version>2.2.0</license-generator.version>
 		<junit-tree-reporter.version>1.2.1</junit-tree-reporter.version>
 		<mvn-compiler.version>3.11.0</mvn-compiler.version>

From 1debe4c7c8593e24d6fa8f81db9da6d19913eefc Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 16 Oct 2023 16:20:03 +0200
Subject: [PATCH 66/81] explicitly set Logback `ConfiguratorRank`

---
 src/main/java/org/cryptomator/logging/LogbackConfigurator.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/java/org/cryptomator/logging/LogbackConfigurator.java b/src/main/java/org/cryptomator/logging/LogbackConfigurator.java
index 511599132..3b77993cc 100644
--- a/src/main/java/org/cryptomator/logging/LogbackConfigurator.java
+++ b/src/main/java/org/cryptomator/logging/LogbackConfigurator.java
@@ -5,6 +5,7 @@ import ch.qos.logback.classic.Logger;
 import ch.qos.logback.classic.LoggerContext;
 import ch.qos.logback.classic.encoder.PatternLayoutEncoder;
 import ch.qos.logback.classic.spi.Configurator;
+import ch.qos.logback.classic.spi.ConfiguratorRank;
 import ch.qos.logback.classic.spi.ILoggingEvent;
 import ch.qos.logback.core.Appender;
 import ch.qos.logback.core.ConsoleAppender;
@@ -19,6 +20,7 @@ import org.cryptomator.common.Environment;
 import java.nio.file.Path;
 import java.util.Map;
 
+@ConfiguratorRank(ConfiguratorRank.CUSTOM_NORMAL_PRIORITY)
 public class LogbackConfigurator extends ContextAwareBase implements Configurator {
 
 	private static final String LOG_PATTERN = "%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n";

From 209f60727e5d4329ac6ef22809f847cc9a1bb998 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 16 Oct 2023 16:38:12 +0200
Subject: [PATCH 67/81] fix f4ad7aa43dd36c23a3573bc120e21337753d98f0

---
 .../locationpresets/OneDriveWindowsLocationPresetsProvider.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/cryptomator/common/locationpresets/OneDriveWindowsLocationPresetsProvider.java b/src/main/java/org/cryptomator/common/locationpresets/OneDriveWindowsLocationPresetsProvider.java
index 1d5bffd70..467d7785b 100644
--- a/src/main/java/org/cryptomator/common/locationpresets/OneDriveWindowsLocationPresetsProvider.java
+++ b/src/main/java/org/cryptomator/common/locationpresets/OneDriveWindowsLocationPresetsProvider.java
@@ -62,7 +62,7 @@ public final class OneDriveWindowsLocationPresetsProvider implements LocationPre
 		ProcessBuilder command = new ProcessBuilder(args);
 		Process p = command.start();
 		waitForSuccess(p, 3, "`reg query`");
-		return p.inputReader(StandardCharsets.UTF_8).lines().filter(outputFilter);
+		return p.inputReader(StandardCharsets.ISO_8859_1).lines().filter(outputFilter);
 	}
 
 

From 0cf1f087adf748c848372313984f1e0b199955d3 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 17 Oct 2023 11:36:50 +0200
Subject: [PATCH 68/81] Closes #3113

---
 src/main/java/org/cryptomator/ui/error/ErrorController.java  | 2 ++
 .../java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java   | 4 ++++
 .../java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java | 5 ++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/cryptomator/ui/error/ErrorController.java b/src/main/java/org/cryptomator/ui/error/ErrorController.java
index 61f2b0e10..b66d0e779 100644
--- a/src/main/java/org/cryptomator/ui/error/ErrorController.java
+++ b/src/main/java/org/cryptomator/ui/error/ErrorController.java
@@ -31,6 +31,7 @@ import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
+import java.time.Duration;
 import java.util.Comparator;
 import java.util.Map;
 import java.util.Optional;
@@ -154,6 +155,7 @@ public class ErrorController implements FxController {
 		HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
 		HttpRequest httpRequest = HttpRequest.newBuilder()//
 				.header("User-Agent", userAgent)
+				.timeout(Duration.ofSeconds(5))
 				.uri(URI.create(ERROR_CODES_URL_FORMAT.formatted(URLEncoder.encode(errorCode.toString(),StandardCharsets.UTF_8))))//
 				.build();
 		httpClient.sendAsync(httpRequest, HttpResponse.BodyHandlers.ofInputStream())//
diff --git a/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java b/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java
index d70301e78..4bbe44799 100644
--- a/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java
@@ -20,8 +20,11 @@ import java.io.UncheckedIOException;
 import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
+import java.time.temporal.ChronoUnit;
+import java.time.temporal.TemporalUnit;
 import java.util.Optional;
 import java.util.concurrent.ExecutorService;
+import java.util.concurrent.TimeUnit;
 
