Details

Reviewers

tomek
atul
• jon

Commits

rCOMMe146727f3343: Introduce and implement 'clearSensitiveData' method in CommCoreModule

Summary

This differential introduces and implements method in CommCoreModule that clears Secure Store and SQLite.

Test Plan

Once this differential is applied 'clearSensitiveData' should be callable anywhere in JS and calling it in a random place should crash the app, with an error indicating that SQLite access is corrupted.

Diff Detail

Repository

rCOMM Comm

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

marcin created this revision.Aug 3 2022, 5:50 AM

Herald added subscribers: • abosh, • adrian, ashoat. · View Herald TranscriptAug 3 2022, 5:50 AM

Rebase to upodate diff description with link

Harbormaster completed remote builds in B11079: Diff 15258.Aug 3 2022, 6:02 AM

marcin added a parent revision: D4728: Introduce and implement 'clearSensitiveData' method in DetabaseQueryExecutor and SQLiteQueryExecutor.Aug 3 2022, 6:03 AM

marcin added a child revision: D4730: Implement react component that clears database anbd secure store when user logs out or deletes account.

marcin added 2 blocking reviewer(s): atul, tomek.Aug 3 2022, 6:05 AM

Harbormaster completed remote builds in B11082: Diff 15261.Aug 3 2022, 6:14 AM

marcin requested review of this revision.Aug 3 2022, 6:14 AM

tomek requested changes to this revision.Aug 4 2022, 3:57 AM

tomek added inline comments.

native/cpp/CommonCpp/NativeModules/CommCoreModule.cpp
959–968 ↗	(On Diff #15261)	Why do we need to use a promise when this whole code runs on a single thread?

This revision now requires changes to proceed.Aug 4 2022, 3:57 AM

marcin added inline comments.Aug 4 2022, 6:12 AM

native/cpp/CommonCpp/NativeModules/CommCoreModule.cpp
959–968 ↗	(On Diff #15261)	This is definitely my mistake. When I was working on this code I thought te entire operation should run on `this->databaseThread`. But after deeper testing and considerations I came to a conclusion this operation must run on the main thread, so I removed lines that place this code inside a lambda scheduled on `databaseThread`, but it appears I didn't realize that promise and future programming is no longer needed.

Remove unnecessary promise-future programming since all operations are executed on the same thread.

Harbormaster completed remote builds in B11119: Diff 15310.Aug 4 2022, 6:40 AM

tomek accepted this revision.Aug 4 2022, 6:46 AM

tomek added inline comments.

native/cpp/CommonCpp/NativeModules/CommCoreModule.cpp
962 ↗	(On Diff #15310)	Is it ok to throw `JSError` from this function? In e.g. `createThreadStoreOperations` we throw `runtime_error` and I'm wondering which approach should be preferred.

marcin added inline comments.Aug 4 2022, 7:02 AM

native/cpp/CommonCpp/NativeModules/CommCoreModule.cpp
962 ↗	(On Diff #15310)	I think JSError should be preferred anywhere in CommCoreModule. Methods in CommCoreModule are expected to be called from react components. By throwing JSError we enable ourselves to handle errors from react components where we have much more knowledge and context to handle them properly. Even if we decide not to handle the error and crash the app we still have more information compared to being crashed by C++ error. We observed a crash caused by throwing standard C++ error: https://linear.app/comm/issue/ENG-1444/sqlite-thread-crash-on-ios-build-137, we addressed by re-throwing JSError. Code that is throwing std::runtime_error was written 9 months ago - as was the code for `processThreadStoreOperations` and `processMEssageStoreOperations`. We already have a Linear task to add JSError in those functions: https://linear.app/comm/issue/ENG-1471/change-error-handling-in. Probably the scope of this task should be extended.

Once this differential is applied 'clearSensitiveData' should be callable anywhere in JS and calling it in a random place should crash the app, with an error indicating that SQLite access is corrupted.

Have you tested this to verify the expected behavior? I usually pick a component that's simply and easy to work with (specifically privacy-preferences.react.js) to make calls to CommCoreModule.

Looks good, but we should verify expected behavior in Test Plan before landing.

This revision is now accepted and ready to land.Aug 5 2022, 10:22 AM

marcin removed a child revision: D4730: Implement react component that clears database anbd secure store when user logs out or deletes account.Aug 10 2022, 5:51 AM

marcin added a child revision: D4793: Implement methods in SQLiteQueryExecutor and DatabaseQueryExecutor to store and retrieve current_user_id from SQLite.

marcin removed a parent revision: D4728: Introduce and implement 'clearSensitiveData' method in DetabaseQueryExecutor and SQLiteQueryExecutor.Aug 22 2022, 7:06 AM

marcin added a parent revision: D4896: Implement utility function in WorkerThread class to block temporarily block thread execution once all scheduled tasks complete.

Block database thread execution until database deletion completes

Harbormaster completed remote builds in B11505: Diff 15826.Aug 22 2022, 8:07 AM

Schedule entire datbase cleanup process on databaseThread

marcin mentioned this in D4728: Introduce and implement 'clearSensitiveData' method in DetabaseQueryExecutor and SQLiteQueryExecutor.Aug 25 2022, 8:25 AM

Harbormaster completed remote builds in B11624: Diff 15987.Aug 25 2022, 8:26 AM

Due to the most recent update in D4728 entire database cleanup process is scheduled on databaseThread. We still somehow block the main thread here (we wait on the future to complete) but in a way that we already use (look at getAllMessagesSync method of CommCoreModule https://github.com/CommE2E/comm/blob/master/native/cpp/CommonCpp/NativeModules/CommCoreModule.cpp#L173). Therefore I have an impression that this might be acceptable. But if @ashoat disagrees, then just left me a comment here and I will implement this function asynchronously to return a promise that will be handled in JavaScript (D4730).