matrix-org · poljar · Jun 17, 2025 · May 22, 2025 · May 22, 2025 · May 26, 2025
diff --git a/crates/matrix-sdk-crypto/src/machine/mod.rs b/crates/matrix-sdk-crypto/src/machine/mod.rs
@@ -1444,6 +1444,11 @@ impl OlmMachine {
                     Ok(event) => {
                         self.handle_to_device_event(changes, &event).await;
 
+                        // TODO: we should have access to some decryption settings here
+                        // (TrustRequirement) and use it (at least for
+                        // custom to-devices) to manually reject the decryption.
+                        // Similar to check_sender_trust_requirement for room events
+
                         raw_event = event
                             .serialize_zeroized()
                             .expect("Zeroizing and reserializing our events should always work")

@@ -55,7 +55,7 @@ sso-login = ["local-server"]
 
 uniffi = ["dep:uniffi", "matrix-sdk-base/uniffi", "dep:matrix-sdk-ffi-macros"]
 
-experimental-widgets = ["dep:uuid"]
+experimental-widgets = ["dep:uuid", "experimental-send-custom-to-device"]
 
 docsrs = ["e2e-encryption", "sqlite", "indexeddb", "sso-login", "qrcode"]
 

@@ -17,21 +17,25 @@
 //! tests.
 use std::{
     collections::BTreeMap,
+    future::Future,
     sync::{atomic::Ordering, Arc, Mutex},
 };
 
+use matrix_sdk_test::test_json;
 use ruma::{
-    api::client::keys::upload_signatures::v3::SignedKeys,
+    api::client::{
+        keys::upload_signatures::v3::SignedKeys, to_device::send_event_to_device::v3::Messages,
+    },
     encryption::{CrossSigningKey, DeviceKeys, OneTimeKey},
     owned_device_id, owned_user_id,
     serde::Raw,
-    CrossSigningKeyId, DeviceId, OneTimeKeyAlgorithm, OwnedDeviceId, OwnedOneTimeKeyId,
-    OwnedUserId, UserId,
+    CrossSigningKeyId, DeviceId, MilliSecondsSinceUnixEpoch, OneTimeKeyAlgorithm, OwnedDeviceId,
+    OwnedOneTimeKeyId, OwnedUserId, UserId,
 };
-use serde_json::json;
+use serde_json::{json, Value};
 use wiremock::{
     matchers::{method, path_regex},
-    Mock, Request, ResponseTemplate,
+    Mock, MockGuard, Request, ResponseTemplate,
 };
 
 use crate::{
@@ -178,6 +182,70 @@ impl MatrixMockServer {
             .mount(&self.server)
             .await;
     }
+
+    /// Creates a response handler for mocking encrypted to-device message
+    /// requests.
+    ///
+    /// This function creates a response handler that captures encrypted
+    /// to-device messages sent via the `/sendToDevice` endpoint.
+    ///
+    /// # Arguments
+    ///
+    /// * `sender` - The user ID of the message sender
+    ///
+    /// # Returns
+    ///
+    /// Returns a tuple containing:
+    /// - A `MockGuard` the end-point mock is scoped to this guard
+    /// - A `Future` that resolves to a `Value` containing the captured
+    ///   encrypted to-device message.
+    pub async fn mock_capture_put_to_device(
+        &self,
+        sender_user_id: &UserId,
+    ) -> (MockGuard, impl Future<Output = Value>) {
+        let (tx, rx) = tokio::sync::oneshot::channel();
+        let tx = Arc::new(Mutex::new(Some(tx)));
+
+        let sender = sender_user_id.to_owned();
+        let guard = Mock::given(method("PUT"))
+            .and(path_regex(r"^/_matrix/client/.*/sendToDevice/m.room.encrypted/.*"))
+            .respond_with(move |req: &Request| {
+                #[derive(Debug, serde::Deserialize)]
+                struct Parameters {
+                    messages: Messages,
+                }
+
+                let params: Parameters = req.body_json().unwrap();
+
+                let (_, device_to_content) = params.messages.first_key_value().unwrap();
+                let content = device_to_content.first_key_value().unwrap().1;
+
+                let event = json!({
+                    "origin_server_ts": MilliSecondsSinceUnixEpoch::now(),
+                    "sender": sender,
+                    "type": "m.room.encrypted",
+                    "content": content,
+                });
+
+                if let Ok(mut guard) = tx.lock() {
+                    if let Some(tx) = guard.take() {
+                        let _ = tx.send(event);
+                    }
+                }
+
+                ResponseTemplate::new(200).set_body_json(&*test_json::EMPTY)
+            })
+            // Should be called once
+            .expect(1)
+            .named("send_to_device")
+            .mount_as_scoped(self.server())
+            .await;
+
+        let future =
+            async move { rx.await.expect("Failed to receive captured value - sender was dropped") };
+
+        (guard, future)
+    }
 }
 