 @Module
 public abstract class UpdateCheckerModule {
@@ -63,6 +66,7 @@ public abstract class UpdateCheckerModule {
 		return HttpRequest.newBuilder() //
 				.uri(LATEST_VERSION_URI) //
 				.header("User-Agent", userAgent) //
+				.timeout(java.time.Duration.ofSeconds(3))
 				.build();
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
index 0379d4331..4f9609aa7 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
@@ -8,6 +8,8 @@ import io.github.coffeelibs.tinyoauth2client.http.response.Response;
 import javafx.concurrent.Task;
 import java.io.IOException;
 import java.net.URI;
+import java.net.http.HttpClient;
+import java.time.Duration;
 import java.util.function.Consumer;
 
 class AuthFlowTask extends Task<String> {
@@ -37,7 +39,8 @@ class AuthFlowTask extends Task<String> {
 				.authFlow(URI.create(hubConfig.authEndpoint)) //
 				.setSuccessResponse(Response.redirect(URI.create(hubConfig.authSuccessUrl + "&device=" + authFlowContext.deviceId()))) //
 				.setErrorResponse(Response.redirect(URI.create(hubConfig.authErrorUrl + "&device=" + authFlowContext.deviceId()))) //
-				.authorize(redirectUriConsumer);
+				.authorize(HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(3)).build(),
+						redirectUriConsumer);
 		if (response.statusCode() != 200) {
 			throw new NotOkResponseException("Authorization returned status code " + response.statusCode());
 		}

From 3567c036c3842c2092d5e4c0b6421bb65cc315db Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 17 Oct 2023 17:25:38 +0200
Subject: [PATCH 69/81] remove unused imports

---
 .../java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java     | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java b/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java
index 4bbe44799..cfd48935f 100644
--- a/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java
@@ -20,11 +20,8 @@ import java.io.UncheckedIOException;
 import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
-import java.time.temporal.ChronoUnit;
-import java.time.temporal.TemporalUnit;
 import java.util.Optional;
 import java.util.concurrent.ExecutorService;
-import java.util.concurrent.TimeUnit;
 
 @Module
 public abstract class UpdateCheckerModule {

From 86f3cb7288f191aaf90210b91aba1d4811794ad6 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 18 Oct 2023 09:40:34 +0200
Subject: [PATCH 70/81] applied suggestions from code review

---
 .../keyloading/hub/ReceiveKeyController.java  | 22 ++++++++-----------
 .../ui/keyloading/hub/ReceivedKey.java        |  2 +-
 .../keyloading/hub/SetupDeviceController.java |  8 ++++---
 3 files changed, 15 insertions(+), 17 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index ac80f0302..1f42e008b 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -98,16 +98,12 @@ public class ReceiveKeyController implements FxController {
 	 */
 	private void receivedVaultMasterkey(HttpResponse<String> response) {
 		LOG.debug("GET {} -> Status Code {}", response.request().uri(), response.statusCode());
-		try {
-			switch (response.statusCode()) {
-				case 200 -> requestUserKey(response.body());
-				case 402 -> licenseExceeded();
-				case 403, 410 -> accessNotGranted(); // or vault has been archived, effectively disallowing access - TODO: add specific dialog?
-				case 404 -> requestLegacyAccessToken();
-				default -> throw new IOException("Unexpected response " + response.statusCode());
-			}
-		} catch (IOException e) {
-			throw new UncheckedIOException(e);
+		switch (response.statusCode()) {
+			case 200 -> requestUserKey(response.body());
+			case 402 -> licenseExceeded();
+			case 403, 410 -> accessNotGranted(); // or vault has been archived, effectively disallowing access - TODO: add specific dialog?
+			case 404 -> requestLegacyAccessToken();
+			default -> throw new IllegalStateException("Unexpected response " + response.statusCode());
 		}
 	}
 
