This repository has been archived by the owner on Sep 11, 2024. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 829
OIDC: persist refresh token #11249
Merged
Merged
OIDC: persist refresh token #11249
Changes from 3 commits
Commits
Show all changes
24 commits
Select commit
Hold shift + click to select a range
2607997
test persistCredentials without a pickle key
3506c06
Merge branch 'develop' into kerry/25708/test-persist-credentials
609f790
test setLoggedIn with pickle key
f3092c7
lint
fad7f33
type error
32d5fb0
extract token persisting code into function, persist refresh token
e6529f1
store has_refresh_token too
66d57e5
pass refreshToken from oidcAuthGrant into credentials
b33e347
rest restore session with pickle key
823ba2e
Merge branch 'kerry/25708/test-persist-credentials' into kerry/25708/…
b7e0603
Merge branch 'develop' into kerry/25708/test-persist-credentials
b8b0c86
Merge branch 'kerry/25708/test-persist-credentials' into kerry/25708/…
f059642
Merge branch 'develop' into kerry/25708/test-persist-credentials
9272110
Merge branch 'kerry/25708/test-persist-credentials' into kerry/25708/…
d24fbd0
Merge branch 'develop' into kerry/25708/save-refresh-token
880c258
Merge branch 'kerry/25708/save-refresh-token' of https://github.com/m…
65c0734
Merge branch 'develop' into kerry/25708/save-refresh-token
70ddb4a
comments
56441dc
Merge branch 'develop' into kerry/25708/save-refresh-token
af481b2
prettier
e2d2d33
Update src/Lifecycle.ts
678815d
Merge branch 'develop' into kerry/25708/save-refresh-token
1f903c9
comments
777dbba
Merge branch 'develop' into kerry/25708/save-refresh-token
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -71,19 +71,19 @@ import GenericToast from "./components/views/toasts/GenericToast"; | |
const HOMESERVER_URL_KEY = "mx_hs_url"; | ||
const ID_SERVER_URL_KEY = "mx_is_url"; | ||
|
||
/** | ||
* Used as storage key | ||
/* | ||
* Keys used when storing the tokens in indexeddb or localstorage | ||
*/ | ||
const ACCESS_TOKEN_STORAGE_KEY = "mx_access_token"; | ||
const REFRESH_TOKEN_STORAGE_KEY = "mx_refresh_token"; | ||
/** | ||
/* | ||
* Used as initialization vector during encryption in persistTokenInStorage | ||
* And decryption in restoreFromLocalStorage | ||
*/ | ||
const ACCESS_TOKEN_NAME = "access_token"; | ||
const REFRESH_TOKEN_NAME = "refresh_token"; | ||
/** | ||
* Used in localstorage to store whether we expect a token in idb | ||
const ACCESS_TOKEN_IV = "access_token"; | ||
const REFRESH_TOKEN_IV = "refresh_token"; | ||
/* | ||
* Keys for localstorage items which indicate whether we expect a token in indexeddb. | ||
*/ | ||
const HAS_ACCESS_TOKEN_STORAGE_KEY = "mx_has_access_token"; | ||
const HAS_REFRESH_TOKEN_STORAGE_KEY = "mx_has_refresh_token"; | ||
|
@@ -555,7 +555,7 @@ export async function getStoredSessionVars(): Promise<Partial<IStoredSession>> { | |
|
||
// The pickle key is a string of unspecified length and format. For AES, we | ||
// need a 256-bit Uint8Array. So we HKDF the pickle key to generate the AES | ||
// key. The AES key should be zeroed after it is used | ||
// key. The AES key should be zeroed after it is used. | ||
async function pickleKeyToAesKey(pickleKey: string): Promise<Uint8Array> { | ||
const pickleKeyBuffer = new Uint8Array(pickleKey.length); | ||
for (let i = 0; i < pickleKey.length; i++) { | ||
|
@@ -624,7 +624,7 @@ export async function restoreFromLocalStorage(opts?: { ignoreGuest?: boolean }): | |
logger.log("Got pickle key"); | ||
if (typeof accessToken !== "string") { | ||
const encrKey = await pickleKeyToAesKey(pickleKey); | ||
decryptedAccessToken = await decryptAES(accessToken, encrKey, ACCESS_TOKEN_NAME); | ||
decryptedAccessToken = await decryptAES(accessToken, encrKey, ACCESS_TOKEN_IV); | ||
encrKey.fill(0); | ||
} | ||
} else { | ||
|
@@ -869,17 +869,16 @@ class AbortLoginAndRebuildStorage extends Error {} | |
* Stores in idb, falling back to localStorage | ||
* | ||
* @param storageKey key used to store the token | ||
* @param name eg "access_token" used as initialization vector during encryption | ||
* only used when pickleKey is present to encrypt with | ||
* @param initializationVector Initialization vector for encrypting the token. Only used when `pickleKey` is present | ||
* @param token the token to store, when undefined any existing token at the storageKey is removed from storage | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this could still use clarification |
||
* @param pickleKey optional pickle key used to encrypt token | ||
* @param hasTokenStorageKey used to store in localstorage whether we expect to have a token in idb, eg "mx_has_access_token" | ||
* @param hasTokenStorageKey Localstorage key for an item which stores whether we expect to have a token in indexeddb, eg "mx_has_access_token". | ||
*/ | ||
async function persistTokenInStorage( | ||
storageKey: string, | ||
name: string, | ||
initializationVector: string, | ||
token: string | undefined, | ||
pickleKey: IMatrixClientCreds["pickleKey"], | ||
pickleKey: string | undefined, | ||
hasTokenStorageKey: string, | ||
): Promise<void> { | ||
// store whether we expect to find a token, to detect the case | ||
|
@@ -898,7 +897,7 @@ async function persistTokenInStorage( | |
} | ||
// try to encrypt the access token using the pickle key | ||
const encrKey = await pickleKeyToAesKey(pickleKey); | ||
encryptedToken = await encryptAES(token, encrKey, name); | ||
encryptedToken = await encryptAES(token, encrKey, initializationVector); | ||
encrKey.fill(0); | ||
} catch (e) { | ||
logger.warn("Could not encrypt access token", e); | ||
|
@@ -941,14 +940,14 @@ async function persistCredentials(credentials: IMatrixClientCreds): Promise<void | |
|
||
await persistTokenInStorage( | ||
ACCESS_TOKEN_STORAGE_KEY, | ||
ACCESS_TOKEN_NAME, | ||
ACCESS_TOKEN_IV, | ||
credentials.accessToken, | ||
credentials.pickleKey, | ||
HAS_ACCESS_TOKEN_STORAGE_KEY, | ||
); | ||
await persistTokenInStorage( | ||
REFRESH_TOKEN_STORAGE_KEY, | ||
REFRESH_TOKEN_NAME, | ||
REFRESH_TOKEN_IV, | ||
credentials.refreshToken, | ||
credentials.pickleKey, | ||
HAS_REFRESH_TOKEN_STORAGE_KEY, | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.