Merge pull request #3887 from matrix-org/jryans/user-verif-mismatch

Change user info verification checks to use cross-signing
2020-01-21 13:44:22 +00:00 · 2020-01-21 13:44:22 +00:00 · 224528afd4
parent ddfed32ea9 b3d56b378e
commit 224528afd4
2 changed files with 38 additions and 10 deletions
--- a/src/DeviceListener.js
+++ b/src/DeviceListener.js
@ -75,7 +75,7 @@ export default class DeviceListener {
            if (device.deviceId == cli.deviceId) continue;

            const deviceTrust = await cli.checkDeviceTrust(cli.getUserId(), device.deviceId);
-            if (deviceTrust.isVerified() || this._dismissed.has(device.deviceId)) {
+            if (deviceTrust.isCrossSigningVerified() || this._dismissed.has(device.deviceId)) {
                ToastStore.sharedInstance().dismissToast(toastKey(device));
            } else {
                ToastStore.sharedInstance().addOrReplaceToast({
--- a/src/components/views/right_panel/UserInfo.js
+++ b/src/components/views/right_panel/UserInfo.js
@ -64,10 +64,17 @@ const _getE2EStatus = (cli, userId, devices) => {
        const hasUnverifiedDevice = devices.some((device) => device.isUnverified());
        return hasUnverifiedDevice ? "warning" : "verified";
    }
+    const isMe = userId === cli.getUserId();
    const userVerified = cli.checkUserTrust(userId).isCrossSigningVerified();
    const allDevicesVerified = devices.every(device => {
        const { deviceId } = device;
-        return cli.checkDeviceTrust(userId, deviceId).isCrossSigningVerified();
+        // For your own devices, we use the stricter check of cross-signing
+        // verification to encourage everyone to trust their own devices via
+        // cross-signing so that other users can then safely trust you.
+        // For other people's devices, the more general verified check that
+        // includes locally verified devices can be used.
+        const deviceTrust = cli.checkDeviceTrust(userId, deviceId);
+        return isMe ? deviceTrust.isCrossSigningVerified() : deviceTrust.isVerified();
    });
    if (allDevicesVerified) {
        return userVerified ? "verified" : "normal";
@ -128,19 +135,28 @@ function verifyUser(user) {

 function DeviceItem({userId, device}) {
    const cli = useContext(MatrixClientContext);
+    const isMe = userId === cli.getUserId();
    const deviceTrust = cli.checkDeviceTrust(userId, device.deviceId);
+    // For your own devices, we use the stricter check of cross-signing
+    // verification to encourage everyone to trust their own devices via
+    // cross-signing so that other users can then safely trust you.
+    // For other people's devices, the more general verified check that
+    // includes locally verified devices can be used.
+    const isVerified = (isMe && SettingsStore.isFeatureEnabled("feature_cross_signing")) ?
+        deviceTrust.isCrossSigningVerified() :
+        deviceTrust.isVerified();

    const classes = classNames("mx_UserInfo_device", {
-        mx_UserInfo_device_verified: deviceTrust.isVerified(),
-        mx_UserInfo_device_unverified: !deviceTrust.isVerified(),
+        mx_UserInfo_device_verified: isVerified,
+        mx_UserInfo_device_unverified: !isVerified,
    });
    const iconClasses = classNames("mx_E2EIcon", {
-        mx_E2EIcon_verified: deviceTrust.isVerified(),
-        mx_E2EIcon_warning: !deviceTrust.isVerified(),
+        mx_E2EIcon_verified: isVerified,
+        mx_E2EIcon_warning: !isVerified,
    });

    const onDeviceClick = () => {
-        if (!deviceTrust.isVerified()) {
+        if (!isVerified) {
            verifyDevice(userId, device);
        }
    };
@ -148,7 +164,7 @@ function DeviceItem({userId, device}) {
    const deviceName = device.ambiguous ?
            (device.getDisplayName() ? device.getDisplayName() : "") + " (" + device.deviceId + ")" :
            device.getDisplayName();
-    const trustedLabel = deviceTrust.isVerified() ? _t("Trusted") : _t("Not trusted");
+    const trustedLabel = isVerified ? _t("Trusted") : _t("Not trusted");
    return (<AccessibleButton className={classes} onClick={onDeviceClick}>
        <div className={iconClasses} />
        <div className="mx_UserInfo_device_name">{deviceName}</div>
@ -169,6 +185,7 @@ function DevicesSection({devices, userId, loading}) {
    if (devices === null) {
        return _t("Unable to load device list");
    }
+    const isMe = userId === cli.getUserId();
    const deviceTrusts = devices.map(d => cli.checkDeviceTrust(userId, d.deviceId));

    const unverifiedDevices = [];
@ -177,8 +194,16 @@ function DevicesSection({devices, userId, loading}) {
    for (let i = 0; i < devices.length; ++i) {
        const device = devices[i];
        const deviceTrust = deviceTrusts[i];
+        // For your own devices, we use the stricter check of cross-signing
+        // verification to encourage everyone to trust their own devices via
+        // cross-signing so that other users can then safely trust you.
+        // For other people's devices, the more general verified check that
+        // includes locally verified devices can be used.
+        const isVerified = (isMe && SettingsStore.isFeatureEnabled("feature_cross_signing")) ?
+            deviceTrust.isCrossSigningVerified() :
+            deviceTrust.isVerified();

-        if (deviceTrust.isVerified()) {
+        if (isVerified) {
            verifiedDevices.push(device);
        } else {
            unverifiedDevices.push(device);
@ -1277,7 +1302,10 @@ const UserInfo = ({user, groupId, roomId, onClose}) => {
        text = _t("Messages in this room are end-to-end encrypted.");
    }

-    const userVerified = cli.checkUserTrust(user.userId).isVerified();
+    const userTrust = cli.checkUserTrust(user.userId);
+    const userVerified = SettingsStore.isFeatureEnabled("feature_cross_signing") ?
+        userTrust.isCrossSigningVerified() :
+        userTrust.isVerified();
    const isMe = user.userId === cli.getUserId();
    let verifyButton;
    if (!userVerified && !isMe) {