@@ -115,7 +111,7 @@ public class ReceiveKeyController implements FxController {
 	 * STEP 2 (Request): GET user key for this device
 	 */
 	private void requestUserKey(String encryptedVaultKey) {
-		var deviceTokenUri = appendPath(URI.create(hubConfig.devicesResourceUrl), "/%s".formatted(deviceId));
+		var deviceTokenUri = appendPath(URI.create(hubConfig.devicesResourceUrl), "/" + deviceId);
 		var request = HttpRequest.newBuilder(deviceTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
@@ -139,7 +135,7 @@ public class ReceiveKeyController implements FxController {
 					receivedBothEncryptedKeys(encryptedVaultKey, device.userPrivateKey);
 				}
 				case 404 -> needsDeviceSetup(); // TODO: using the setup code, we can theoretically immediately unlock
-				default -> throw new IOException("Unexpected response " + response.statusCode());
+				default -> throw new IllegalStateException("Unexpected response " + response.statusCode());
 			}
 		} catch (IOException e) {
 			throw new UncheckedIOException(e);
@@ -166,7 +162,7 @@ public class ReceiveKeyController implements FxController {
 	 */
 	@Deprecated
 	private void requestLegacyAccessToken() {
-		var legacyAccessTokenUri = appendPath(vaultBaseUri, "/keys/%s".formatted(deviceId));
+		var legacyAccessTokenUri = appendPath(vaultBaseUri, "/keys/" + deviceId);
 		var request = HttpRequest.newBuilder(legacyAccessTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java
index f59f6ead2..74da388d7 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java
@@ -17,7 +17,7 @@ interface ReceivedKey {
 	Masterkey decryptMasterkey(ECPrivateKey deviceKey);
 
 	/**
-	 * Creates an unlock response object from the received legacy "access token" JWE.
+	 * Creates an unlock response object from the user key + vault key.
 	 *
 	 * @param vaultKeyJwe a JWE containing the symmetric vault key, encrypted for this device's user.
 	 * @param userKeyJwe a JWE containing the user's private key, encrypted for this device.
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
index 5340f6295..a00e8947d 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
@@ -85,11 +85,13 @@ public class SetupDeviceController implements FxController {
 
 	public void initialize() {
 		deviceNameField.setText(determineHostname());
-		deviceNameField.textProperty().addListener(observable -> deviceNameAlreadyExists.set(false));
+		deviceNameField.textProperty().addListener(_ -> deviceNameAlreadyExists.set(false));
 		deviceNameField.disableProperty().bind(workInProgress);
-		setupCodeField.textProperty().addListener(observable -> invalidSetupCode.set(false));
+		setupCodeField.textProperty().addListener(_ -> invalidSetupCode.set(false));
 		setupCodeField.disableProperty().bind(workInProgress);
-		registerBtn.disableProperty().bind(workInProgress.or(setupCodeField.textProperty().isEmpty()).or(deviceNameField.textProperty().isEmpty()));
+		var missingSetupCode = setupCodeField.textProperty().isEmpty();
+		var missingDeviceName = deviceNameField.textProperty().isEmpty();
+		registerBtn.disableProperty().bind(workInProgress.or(missingSetupCode).or(missingDeviceName));
 		registerBtn.contentDisplayProperty().bind(Bindings.when(workInProgress).then(ContentDisplay.LEFT).otherwise(ContentDisplay.TEXT_ONLY));
 	}
 

From 1f7ab03bbbb1287392974bcfcb5518fdeb4a9767 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 18 Oct 2023 11:01:26 +0200
Subject: [PATCH 71/81] undo JEP 443 changes due to bug in javac

leads to invalid class files when built via Maven due to specific combination of javac arguments
---
 .../cryptomator/ui/keyloading/hub/SetupDeviceController.java  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
index a00e8947d..1762e3b78 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
@@ -85,9 +85,9 @@ public class SetupDeviceController implements FxController {
 
 	public void initialize() {
 		deviceNameField.setText(determineHostname());
-		deviceNameField.textProperty().addListener(_ -> deviceNameAlreadyExists.set(false));
+		deviceNameField.textProperty().addListener(observable -> deviceNameAlreadyExists.set(false));
 		deviceNameField.disableProperty().bind(workInProgress);
-		setupCodeField.textProperty().addListener(_ -> invalidSetupCode.set(false));
+		setupCodeField.textProperty().addListener(observable -> invalidSetupCode.set(false));
 		setupCodeField.disableProperty().bind(workInProgress);
 		var missingSetupCode = setupCodeField.textProperty().isEmpty();
 		var missingDeviceName = deviceNameField.textProperty().isEmpty();

From 25e8e81686da6832aa3541a72b61cff652c768cf Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 18 Oct 2023 11:08:42 +0200
Subject: [PATCH 72/81] support `apiBaseUrl` in hub config

