From 02a4052687c24ed20498fd8fe99a2dd376c9078a Mon Sep 17 00:00:00 2001
From: Chris Duncan <chris@codecow.com>
Date: Tue, 28 Apr 2026 21:05:21 -0700
Subject: [PATCH] Add initial user activation check.

---
 src/lib/wallet/sign.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/lib/wallet/sign.ts b/src/lib/wallet/sign.ts
index 30a6f5f..8d9e1df 100644
--- a/src/lib/wallet/sign.ts
+++ b/src/lib/wallet/sign.ts
@@ -86,6 +86,12 @@ export async function _signBlock (wallet: Wallet, vault: Vault, index: unknown,
 
 async function confirm (id: string, address: string, message: Block | string[]): Promise<string | null> {
 	BROWSER: return new Promise((resolve, reject) => {
+		if (!navigator.userActivation?.isActive) {
+			throw new DOMException(
+				'Signing request was blocked due to lack of user activation',
+				'NotAllowedError'
+			)
+		}
 		const elementId = crypto.randomUUID()
 		const cssContainer = 'background-color:white !important;display:block !important;margin-top:auto !important;margin-right:auto !important;margin-bottom:auto !important;margin-left:auto !important;min-height:100px !important;min-width:100px !important;position:initial !important;opacity:1 !important;padding-top:0 !important;padding-right:0 !important;padding-bottom:0 !important;padding-left:0 !important;visibility:visible !important;'
 		const cssHeading = 'color:black !important;display:block !important;font-family:sans-serif !important;font-size=1rem !important;font-weight:bold !important;margin-top:1rem !important;margin-right:1rem !important;margin-bottom:1rem !important;margin-left:1rem !important;min-height:10px !important;min-width:10px !important;opacity:1 !important;padding-top:0 !important;padding-right:0 !important;padding-bottom:0 !important;padding-left:0 !important;position:initial !important;text-align:center !important;visibility:visible !important;'
@@ -122,7 +128,7 @@ async function confirm (id: string, address: string, message: Block | string[]):
 				resolve(dialog.returnValue === 'yes' ? id : null)
 			} else {
 				reject(new DOMException(
-					'Signing request was blocked due to lack of user activation.',
+					'Signing request was blocked due to untrusted event',
 					'NotAllowedError'
 				))
 			}
-- 
2.47.3