Details

Reviewers

ashoat
inka
tomek

Commits

rCOMM46995ffde81d: [lib] add olm auth action

Summary

this diff introduces a new olmAuth action which is responsible for calling the olm auth responder (next diff).

Test Plan

tested later in stack by dispatching the action and successfully calling the olm auth responder

Diff Detail

Repository

rCOMM Comm

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

varun created this revision.Dec 29 2023, 8:40 AM

varun added a child revision: D10491: [keyserver] separate olm session creation and persistence.

varun added inline comments.Dec 29 2023, 8:49 AM

lib/types/account-types.js
175–196 ↗	(On Diff #35099)	i think it's better to introduce brand new types since we can enforce stricter checks for some of the fields here

varun published this revision for review.Dec 29 2023, 8:50 AM

varun added inline comments.

lib/actions/user-actions.js
301 ↗	(On Diff #35099)	i took a lot of the multikeyserver logic here from the logIn higher order function. we'll eventually remove that function completely so not deduping

Harbormaster completed remote builds in B25401: Diff 35099.Dec 29 2023, 8:59 AM

ashoat requested changes to this revision.Dec 29 2023, 11:00 AM

ashoat added inline comments.

lib/actions/user-actions.js
301 ↗	(On Diff #35099)	It will be a while before we can deprecate those functions (ENG-6317). That said, I'm not sure how much we can dedup here. Curious for @inka's perspective
309 ↗	(On Diff #35099)	For login, we have `source: logInActionSource` here. The purpose of that is to let us distinguish the callsites triggering the login. I think we'll need the same for `olm_auth`, since an Olm auth can be triggered from a session invalidation, a `connectionIssue`, etc. Curious for @inka's perspective on whether we should reuse `LogInActionSource`, or introduce a new one.
lib/types/account-types.js
166 ↗	(On Diff #35099)	We shouldn't need the client to pass a `username` here. See comments here and here
167 ↗	(On Diff #35099)	Why do we need `walletAddress`? In the existing code, `userID` is set to the `walletAddress` for ETH users. Is this an attempt to future-proof, for a future use case where users can have both a `username` and a `walletAddress`?
171–172 ↗	(On Diff #35099)	Why are the properties here not read-only?
175–196 ↗	(On Diff #35099)	While reviewing this, I thought about trying to factor out the shared parts of some of the existing login types, but it's probably more complicated than it's worth
185–195 ↗	(On Diff #35099)	Rather that specify the encrypted messages individually, I think you should do this The extra `$ReadOnly` is necessary because "spreading" types drops read-only in Flow for some reason

This revision now requires changes to proceed.Dec 29 2023, 11:00 AM

inka requested changes to this revision.Jan 2 2024, 2:52 AM

inka added inline comments.

lib/actions/user-actions.js
279 ↗	(On Diff #35099)	I am already creating this type in D10424. I also wrote a comment there about the name, can you answer either here or there?
301 ↗	(On Diff #35099)	I don't think we should be deduping this code. The code in old `login` action shouldn't be changing anymore, whereas this code will be changed according to needs.
309 ↗	(On Diff #35099)	I think it's fine to use `LogInActionSource`, if it still makes sense to distinguish between From and SIWE logins
376 ↗	(On Diff #35099)	In this action we shouldn't be returning `currentUserInfo`. It should come from the identity service.

inka mentioned this in D10424: [lib] Add new olm auth action types and temporary identity login action types.Jan 2 2024, 2:55 AM

inka added inline comments.Jan 3 2024, 4:26 AM

lib/actions/user-actions.js
376 ↗	(On Diff #35099)	Related discussion

inka added inline comments.Jan 5 2024, 3:41 AM

lib/actions/user-actions.js
376 ↗	(On Diff #35099)	We discussed this in D10424, and for now we will be returning the `currentUserInfo`, because avatars and settings are not yet ready to be handled by services. We will just need to remember when updating the endpoint that some clients expect this data

inka mentioned this in D10552: [lib] Reduce notAcknowledgedPolicies on keyserver login.Jan 5 2024, 3:45 AM

inka added inline comments.Jan 5 2024, 4:45 AM

lib/actions/user-actions.js
376 ↗	(On Diff #35099)	But we should make all fields that use `responses[ashoatKeyserverID]` as optional, since the action may not call Ashoat's keyserver at all

address feedback

varun added a subscriber: atul.Jan 5 2024, 12:54 PM

varun added inline comments.