---
 .../ui/keyloading/hub/HubConfig.java            | 17 ++++++++++++++++-
 .../ui/keyloading/hub/ReceiveKeyController.java | 10 +++++-----
 .../keyloading/hub/SetupDeviceController.java   |  4 ++--
 3 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
index 5f462b170..ef1fe30df 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
@@ -1,6 +1,10 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import java.net.URI;
 
 // needs to be accessible by JSON decoder
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -9,8 +13,19 @@ public class HubConfig {
 	public String clientId;
 	public String authEndpoint;
 	public String tokenEndpoint;
-	public String devicesResourceUrl;
 	public String authSuccessUrl;
 	public String authErrorUrl;
+	public @Nullable String apiBaseUrl;
+	@Deprecated // use apiBaseUrl + "/devices/"
+	public String devicesResourceUrl;
 
+	public URI getApiBaseUrl() {
+		if (apiBaseUrl != null) {
+			return URI.create(apiBaseUrl);
+		} else {
+			// legacy approach
+			assert devicesResourceUrl != null;
+			return URI.create(devicesResourceUrl + "/..").normalize();
+		}
+	}
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 1f42e008b..88cd0bb45 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -111,7 +111,7 @@ public class ReceiveKeyController implements FxController {
 	 * STEP 2 (Request): GET user key for this device
 	 */
 	private void requestUserKey(String encryptedVaultKey) {
-		var deviceTokenUri = appendPath(URI.create(hubConfig.devicesResourceUrl), "/" + deviceId);
+		var deviceTokenUri = URI.create(hubConfig.getApiBaseUrl() + "/devices/" + deviceId);
 		var request = HttpRequest.newBuilder(deviceTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
@@ -241,10 +241,10 @@ public class ReceiveKeyController implements FxController {
 
 	private static URI getVaultBaseUri(Vault vault) {
 		try {
-			var kid = vault.getVaultConfigCache().get().getKeyId();
-			assert kid.getScheme().startsWith(SCHEME_PREFIX);
-			var hubUriScheme = kid.getScheme().substring(SCHEME_PREFIX.length());
-			return new URI(hubUriScheme, kid.getSchemeSpecificPart(), kid.getFragment());
+			var url = vault.getVaultConfigCache().get().getKeyId();
+			assert url.getScheme().startsWith(SCHEME_PREFIX);
+			var correctedScheme = url.getScheme().substring(SCHEME_PREFIX.length());
+			return new URI(correctedScheme, url.getSchemeSpecificPart(), url.getFragment());
 		} catch (IOException e) {
 			throw new UncheckedIOException(e);
 		} catch (URISyntaxException e) {
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
index 1762e3b78..537afaa28 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
@@ -108,8 +108,7 @@ public class SetupDeviceController implements FxController {
 	public void register() {
 		workInProgress.set(true);
 
-		var apiRootUrl = URI.create(hubConfig.devicesResourceUrl + "/..").normalize(); // TODO: add url to vault config file, only use this as a fallback for legacy vaults
-		var deviceUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
+		var apiRootUrl = hubConfig.getApiBaseUrl();
 		var deviceKey = deviceKeyPair.getPublic().getEncoded();
 
 		var userReq = HttpRequest.newBuilder(apiRootUrl.resolve("users/me")) //
@@ -137,6 +136,7 @@ public class SetupDeviceController implements FxController {
 					var now = Instant.now().toString();
 					var dto = new CreateDeviceDto(deviceId, deviceNameField.getText(), BaseEncoding.base64().encode(deviceKey), "DESKTOP", jwe.serialize(), now);
 					var json = toJson(dto);
+					var deviceUri = apiRootUrl.resolve("devices/" + deviceId);
 					var putDeviceReq = HttpRequest.newBuilder(deviceUri) //
 							.PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
 							.header("Authorization", "Bearer " + bearerToken) //

From 5dedd6b1c192a4e6d55addeebeef2e6f5e91713e Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 18 Oct 2023 11:30:22 +0200
Subject: [PATCH 73/81] renamed class again

---
 .../ui/keyloading/hub/HubKeyLoadingModule.java            | 4 ++--
 ...eviceController.java => RegisterDeviceController.java} | 8 +++-----
 src/main/resources/fxml/hub_setup_device.fxml             | 2 +-
 3 files changed, 6 insertions(+), 8 deletions(-)
 rename src/main/java/org/cryptomator/ui/keyloading/hub/{SetupDeviceController.java => RegisterDeviceController.java} (93%)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index d31641580..bdb3e092c 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -169,8 +169,8 @@ public abstract class HubKeyLoadingModule {
 