 /// Intercepts a `/keys/query` request and mock its results as returned by an

@@ -40,12 +40,12 @@ use tokio::sync::{
     broadcast::{error::RecvError, Receiver},
     mpsc::{unbounded_channel, UnboundedReceiver},
 };
-use tracing::error;
+use tracing::{error, trace, warn};
 
 use super::{machine::SendEventResponse, StateKeySelector};
 use crate::{
-    event_handler::EventHandlerDropGuard, room::MessagesOptions, sync::RoomUpdate, Error, Result,
-    Room,
+    event_handler::EventHandlerDropGuard, room::MessagesOptions, sync::RoomUpdate, Client, Error,
+    Result, Room,
 };
 
 /// Thin wrapper around a [`Room`] that provides functionality relevant for
@@ -235,21 +235,86 @@ impl MatrixDriver {
     pub(crate) fn to_device_events(&self) -> EventReceiver<Raw<AnyToDeviceEvent>> {
         let (tx, rx) = unbounded_channel();
 
+        let room_id = self.room.room_id().to_owned();
         let to_device_handle = self.room.client().add_event_handler(
-            // TODO: encryption support for to-device is not yet supported. Needs an Olm
-            // EncryptionInfo. The widgetAPI expects a boolean `encrypted` to be added
-            // (!) to the raw content to know if the to-device message was encrypted or
-            // not (as per MSC3819).
-            move |raw: Raw<AnyToDeviceEvent>, _: Option<EncryptionInfo>| {
-                let _ = tx.send(raw);
-                async {}
+
+            async move |raw: Raw<AnyToDeviceEvent>, encryption_info: Option<EncryptionInfo>, client: Client| {
+
+                // Some to-device traffic is used by the sdk for internal machinery.
+                // They should not be exposed to widgets.
+                if Self::should_filter_message_to_widget(&raw) {
+                    trace!("Internal or UTD to-device message filtered out by widget driver.");
+                    return;
+                }
+
+                // Encryption can be enabled after the widget has been instantiated,
+                // we want to keep track of the latest status
+                let Some(room) = client.get_room(&room_id) else {
+                    warn!("Room {} not found in client.", room_id);
+                    return;
+                };
+
+                let room_encrypted = room.latest_encryption_state().await
+                    .map(|s| s.is_encrypted())
+                    // Default consider encrypted
+                    .unwrap_or(true);
+                if room_encrypted {
+                    // The room is encrypted so the to-device traffic should be too.
+                    if encryption_info.is_none() {
+                        warn!(
+                            ?room_id,
+                            "Received to-device event in clear for a widget in an e2e room, dropping."
+                        );
+                        return;
+                    };
+
+                    // There no per-room specific decryption setting, so we can just send to the
+                    // widget
+                    let _ = tx.send(raw);
+                } else {
+                    // forward to the widget
+                    // It is ok to send an encrypted to-device message even if the room is clear.
+                    let _ = tx.send(raw);
+                }
             },
         );
 
         let drop_guard = self.room.client().event_handler_drop_guard(to_device_handle);
         EventReceiver { rx, _drop_guard: drop_guard }
     }
 
