Page MenuHomePhabricator

Initialize olm sessions for notifications on web and keyserver via socket requests
ClosedPublic

Authored by marcin on Oct 19 2023, 3:37 AM.
Tags
None
Referenced Files
F3367925: D9535.id32460.diff
Mon, Nov 25, 5:13 PM
Unknown Object (File)
Mon, Nov 25, 4:40 AM
Unknown Object (File)
Tue, Nov 19, 10:04 PM
Unknown Object (File)
Tue, Nov 19, 9:27 PM
Unknown Object (File)
Fri, Nov 15, 10:37 AM
Unknown Object (File)
Mon, Nov 11, 10:50 PM
Unknown Object (File)
Sun, Nov 10, 3:56 AM
Unknown Object (File)
Sun, Oct 27, 9:02 PM
Subscribers

Details

Summary

This differential initialises olm session for notifications on web via server request mechanism. The keyserver checks whether the web client has the olm session. If it doesn't it requests session intialisation. The web client uses the shared logic to get necessary keys from the keyserver and web specific logic to create the session and store it in IndexedDB.

Test Plan
  1. Checkout to master.
  2. Log-out.
  3. Log-in.
  4. Checkout to the branch with this diff stack.

Then:

  1. Using mariadb console ensure that new olm session was created on the keyserver.
  2. Using Developer Tools ensure that new entry was created in IndexedDB and that it contains pickled olm session for notifs.
  3. Log-out.
  4. Using Developer Tools ensure that entry with olm session for notifs was removed (it is not implemented in this differential but this line(https://github.com/CommE2E/comm/blob/master/web/database/worker/db-worker.js#L154) should clear entire IndexedDB on log-out).

Diff Detail

Repository
rCOMM Comm
Branch
marcin/eng-5191
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

Rebase to update commit message

Update invariant error message

web/account/account-hooks.js
168 ↗(On Diff #32188)

If we try to initialize olm session for notifications but there are no olm accounts it means that we either:

  1. Didn't include SignedIdentityKeysBlob in log in data.

or

  1. We try to answer server request to create olm session for notifs but we haven't answered yet the request to upload SignedIdentityKeysBlob.

Both are programmer errors. Theoretically we could use gerOrCreateCryptoStore here but I am afraid it would aallow programmers to introduce errors described above.

marcin edited the test plan for this revision. (Show Details)
keyserver/src/session/cookies.js
838 ↗(On Diff #32188)

Note that this will need to be updated to NEXT_CODE_VERSION in order for me to update it before a deploy (I think you're aware of this though)

web/account/account-hooks.js
154 ↗(On Diff #32188)

Same concern as I outlined here: https://phab.comm.dev/D9532#inline-60149

marcin edited the test plan for this revision. (Show Details)

Ensure that there are no two notifications session creations promises running at the same time.

Correctly "contextify" web notifications session creator

Looks good, might be good to have someone with more knowledge about crypto system take another look

This revision is now accepted and ready to land.Oct 26 2023, 10:35 AM

Bundle picling key and pickled notifications session together and persist encrypted in IndexedDB.
This is necessary since we can't access redux (needed for pickling key of notifications account) and persisting pickling key in IndexedDB without additional
encryption is not acceptable either (due to securoty issues).

Handle Safari bug when storing CryptoKey

web/account/account-hooks.js
230 ↗(On Diff #32765)

Might be good to explain why Safari is special-cased here with a comment

Add comment to explain special treatment of Safari browser

Change the structure of created notifications olm data for "debounce" approach.

This seems like a significant change. @marcin, should you consider re-requesting review?

Substantial changes are actually done to D9661. Logics of this differential remains unchanged - we just change the structure of data kept in IndexedDB. But for better safety I can re-request review.

keyserver/src/session/cookies.js
838 ↗(On Diff #32188)

Yes, I understand this. I always start with FURUTRE_CODE_VERSION to handle the possibility that we will not be able to release the feature immediately after landing. If I now that the feature can be released immediately after landing I replace it with NEXT_CODE_VERSION.

Make pendingSessionUpdate and updateCreationTimestamp fialds mandatory and initialize them with a copy of mainSession and Date.now() respectively.

michal added inline comments.
keyserver/src/session/cookies.js
836 ↗(On Diff #33377)

(reminder about NEXT_CODE_VERSION)

This revision is now accepted and ready to land.Nov 22 2023, 6:05 AM