 	@Binds
 	@IntoMap
-	@FxControllerKey(SetupDeviceController.class)
-	abstract FxController bindSetupDeviceController(SetupDeviceController controller);
+	@FxControllerKey(RegisterDeviceController.class)
+	abstract FxController bindSetupDeviceController(RegisterDeviceController controller);
 
 	@Binds
 	@IntoMap
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
similarity index 93%
rename from src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
rename to src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 537afaa28..545455353 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/SetupDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -14,7 +14,6 @@ import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
-import org.jetbrains.annotations.Nullable;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -33,7 +32,6 @@ import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
 import java.io.IOException;
 import java.net.InetAddress;
-import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
@@ -47,9 +45,9 @@ import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoadingScoped
-public class SetupDeviceController implements FxController {
+public class RegisterDeviceController implements FxController {
 
-	private static final Logger LOG = LoggerFactory.getLogger(SetupDeviceController.class);
+	private static final Logger LOG = LoggerFactory.getLogger(RegisterDeviceController.class);
 	private static final ObjectMapper JSON = new ObjectMapper().setDefaultLeniency(true);
 
 	private final Stage window;
@@ -70,7 +68,7 @@ public class SetupDeviceController implements FxController {
 	public Button registerBtn;
 
 	@Inject
-	public SetupDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<ReceivedKey> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene) {
+	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<ReceivedKey> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene) {
 		this.window = window;
 		this.hubConfig = hubConfig;
 		this.deviceId = deviceId;
diff --git a/src/main/resources/fxml/hub_setup_device.fxml b/src/main/resources/fxml/hub_setup_device.fxml
index 708abbae8..e5807c230 100644
--- a/src/main/resources/fxml/hub_setup_device.fxml
+++ b/src/main/resources/fxml/hub_setup_device.fxml
@@ -15,7 +15,7 @@
 <?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
 <HBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
-	  fx:controller="org.cryptomator.ui.keyloading.hub.SetupDeviceController"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterDeviceController"
 	  minWidth="400"
 	  maxWidth="400"
 	  minHeight="145"

From 34c17be4747b17c88bfb2280b26edbc810a4e648 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 19 Oct 2023 10:00:03 +0200
Subject: [PATCH 74/81] add request timeouts

---
 .../cryptomator/ui/keyloading/hub/ReceiveKeyController.java  | 5 +++++
 .../ui/keyloading/hub/RegisterDeviceController.java          | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 88cd0bb45..66566a98a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -31,6 +31,7 @@ import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
+import java.time.Duration;
 import java.time.Instant;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
@@ -43,6 +44,7 @@ public class ReceiveKeyController implements FxController {
 	private static final Logger LOG = LoggerFactory.getLogger(ReceiveKeyController.class);
 	private static final String SCHEME_PREFIX = "hub+";
 	private static final ObjectMapper JSON = new ObjectMapper().setDefaultLeniency(true);
+	private static final Duration REQ_TIMEOUT = Duration.ofSeconds(10);
 
 	private final Stage window;
 	private final HubConfig hubConfig;
@@ -85,6 +87,7 @@ public class ReceiveKeyController implements FxController {
 		var request = HttpRequest.newBuilder(accessTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
+				.timeout(REQ_TIMEOUT) //
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
 				.thenAcceptAsync(this::receivedVaultMasterkey, Platform::runLater) //
@@ -115,6 +118,7 @@ public class ReceiveKeyController implements FxController {
 		var request = HttpRequest.newBuilder(deviceTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
+				.timeout(REQ_TIMEOUT) //
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8)) //
 				.thenAcceptAsync(response -> receivedUserKey(encryptedVaultKey, response), Platform::runLater) //
@@ -166,6 +170,7 @@ public class ReceiveKeyController implements FxController {
 		var request = HttpRequest.newBuilder(legacyAccessTokenUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
+				.timeout(REQ_TIMEOUT) //
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
 				.thenAcceptAsync(this::receivedLegacyAccessTokenResponse, Platform::runLater) //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 545455353..cd75be501 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -37,6 +37,7 @@ import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
+import java.time.Duration;
 import java.time.Instant;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
@@ -49,6 +50,7 @@ public class RegisterDeviceController implements FxController {
 
 	private static final Logger LOG = LoggerFactory.getLogger(RegisterDeviceController.class);
 	private static final ObjectMapper JSON = new ObjectMapper().setDefaultLeniency(true);
+	private static final Duration REQ_TIMEOUT = Duration.ofSeconds(10);
 