+    fn should_filter_message_to_widget(raw_message: &Raw<AnyToDeviceEvent>) -> bool {
+        let Ok(Some(event_type)) = raw_message.get_field::<String>("type") else {
+            return true;
+        };
+
+        if event_type == "m.room.encrypted" {
+            // Unable to decrypt,
+            return true;
+        }
+
+        // Filter out all the internal crypto related traffic.
+        // The SDK has already zeroized the critical data, but let's not leak any
+        // information
+        matches!(
+            event_type.as_str(),
+            "m.dummy"
+                | "m.room_key"
+                | "m.room_key_request"
+                | "m.forwarded_room_key"
+                | "m.key.verification.request"
+                | "m.key.verification.ready"
+                | "m.key.verification.start"
+                | "m.key.verification.cancel"
+                | "m.key.verification.accept"
+                | "m.key.verification.key"
+                | "m.key.verification.mac"
+                | "m.key.verification.done"
+                | "m.secret.request"
+                | "m.secret.send"
+        )
+    }
+
     /// It will ignore all devices where errors occurred or where the device is
     /// not verified or where th user has a has_verification_violation.
     pub(crate) async fn send_to_device(

@@ -10,14 +10,11 @@ use matrix_sdk_common::{
     locks::Mutex,
 };
 use matrix_sdk_test::{async_test, test_json};
-use ruma::{
-    api::client::to_device::send_event_to_device::v3::Messages, events::AnyToDeviceEvent,
-    serde::Raw, MilliSecondsSinceUnixEpoch, OwnedUserId,
-};
-use serde_json::{json, Value};
+use ruma::{events::AnyToDeviceEvent, serde::Raw};
+use serde_json::json;
 use wiremock::{
     matchers::{method, path_regex},
-    Mock, Request, ResponseTemplate,
+    Mock, ResponseTemplate,
 };
 
 #[async_test]
@@ -128,37 +125,6 @@ async fn test_encrypt_and_send_to_device_report_failures_server() {
     assert_eq!(bob_device_id.to_owned(), failure.1);
 }
 
-// A simple mock to capture an encrypted to device message via `sendToDevice`.
-// Expect the request payload to be for an encrypted event and to only have one
-// message.
-fn mock_send_encrypted_to_device_responder(
-    sender: OwnedUserId,
-    to_device: Arc<Mutex<Option<Value>>>,
-) -> impl Fn(&Request) -> ResponseTemplate {
-    move |req: &Request| {
-        #[derive(Debug, serde::Deserialize)]
-        struct Parameters {
-            messages: Messages,
-        }
-
-        let params: Parameters = req.body_json().unwrap();
-
-        let (_, device_to_content) = params.messages.first_key_value().unwrap();
-        let content = device_to_content.first_key_value().unwrap().1;
-
-        let event = json!({
-            "origin_server_ts": MilliSecondsSinceUnixEpoch::now(),
-            "sender": sender,
-            "type": "m.room.encrypted",
-            "content": content,
-        });
-
-        *to_device.lock() = Some(event);
-
-        ResponseTemplate::new(200).set_body_json(&*test_json::EMPTY)
-    }
-}
-
 #[async_test]
 async fn test_to_device_event_handler_olm_encryption_info() {
     // ===========
@@ -194,18 +160,9 @@ async fn test_to_device_event_handler_olm_encryption_info() {
     .cast();
 
     // Capture the event sent by Alice to feed it back to Bob's client later.
-    let event_as_sent_by_alice: Arc<Mutex<Option<Value>>> = Default::default();
-    Mock::given(method("PUT"))
-        .and(path_regex(r"^/_matrix/client/.*/sendToDevice/m.room.encrypted/.*"))
-        .respond_with(mock_send_encrypted_to_device_responder(
-            alice.user_id().unwrap().to_owned(),
-            event_as_sent_by_alice.clone(),
-        ))
-        // Should be called once
-        .expect(1)
-        .named("send_to_device")
-        .mount(&server.server())
-        .await;
+
+    let (guard, event_as_sent_by_alice) =
+        server.mock_capture_put_to_device(alice.user_id().unwrap()).await;
 
     alice
         .encryption()
@@ -225,7 +182,8 @@ async fn test_to_device_event_handler_olm_encryption_info() {
     });
 
     // feed back the event to Bob's client
-    let event_as_sent_by_alice = event_as_sent_by_alice.lock().clone().unwrap();
+    let event_as_sent_by_alice = event_as_sent_by_alice.await;
+    drop(guard);
     server
         .mock_sync()
         .ok_and_run(&bob, |builder| {