Details
- Reviewers
kamil
Tested locally:
- Set the TTL to a short value (1 minute)
- Sent a few messages to a device that wasn't currently connected (to keep them stored in DDB)
- Called the DeleteDeviceData RPC
- Used awslocal dynamodb scan to see that the TTL attribute was added
- Waited a minute, then ran 4. again. Messages were gone
Diff Detail
- Repository
- rCOMM Comm
- Lint
No Lint Coverage - Unit
No Test Coverage
Event Timeline
services/tunnelbroker/src/constants.rs | ||
---|---|---|
22–24 | What should the value of this TTL be? This is for how long we store undelivered messages after device logout and account deletion. | |
services/tunnelbroker/src/database/mod.rs | ||
157–163 | Not sure if I should do TransactUpdate instead (which is more involved).
|
services/tunnelbroker/src/constants.rs | ||
---|---|---|
22–24 | I think it could stay longer, e.g. one week but not sure what is the best number here | |
services/tunnelbroker/src/database/mod.rs | ||
157–163 | I think there is a really low chance for the message to be received again, even if most of our communication is encrypted, that being said this message will fail to decrypt and the client will ignore this anyway. I think this is fine and an additional mechanism is not worth it. |
services/tunnelbroker/src/constants.rs | ||
---|---|---|
22–24 | Can you explain the implications of this decision? We should make sure that if a primary device logs out, the secondary device always "receives the message" in the sense that it knows it is logged out It would be very broken if a user logs out of their primary device, and then opens their secondary a week later and it appears as if it's still logged in Perhaps the risk will be mitigated because the device will attempt to connect with identity using its CSAT and find out that it's invalidated? Not sure if this check happens on every app open or not |
services/tunnelbroker/src/constants.rs | ||
---|---|---|
22–24 | Is there a risk that a primary will miss a message about a secondary logging out, and then not update the device list? |
services/tunnelbroker/src/constants.rs | ||
---|---|---|
22–24 | In fact, the time required for the message to be delivered to the device being removed is a few seconds max, assuming the removed device is connected to Tunnelbroker. So to address my concern from this comment, the TTL could be e.g. 1 minute as well. If the device is not connected to Tunnelbroker and it's been logged out on Identity, it actually won't have a chance to connect to Tunnelbroker because of revoked CSAT. So it won't receive any further messages.
Yes, this is the mechanism that will log out the devices if they don't receive the message. It should work already (IIRC we have some handlers that log out on missing CSAT).
No, this scenario is safe here. Both primary and secondary are still logged in when the message is sent; moreover, the recipient (primary) won't be logged out so its messages won't be deleted. It'll receive the message as soon as it becomes online. |
Something we should add to the test plan:
- User logs out of primary
- We wait some time, enough for Tunnelbroker to delete the messages
- We open a secondary device. The secondary device should be logged out
My impression is that this won't work without first addressing ENG-8401, in which case that might need to be considered in-scope here.