 	private final Stage window;
 	private final HubConfig hubConfig;
@@ -111,6 +113,7 @@ public class RegisterDeviceController implements FxController {
 
 		var userReq = HttpRequest.newBuilder(apiRootUrl.resolve("users/me")) //
 				.GET() //
+				.timeout(REQ_TIMEOUT) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.header("Content-Type", "application/json") //
 				.build();
@@ -137,6 +140,7 @@ public class RegisterDeviceController implements FxController {
 					var deviceUri = apiRootUrl.resolve("devices/" + deviceId);
 					var putDeviceReq = HttpRequest.newBuilder(deviceUri) //
 							.PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
+							.timeout(REQ_TIMEOUT) //
 							.header("Authorization", "Bearer " + bearerToken) //
 							.header("Content-Type", "application/json") //
 							.build();

From 468eed58d5c0ffb29aa32f71e49c01ea70907794 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 19 Oct 2023 10:00:14 +0200
Subject: [PATCH 75/81] cleanup

---
 .../cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java  | 6 +++---
 .../ui/keyloading/hub/RegisterDeviceController.java         | 3 +--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index bdb3e092c..c8d308e8e 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -115,7 +115,7 @@ public abstract class HubKeyLoadingModule {
 	@Provides
 	@FxmlScene(FxmlFile.HUB_LEGACY_REGISTER_DEVICE)
 	@KeyLoadingScoped
-	static Scene provideHubRegisterDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+	static Scene provideHubLegacyRegisterDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
 		return fxmlLoaders.createScene(FxmlFile.HUB_LEGACY_REGISTER_DEVICE);
 	}
 
@@ -136,7 +136,7 @@ public abstract class HubKeyLoadingModule {
 	@Provides
 	@FxmlScene(FxmlFile.HUB_SETUP_DEVICE)
 	@KeyLoadingScoped
-	static Scene provideHubSetupDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+	static Scene provideHubRegisterDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
 		return fxmlLoaders.createScene(FxmlFile.HUB_SETUP_DEVICE);
 	}
 
@@ -170,7 +170,7 @@ public abstract class HubKeyLoadingModule {
 	@Binds
 	@IntoMap
 	@FxControllerKey(RegisterDeviceController.class)
-	abstract FxController bindSetupDeviceController(RegisterDeviceController controller);
+	abstract FxController bindRegisterDeviceController(RegisterDeviceController controller);
 
 	@Binds
 	@IntoMap
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index cd75be501..837dc5032 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -109,7 +109,6 @@ public class RegisterDeviceController implements FxController {
 		workInProgress.set(true);
 
 		var apiRootUrl = hubConfig.getApiBaseUrl();
-		var deviceKey = deviceKeyPair.getPublic().getEncoded();
 
 		var userReq = HttpRequest.newBuilder(apiRootUrl.resolve("users/me")) //
 				.GET() //
@@ -135,7 +134,7 @@ public class RegisterDeviceController implements FxController {
 					}
 				}).thenCompose(jwe -> {
 					var now = Instant.now().toString();
-					var dto = new CreateDeviceDto(deviceId, deviceNameField.getText(), BaseEncoding.base64().encode(deviceKey), "DESKTOP", jwe.serialize(), now);
+					var dto = new CreateDeviceDto(deviceId, deviceNameField.getText(), BaseEncoding.base64().encode(deviceKeyPair.getPublic().getEncoded()), "DESKTOP", jwe.serialize(), now);
 					var json = toJson(dto);
 					var deviceUri = apiRootUrl.resolve("devices/" + deviceId);
 					var putDeviceReq = HttpRequest.newBuilder(deviceUri) //

From 5b85d7859a4a9ae37b6421f9c52b30d1dd904f4d Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 19 Oct 2023 11:28:54 +0200
Subject: [PATCH 76/81] bump webdav-nio-adapter version

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index d4444149c..578988401 100644
--- a/pom.xml
+++ b/pom.xml
@@ -40,7 +40,7 @@
 		<cryptomator.integrations.linux.version>1.4.0-beta2</cryptomator.integrations.linux.version>
 		<cryptomator.fuse.version>4.0.0-beta1</cryptomator.fuse.version>
 		<cryptomator.dokany.version>2.0.0</cryptomator.dokany.version>
-		<cryptomator.webdav.version>2.0.4</cryptomator.webdav.version>
+		<cryptomator.webdav.version>2.0.5</cryptomator.webdav.version>
 
 		<!-- 3rd party dependencies -->
 		<commons-lang3.version>3.13.0</commons-lang3.version>

