Don't no-op logouts #439
Don't no-op logouts #439
Conversation
commands.go
Outdated
| Name: "logout", | ||
| Help: commands.HelpMeta{ | ||
| Section: commands.HelpSectionAuth, | ||
| Description: "Unlink the bridge from your Signal account.", |
There was a problem hiding this comment.
There shouldn't be a logout command before logging out is actually supported, but delete-session should probably actually delete the session, not sure why it wasn't made to do that in the first place
There was a problem hiding this comment.
Perhaps the name delete-session isn't aligned with other mautrix bridges, but the intent behind that command is to delete the Signal encryption session (by wiping out all the keys) but leave the rest of the state intact to allow relinking a new Signal device to the bridge and get all new encryption sessions without losing group keys, profile data, etc.
Resetting encryption sessions is often necessary with Signal due to bugs in the Signal mobile apps.
There was a problem hiding this comment.
Hmm, keeping those things sounds unnecessary since they're resynced from the phone anyway
There was a problem hiding this comment.
Maybe, but the phone sync is best effort. I figured why not have a command that retains this data if the user's intent is to immediately reconnect the same account. But if you don't want this command to exist I don't feel strongly about it, a user can achieve the same behaviour by deleting the device in the Signal app (the bridge will wipe encryption keys and keep everything else)
There was a problem hiding this comment.
So is the main purpose of the current delete-session to fix occasional issues with encryption keys, and to typically be followed up immediately with login?
In any case, would it be appropriate for (*User).Logout to also delete the encryption session like delete-session does?
There was a problem hiding this comment.
Expressed differently: when would a user want to log out of the bridge without deleting their Signal encryption session? Intuitively, I'd expect a bridge logout to also delete the session (but now I understand why delete-session should not also trigger a logout, for the reasons you explained).
There was a problem hiding this comment.
Yup, you're correct about delete-session. The main reason I didn't make logout actually logout is because I didn't need it to at the time. I was implementing the provisioning API, trying to make it behave identical to the old Signal bridge (to avoid making changes to the Signal provisioning flow in Beeper), and during the provisioning flow Beeper called logout a bunch of times before logging in, and I didn't want to break the reconnection logic, so I just made it no-op.
The ideal would be to change the logout endpoint in the provisioning API to be a more obvious no-op (and eventually fix Beeper to be more sane during Signal provisioning so we don't need the no-op at all), then properly implement the logout command (delete keys and session in bridge, and delete device from Signal). But I don't currently have bandwidth to be a lot of help with this at the moment ;)
Disconnect bridge users from their accounts on logout. This does not actually delete the Signal device being logged out of, though.
Pass it a context, and call it in fnDeleteSession
Treat a failure to delete the device from the store as fatal, because otherwise credentials would remain in the store & might be reused accidentally on the next read from the store (like on bridge restart).
as the condition for this response has false positives
Make logouts delete the device from the database (not just clear sessions and keys) and update the users store & user-to-uuid map.
AndrewFerr
force-pushed
the
go/logout-bridge
branch
from
1135703
to
ff16ef4
Compare
|
The latest batch of commits tries to delete devices on "hard" logout situations (like Logging out from the bridge still doesn't unlink the bridge from the primary Signal device, though -- I did some testing and it seems like it's still the case that only the primary device can unlink other devices, and a non-primary device can't unlink itself. This still has the provisioning API's |
|
I don't know about the bridge being unlinked in the Signal app being a "hard-logout" situation. If a user accidentally unlinks (perhaps not knowing what they're doing) it's nice for them to be able to relink with few consequences. I've also told users to unlink in the app then relink their bridge to fix situations where the Signal apps encryption gets jammed up (happens shockingly often). |
I think this should be fine :) |
|
Ah right, Signal doesn't allow real logouts, then it should be fine to have logout just delete the session. Should maybe also rename |
The reason I went for a "hard-logout" on remote unlinking is that changing it to do a "soft-logout" makes future login attempts kick me out right away. i.e. this happens:
|
That's really strange, perhaps there's some difference in how |
Disconnect bridge users from their accounts on logout. This does not
actually delete the Signal device being logged out of, though.