lib/actions/user-actions.js
301 ↗	(On Diff #35099)	not going to dedup for now
309 ↗	(On Diff #35099)	i could be wrong, but it doesn't appear that we actually use `source` anywhere on the keyserver... i think @atul omitted `source` from `SIWEAuthRequest` for this reason.
376 ↗	(On Diff #35099)	introducing `KeyserverAuthResult` type where `currentUserInfo` is optional. will use this type instead of `LogInResult`.
lib/types/account-types.js
167 ↗	(On Diff #35099)	yeah that's right, i was trying to future-proof this type. we can't trust the user to provide their `walletAddress` for the same reason that we can't trust them to provide their `username`, though, so we'll have to get this data directly from the identity service.
171–172 ↗	(On Diff #35099)	they should be, thanks

Harbormaster failed remote builds in B25553: Diff 35308!Jan 5 2024, 1:08 PM

resolve lint issue

Harbormaster failed remote builds in B25557: Diff 35312!Jan 5 2024, 1:36 PM

resolve prettier issue

varun mentioned this in D10560: [identity] return user identifier in InboundKeysForUserResponse.Jan 5 2024, 10:33 PM

Harbormaster completed remote builds in B25562: Diff 35328.Jan 5 2024, 10:54 PM

Please address inline comments before landing

lib/actions/user-actions.js
294 ↗	(On Diff #35328)	I actually would like us to pass the `logInActionSource` up to the keyserver. I know it's not used, but when I initially introduced it, my thinking was it could potentially aid in live debugging, or allow us to treat certain kinds of logins differently in the future
297 ↗	(On Diff #35328)	I think it would be good to pull out `deviceTokenUpdateRequest` here too, so that it's not part of `restLogInInfo` `restLogInInfo` is only used in one place below, where `deviceTokenUpdateRequest` ends up getting overriden... so technically, there's no difference. But I think it improves readability to remove it from `restLogInInfo`... that way, the reader doesn't have to consider what happens to it later when `restLogInInfo` is used

ashoat added inline comments.Jan 6 2024, 1:09 PM

lib/types/account-types.js
166 ↗	(On Diff #35328)	Technically this should be, since it's always specified, but can be undefined/null What you said is that it's sometimes specified, but when it's specified it's never undefined/null
172 ↗	(On Diff #35328)	Same here

michal added a subscriber: michal.Jan 8 2024, 3:35 AM

michal added inline comments.

lib/types/account-types.js
166 ↗	(On Diff #35328)	Wouldn't it be better if we used `?:` so we could stop sending it completely in the future (and not the `null` dummy value)?

Can you explain why we don't need signedIdentityKeysBlob anymore?

lib/types/account-types.js
99–100 ↗	(On Diff #35328)	You left the olm names here, we probably want to update them too?

ashoat added inline comments.Jan 8 2024, 4:36 AM

lib/types/account-types.js
166 ↗	(On Diff #35328)	Yes, I guess we could have both +currentUserInfo?: ?LoggedInUserInfo,

In D10490#305637, @inka wrote:

Can you explain why we don't need signedIdentityKeysBlob anymore?

the keyserver will pull the keys from the identity service now

lib/types/account-types.js
99–100 ↗	(On Diff #35328)	good point. will change these to `keyserverAuthFromNative: KEYSERVER_AUTH_FROM_NATIVE` and `keyserverAuthFromWeb: KEYSERVER_AUTH_FROM_WEB`