From b0dfa229038b4664b751ac5f9ddbece30aca9beb Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 19 Oct 2023 12:49:19 +0200
Subject: [PATCH 77/81] removed unused class

---
 .../ui/keyloading/hub/HttpHelper.java         | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java
deleted file mode 100644
index 0077467cc..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java
+++ /dev/null
@@ -1,19 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import com.google.common.io.CharStreams;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.net.http.HttpResponse;
-import java.nio.charset.StandardCharsets;
-
-class HttpHelper {
-
-	public static String readBody(HttpResponse<InputStream> response) throws IOException {
-		try (var in = response.body(); var reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
-			return CharStreams.toString(reader);
-		}
-	}
-
-}

From 3b2d455b4a6ff3ef51c3e10ab67fb0adb77d4ed5 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 19 Oct 2023 17:31:52 +0200
Subject: [PATCH 78/81] Update dependencies

---
 pom.xml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pom.xml b/pom.xml
index 578988401..99cf4961f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -35,7 +35,7 @@
 		<!-- cryptomator dependencies -->
 		<cryptomator.cryptofs.version>2.6.7</cryptomator.cryptofs.version>
 		<cryptomator.integrations.version>1.3.0</cryptomator.integrations.version>
-		<cryptomator.integrations.win.version>1.2.3</cryptomator.integrations.win.version>
+		<cryptomator.integrations.win.version>1.2.4</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.2.2</cryptomator.integrations.mac.version>
 		<cryptomator.integrations.linux.version>1.4.0-beta2</cryptomator.integrations.linux.version>
 		<cryptomator.fuse.version>4.0.0-beta1</cryptomator.fuse.version>
@@ -44,13 +44,13 @@
 
 		<!-- 3rd party dependencies -->
 		<commons-lang3.version>3.13.0</commons-lang3.version>
-		<dagger.version>2.48</dagger.version>
+		<dagger.version>2.48.1</dagger.version>
 		<easybind.version>2.2</easybind.version>
-		<guava.version>32.1.2-jre</guava.version>
-		<jackson.version>2.15.2</jackson.version>
+		<guava.version>32.1.3-jre</guava.version>
+		<jackson.version>2.15.3</jackson.version>
 		<javafx.version>20.0.2</javafx.version>
 		<jwt.version>4.4.0</jwt.version>
-		<nimbus-jose.version>9.31</nimbus-jose.version>
+		<nimbus-jose.version>9.36</nimbus-jose.version>
 		<logback.version>1.4.11</logback.version>
 		<slf4j.version>2.0.9</slf4j.version>
 		<tinyoauth2.version>0.6.0</tinyoauth2.version>

From 174225c60ecb10f50f38421090a365b0907b7fdb Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 20 Oct 2023 12:03:07 +0200
Subject: [PATCH 79/81] add timeout to OAuth2 requests

---
 .idea/compiler.xml                                        | 8 ++++----
 pom.xml                                                   | 2 +-
 .../org/cryptomator/ui/keyloading/hub/AuthFlowTask.java   | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.idea/compiler.xml b/.idea/compiler.xml
index df360a26d..a3e38d3aa 100644
--- a/.idea/compiler.xml
+++ b/.idea/compiler.xml
@@ -14,10 +14,10 @@
         <option name="dagger.fastInit" value="enabled" />
         <option name="dagger.formatGeneratedSource" value="enabled" />
         <processorPath useClasspath="false">
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.48/dagger-compiler-2.48.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.48/dagger-2.48.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.48.1/dagger-compiler-2.48.1.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.48.1/dagger-2.48.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/javax/inject/javax.inject/1/javax.inject-1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-producers/2.48/dagger-producers-2.48.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-producers/2.48.1/dagger-producers-2.48.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/guava/31.0.1-jre/guava-31.0.1-jre.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar" />
@@ -26,7 +26,7 @@
           <entry name="$MAVEN_REPOSITORY$/com/google/errorprone/error_prone_annotations/2.7.1/error_prone_annotations-2.7.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/checkerframework/checker-compat-qual/2.5.5/checker-compat-qual-2.5.5.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.48/dagger-spi-2.48.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.48.1/dagger-spi-2.48.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/1.9.0-1.0.12/symbol-processing-api-1.9.0-1.0.12.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/1.9.0/kotlin-stdlib-1.9.0.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-common/1.9.0/kotlin-stdlib-common-1.9.0.jar" />
diff --git a/pom.xml b/pom.xml
index 99cf4961f..bab8b0afb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -53,7 +53,7 @@
 		<nimbus-jose.version>9.36</nimbus-jose.version>
 		<logback.version>1.4.11</logback.version>
 		<slf4j.version>2.0.9</slf4j.version>
-		<tinyoauth2.version>0.6.0</tinyoauth2.version>
+		<tinyoauth2.version>0.7.0</tinyoauth2.version>
 		<zxcvbn.version>1.8.2</zxcvbn.version>
 
