Page MenuHomePhabricator

[lib] add olm auth action
ClosedPublic

Authored by varun on Dec 29 2023, 8:40 AM.
Tags
None
Referenced Files
F3551303: D10490.id.diff
Thu, Dec 26, 7:17 PM
F3550944: D10490.id35442.diff
Thu, Dec 26, 7:05 PM
F3550943: D10490.id35400.diff
Thu, Dec 26, 7:05 PM
F3550942: D10490.id35328.diff
Thu, Dec 26, 7:05 PM
F3550940: D10490.id35312.diff
Thu, Dec 26, 7:05 PM
F3550939: D10490.id35308.diff
Thu, Dec 26, 7:05 PM
F3550938: D10490.id35099.diff
Thu, Dec 26, 7:05 PM
Unknown Object (File)
Thu, Dec 26, 9:02 AM
Subscribers

Details

Summary

this diff introduces a new olmAuth action which is responsible for calling the olm auth responder (next diff).

Test Plan

tested later in stack by dispatching the action and successfully calling the olm auth responder

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

lib/types/account-types.js
175–196 ↗(On Diff #35099)

i think it's better to introduce brand new types since we can enforce stricter checks for some of the fields here

varun published this revision for review.Dec 29 2023, 8:50 AM
varun added inline comments.
lib/actions/user-actions.js
301 ↗(On Diff #35099)

i took a lot of the multikeyserver logic here from the logIn higher order function. we'll eventually remove that function completely so not deduping

ashoat requested changes to this revision.Dec 29 2023, 11:00 AM
ashoat added inline comments.
lib/actions/user-actions.js
301 ↗(On Diff #35099)

It will be a while before we can deprecate those functions (ENG-6317). That said, I'm not sure how much we can dedup here. Curious for @inka's perspective

309 ↗(On Diff #35099)

For login, we have source: logInActionSource here. The purpose of that is to let us distinguish the callsites triggering the login.

I think we'll need the same for olm_auth, since an Olm auth can be triggered from a session invalidation, a connectionIssue, etc.

Curious for @inka's perspective on whether we should reuse LogInActionSource, or introduce a new one.

lib/types/account-types.js
166 ↗(On Diff #35099)

We shouldn't need the client to pass a username here. See comments here and here

167 ↗(On Diff #35099)

Why do we need walletAddress? In the existing code, userID is set to the walletAddress for ETH users. Is this an attempt to future-proof, for a future use case where users can have both a username and a walletAddress?

171–172 ↗(On Diff #35099)

Why are the properties here not read-only?

175–196 ↗(On Diff #35099)

While reviewing this, I thought about trying to factor out the shared parts of some of the existing login types, but it's probably more complicated than it's worth

185–195 ↗(On Diff #35099)

Rather that specify the encrypted messages individually, I think you should do this

The extra $ReadOnly is necessary because "spreading" types drops read-only in Flow for some reason

This revision now requires changes to proceed.Dec 29 2023, 11:00 AM
inka requested changes to this revision.Jan 2 2024, 2:52 AM
inka added inline comments.
lib/actions/user-actions.js
279 ↗(On Diff #35099)

I am already creating this type in D10424. I also wrote a comment there about the name, can you answer either here or there?

301 ↗(On Diff #35099)

I don't think we should be deduping this code. The code in old login action shouldn't be changing anymore, whereas this code will be changed according to needs.

309 ↗(On Diff #35099)

I think it's fine to use LogInActionSource, if it still makes sense to distinguish between From and SIWE logins

376 ↗(On Diff #35099)

In this action we shouldn't be returning currentUserInfo. It should come from the identity service.

lib/actions/user-actions.js
376 ↗(On Diff #35099)
lib/actions/user-actions.js
376 ↗(On Diff #35099)

We discussed this in D10424, and for now we will be returning the currentUserInfo, because avatars and settings are not yet ready to be handled by services.

We will just need to remember when updating the endpoint that some clients expect this data

lib/actions/user-actions.js
376 ↗(On Diff #35099)

But we should make all fields that use responses[ashoatKeyserverID] as optional, since the action may not call Ashoat's keyserver at all

varun added inline comments.
lib/actions/user-actions.js
301 ↗(On Diff #35099)

not going to dedup for now

309 ↗(On Diff #35099)

i could be wrong, but it doesn't appear that we actually use source anywhere on the keyserver...

i think @atul omitted source from SIWEAuthRequest for this reason.

376 ↗(On Diff #35099)

introducing KeyserverAuthResult type where currentUserInfo is optional. will use this type instead of LogInResult.

lib/types/account-types.js
167 ↗(On Diff #35099)

yeah that's right, i was trying to future-proof this type. we can't trust the user to provide their walletAddress for the same reason that we can't trust them to provide their username, though, so we'll have to get this data directly from the identity service.

171–172 ↗(On Diff #35099)

they should be, thanks

Please address inline comments before landing

lib/actions/user-actions.js
294

I actually would like us to pass the logInActionSource up to the keyserver. I know it's not used, but when I initially introduced it, my thinking was it could potentially aid in live debugging, or allow us to treat certain kinds of logins differently in the future

297

I think it would be good to pull out deviceTokenUpdateRequest here too, so that it's not part of restLogInInfo

restLogInInfo is only used in one place below, where deviceTokenUpdateRequest ends up getting overriden... so technically, there's no difference. But I think it improves readability to remove it from restLogInInfo... that way, the reader doesn't have to consider what happens to it later when restLogInInfo is used

lib/types/account-types.js
166

Technically this should be, since it's always specified, but can be undefined/null

What you said is that it's sometimes specified, but when it's specified it's never undefined/null

172

Same here

michal added inline comments.
lib/types/account-types.js
166

Wouldn't it be better if we used ?: so we could stop sending it completely in the future (and not the null dummy value)?

Can you explain why we don't need signedIdentityKeysBlob anymore?

lib/types/account-types.js
99–100

You left the olm names here, we probably want to update them too?

lib/types/account-types.js
166

Yes, I guess we could have both

+currentUserInfo?: ?LoggedInUserInfo,
In D10490#305637, @inka wrote:

Can you explain why we don't need signedIdentityKeysBlob anymore?

the keyserver will pull the keys from the identity service now

lib/types/account-types.js
99–100

good point. will change these to keyserverAuthFromNative: KEYSERVER_AUTH_FROM_NATIVE and keyserverAuthFromWeb: KEYSERVER_AUTH_FROM_WEB

varun marked 7 inline comments as done.

address feedback

This revision is now accepted and ready to land.Jan 9 2024, 1:28 AM
This revision was landed with ongoing or failed builds.Jan 9 2024, 9:31 PM
This revision was automatically updated to reflect the committed changes.