Page MenuHomePhabricator

[identity] add optional force param to password login RPC
ClosedPublic

Authored by varun on Mar 7 2024, 11:57 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 16, 1:42 PM
Unknown Object (File)
Mon, Dec 16, 1:42 PM
Unknown Object (File)
Mon, Dec 16, 1:42 PM
Unknown Object (File)
Mon, Dec 16, 1:41 PM
Unknown Object (File)
Mon, Dec 16, 1:41 PM
Unknown Object (File)
Fri, Nov 22, 5:22 PM
Unknown Object (File)
Nov 13 2024, 4:35 AM
Unknown Object (File)
Nov 13 2024, 4:35 AM
Subscribers

Details

Summary

context here

tl;dr we neeed an optional force param so that we can determine when a user is intentionally replacing their existing keyserver with a new one

Test Plan

logged in to local identity from local keyserver. then tried logging in from docker keyserver with the same credentials -- this failed. then tried logging in again from the docker keyserver with the same credentials AND force set to true -- this succeeded. The old keyserver device id was removed from DDB and the new one was added

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Harbormaster returned this revision to the author for changes because remote builds failed.Mar 8 2024, 12:03 AM
Harbormaster failed remote builds in B27395: Diff 37939!

fix CI and add integration test

services/commtest/tests/identity_device_list_tests.rs
219 ↗(On Diff #37943)

should we avoid generating this extra update? it occurs because we remove keyserver 1 and add keyserver 2 in separate transactions in log_in_password_user_finish

services/identity/src/client_service.rs
360–378 ↗(On Diff #37943)

related to the question above -- can/should these be a single transaction?

varun requested review of this revision.Mar 8 2024, 1:19 AM
services/commtest/tests/identity_device_list_tests.rs
219 ↗(On Diff #37943)

Good question - it depends on how we understand Whitepaper section 5.2.3:

  • At most one device was added and at most one device was removed via this update

If we can do one addition OR one deletion, there it should be two transactions. But if the above means that a device can be replaced, then I think it should be done in a single transaction.


However, if this RPC is going to be deprecated, and replaced by a primary-device-managed device list, then we don't have to care much about this now. Identity service is managing the device list only temporarily

services/identity/src/client_service.rs
360–378 ↗(On Diff #37943)

Not in this way.
If you want to do it in a single transaction, you need to create a separate function next to add_user_device() and remove_device() that directly calls transact_update_devicelist() and does the replacement there

varun added inline comments.
services/commtest/tests/identity_device_list_tests.rs
219 ↗(On Diff #37943)

However, if this RPC is going to be deprecated, and replaced by a primary-device-managed device list, then we don't have to care much about this now. Identity service is managing the device list only temporarily

i think this is correct. probably not worth spending time making keyserver replacement a single device list update, then. what do you think, @ashoat ?

ashoat added inline comments.
services/commtest/tests/identity_device_list_tests.rs
219 ↗(On Diff #37943)

In the eventual system, it's actually important that this is one transaction. It can't be validated as two transactions, since in the first transaction the old primary would be removed, and there should be a new primary signing the device list, but the new primary isn't there yet.

In the current system, we don't have signing so it doesn't seem that important.

varun removed a reviewer: ashoat. varun added 1 blocking reviewer(s): bartek.Mar 11 2024, 12:18 PM
bartek added inline comments.
services/commtest/src/identity/device.rs
122 ↗(On Diff #37943)

It's pointless to create an option each time we call this

155 ↗(On Diff #37943)
services/commtest/tests/identity_device_list_tests.rs
219 ↗(On Diff #37943)

As identity-managed device list updates aren't going to be signed, I think we can leave two transactions now

services/identity/src/client_service.rs
307 ↗(On Diff #37943)

Instead of passing reference to option, can we simply unwrap_or(false)?

This revision is now accepted and ready to land.Mar 12 2024, 2:17 AM
varun added inline comments.
services/commtest/src/identity/device.rs
122 ↗(On Diff #37943)

i actually prefer Option<bool> here because this only applies to keyservers, so it makes more sense to me to provide None when calling this function to log in, say, an iOS device. i don't feel too strongly, though, so i've made the change you requested

services/identity/src/client_service.rs
360–378 ↗(On Diff #37943)

going to leave it as two transactions

This revision was automatically updated to reflect the committed changes.
varun marked 2 inline comments as done.