 		<!-- test dependencies -->
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
index 4f9609aa7..b85e98cd4 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
@@ -36,11 +36,11 @@ class AuthFlowTask extends Task<String> {
 	protected String call() throws IOException, InterruptedException {
 		var response = TinyOAuth2.client(hubConfig.clientId) //
 				.withTokenEndpoint(URI.create(hubConfig.tokenEndpoint)) //
+				.withRequestTimeout(Duration.ofSeconds(10)) //
 				.authFlow(URI.create(hubConfig.authEndpoint)) //
 				.setSuccessResponse(Response.redirect(URI.create(hubConfig.authSuccessUrl + "&device=" + authFlowContext.deviceId()))) //
 				.setErrorResponse(Response.redirect(URI.create(hubConfig.authErrorUrl + "&device=" + authFlowContext.deviceId()))) //
-				.authorize(HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(3)).build(),
-						redirectUriConsumer);
+				.authorize(redirectUriConsumer);
 		if (response.statusCode() != 200) {
 			throw new NotOkResponseException("Authorization returned status code " + response.statusCode());
 		}

From 92ece4dfb6f656ffd3207f49c38f5de1b8665ae4 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 20 Oct 2023 12:06:10 +0200
Subject: [PATCH 80/81] increased request timeout to 10s

---
 src/main/java/org/cryptomator/ui/error/ErrorController.java     | 2 +-
 src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/error/ErrorController.java b/src/main/java/org/cryptomator/ui/error/ErrorController.java
index b66d0e779..45c940bcb 100644
--- a/src/main/java/org/cryptomator/ui/error/ErrorController.java
+++ b/src/main/java/org/cryptomator/ui/error/ErrorController.java
@@ -155,7 +155,7 @@ public class ErrorController implements FxController {
 		HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
 		HttpRequest httpRequest = HttpRequest.newBuilder()//
 				.header("User-Agent", userAgent)
-				.timeout(Duration.ofSeconds(5))
+				.timeout(Duration.ofSeconds(10))
 				.uri(URI.create(ERROR_CODES_URL_FORMAT.formatted(URLEncoder.encode(errorCode.toString(),StandardCharsets.UTF_8))))//
 				.build();
 		httpClient.sendAsync(httpRequest, HttpResponse.BodyHandlers.ofInputStream())//
diff --git a/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java b/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java
index cfd48935f..b5f06d7e5 100644
--- a/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java
@@ -63,7 +63,7 @@ public abstract class UpdateCheckerModule {
 		return HttpRequest.newBuilder() //
 				.uri(LATEST_VERSION_URI) //
 				.header("User-Agent", userAgent) //
-				.timeout(java.time.Duration.ofSeconds(3))
+				.timeout(java.time.Duration.ofSeconds(10))
 				.build();
 	}
 

From ed975b459ed0de7d755e703f8c6ab89e1f17eaa5 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 20 Oct 2023 14:00:08 +0200
Subject: [PATCH 81/81] bump dependencies

---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index bab8b0afb..1c67c597b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -38,7 +38,7 @@
 		<cryptomator.integrations.win.version>1.2.4</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.2.2</cryptomator.integrations.mac.version>
 		<cryptomator.integrations.linux.version>1.4.0-beta2</cryptomator.integrations.linux.version>
-		<cryptomator.fuse.version>4.0.0-beta1</cryptomator.fuse.version>
+		<cryptomator.fuse.version>4.0.0-beta4</cryptomator.fuse.version>
 		<cryptomator.dokany.version>2.0.0</cryptomator.dokany.version>
 		<cryptomator.webdav.version>2.0.5</cryptomator.webdav.version>
 
@@ -50,7 +50,7 @@
 		<jackson.version>2.15.3</jackson.version>
 		<javafx.version>20.0.2</javafx.version>
 		<jwt.version>4.4.0</jwt.version>
-		<nimbus-jose.version>9.36</nimbus-jose.version>
+		<nimbus-jose.version>9.37</nimbus-jose.version>
 		<logback.version>1.4.11</logback.version>
 		<slf4j.version>2.0.9</slf4j.version>
 		<tinyoauth2.version>0.7.0</tinyoauth2.version>