Details

Reviewers

tomek
kamil
michal

Commits

rCOMM676b627236a3: Suffix web olm notifs session with cookieID to avoid race condition during…

Summary

This differential implements solution for a bug described in https://linear.app/comm/issue/ENG-5911/olmbad-message-mac-on-web. The solution works as follows:

Web client creates olm session and corresponding encryption key and persists it under key that is suffixed with its cookieID.
When notifications arrives all keys in IndexedDB are retrieved and filtered against those that keep olm sessions and their encryption keys.
Keys are sorted lexicographically and last ones are used to actually perform decryption. This means that for decryption we will use olm session that was created by lexicographically largest cookie ID. We have strong reasons to believe that keyserver uses olm session associated with the largest cookie ID for encryption.
Other sessions are deleted

It is important to review this code closely since it implements quite complex solution for rather infrequent bug.

Test Plan

Open three pages with logged-out modal. Paste credentials for the same user in each and start log in process in each card. Initially this was the way to reproduce the issue.
Open developer tools in one page and see that there are multiple sessions and encryption keys and each of them is suffixed with cookie id that exists in your MariaDB instance.
Send notification. Ensure that:
- it is correctly decrypted
- once it is received there is just one olm session in IndexedDB and it is the one that initially had largest cookie ID

Diff Detail

Repository

rCOMM Comm

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

marcin created this revision.Dec 8 2023, 4:19 AM

Herald added a subscriber: ashoat. · View Herald TranscriptDec 8 2023, 4:19 AM

marcin edited the summary of this revision. (Show Details)Dec 8 2023, 4:31 AM

marcin edited the test plan for this revision. (Show Details)

marcin added inline comments.Dec 8 2023, 4:40 AM

web/push-notif/notif-crypto-utils.js
310 ↗	(On Diff #34411)	This scenario can occur when notification is received but there is olm session creation process in progress - for example encryption key was created and persisted but olm session hasn't been persisted yet. I spent some time thinking what should we do in such case. Intuitively we could use encryption key and olm session associated with lower cookieID (the highest cookie ID for which we have both encryption key and olm session). but in fact we can't assume that the keyserver used this session to encrypt notification. I actually think that if there is olm session creation process in progress then the keyserver has already associated `device_token` with cookie ID that we are creating session for. In such case the keyserver will probably see that there is no olm session for this cookie ID and notificaion won't be encrypted.
350 ↗	(On Diff #34411)	We need to cover the case of users that won't log-out and log-in after this code is landed and release. They will have session and encryption key without cookie ID suffix. We could return `undefined` or empty string from this function but intuitively I thought that returning some string (such as `no cookie`) should be safest.

Harbormaster completed remote builds in B24882: Diff 34411.Dec 8 2023, 4:56 AM

marcin requested review of this revision.Dec 8 2023, 4:56 AM

I talked to @inka and was advices to refactor this code so that session creator function takes keyserver id as an argument and ashoatKeyserverID is hardcoded in web/socket.react.js

Address inka's advice

Rebase

Harbormaster completed remote builds in B24903: Diff 34437.Dec 8 2023, 9:09 AM

Harbormaster completed remote builds in B24904: Diff 34438.Dec 8 2023, 9:19 AM

Keys are sorted lexicographically

Are you sure about that? Aren't the cookie ids numerically increasing?

web/push-notif/notif-crypto-utils.js
284–285 ↗	(On Diff #34438)	Nit: I would have preferred for them to have the same naming convention (either either `DBLabel` or `DBKey`)
296 ↗	(On Diff #34438)	It's not good practice in JS to throw non-Error values. In particular the `try catch` in `decryptWebNotification` depends on the error value to have `.message`.
348 ↗	(On Diff #34438)	This won't give us any more type safety, but is a bit more explicit.

This revision now requires changes to proceed.Dec 11 2023, 3:13 AM

In D10245#297865, @michal wrote:

Keys are sorted lexicographically

Are you sure about that? Aren't the cookie ids numerically increasing?

In this code we use cookieID strings which are stringified numbers. We sort stringified numbers lexicographically which has the same effect as sorting original numbers.

Throw Error instance instead of raw string.
Rename encryptionKeyDBLabel -> encryptionKeyDBKey
Enhance typing of getCookieIDFromOlmDBKey

@michal point is valid - if cookieIDs differ in length lexicographic sort can fail to match numerical sort. We need to address this issue by temporarily converting cookieIDs to numbers.

Temporarily convert cookieIDs to numbers during sorting stage.

Harbormaster completed remote builds in B25072: Diff 34637.Dec 14 2023, 7:02 AM

Harbormaster completed remote builds in B25074: Diff 34639.Dec 14 2023, 7:22 AM

michal accepted this revision.Dec 14 2023, 7:55 AM

michal added inline comments.

web/push-notif/notif-crypto-utils.js
358–367 ↗	(On Diff #34639)	We probably don't need to keep the original string cookie here and just convert the resulting number to string again, but that's fine.

This revision is now accepted and ready to land.Dec 14 2023, 7:55 AM

marcin added inline comments.Dec 15 2023, 2:47 AM

web/push-notif/notif-crypto-utils.js
358–367 ↗	(On Diff #34639)	Why do we need to convert `cookieID` to string back? This function doesn't return any numbers. It returns string keys suffixed by `cookieID` in the same form as they entered this function. The only difference is that they are sorted according to numerical order of `cookieIDs` they are suffixed with.

Address inka's advice

Thank you!

Rebase before landing

Harbormaster completed remote builds in B25160: Diff 34771.Dec 18 2023, 1:47 AM

Closed by commit rCOMM676b627236a3: Suffix web olm notifs session with cookieID to avoid race condition during… (authored by marcin). · Explain WhyDec 18 2023, 1:50 AM

This revision was automatically updated to reflect the committed changes.

marcin added a commit: rCOMM676b627236a3: Suffix web olm notifs session with cookieID to avoid race condition during….

tomek mentioned this in D10831: [lib] Run the keyserver auth only when it isn't running and a user isn't already authenticated.Jan 30 2024, 5:18 AM

Suffix web olm notifs session with cookieID to avoid race condition during multiple simultaneous log-in processes.
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 34772

lib/types/crypto-types.js

lib/utils/cookie-utils.js

web/account/account-hooks.js

web/push-notif/notif-crypto-utils.js

web/socket.react.js

Suffix web olm notifs session with cookieID to avoid race condition during multiple simultaneous log-in processes.ClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 34772

lib/types/crypto-types.js

lib/utils/cookie-utils.js

web/account/account-hooks.js

web/push-notif/notif-crypto-utils.js

web/socket.react.js

Suffix web olm notifs session with cookieID to avoid race condition during multiple simultaneous log-in processes.
ClosedPublic
Actions

Revision Contents
Changeset List