riot-web/src/IdentityAuthClient.js

/*
Copyright 2019 The Matrix.org Foundation C.I.C.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

import { createClient, SERVICE_TYPES } from 'matrix-js-sdk';

import MatrixClientPeg from './MatrixClientPeg';
import { Service, startTermsFlow, TermsNotSignedError } from './Terms';

export default class IdentityAuthClient {
    /**
     * Creates a new identity auth client
     * @param {string} identityUrl The URL to contact the identity server with.
     * When provided, this class will operate solely within memory, refusing to
     * persist any information such as tokens. Default null (not provided).
     */
    constructor(identityUrl = null) {
        this.accessToken = null;
        this.authEnabled = true;

        if (identityUrl) {
            // XXX: We shouldn't have to create a whole new MatrixClient just to
            // do identity server auth. The functions don't take an identity URL
            // though, and making all of them take one could lead to developer
            // confusion about what the idBaseUrl does on a client. Therefore, we
            // just make a new client and live with it.
            this.tempClient = createClient({
                baseUrl: "", // invalid by design
                idBaseUrl: identityUrl,
            });
        } else {
            // Indicates that we're using the real client, not some workaround.
            this.tempClient = null;
        }
    }

    get _matrixClient() {
        return this.tempClient ? this.tempClient : MatrixClientPeg.get();
    }

    _writeToken() {
        if (this.tempClient) return; // temporary client: ignore
        window.localStorage.setItem("mx_is_access_token", this.accessToken);
    }

    _readToken() {
        if (this.tempClient) return null; // temporary client: ignore
        return window.localStorage.getItem("mx_is_access_token");
    }

    hasCredentials() {
        return this.accessToken != null; // undef or null
    }

    // Returns a promise that resolves to the access_token string from the IS
    async getAccessToken(check=true) {
        if (!this.authEnabled) {
            // The current IS doesn't support authentication
            return null;
        }

        let token = this.accessToken;
        if (!token) {
            token = this._readToken();
        }

        if (!token) {
            token = await this.registerForToken(check);
            if (token) {
                this.accessToken = token;
                this._writeToken();
            }
            return token;
        }

        if (check) {
            try {
                await this._checkToken(token);
            } catch (e) {
                if (e instanceof TermsNotSignedError) {
                    // Retrying won't help this
                    throw e;
                }
                // Retry in case token expired
                token = await this.registerForToken();
                if (token) {
                    this.accessToken = token;
                    this._writeToken();
                }
            }
        }

        return token;
    }

    async _checkToken(token) {
        try {
            await this._matrixClient.getIdentityAccount(token);
        } catch (e) {
            if (e.errcode === "M_TERMS_NOT_SIGNED") {
                console.log("Identity Server requires new terms to be agreed to");
                await startTermsFlow([new Service(
                    SERVICE_TYPES.IS,
                    this._matrixClient.getIdentityServerUrl(),
                    token,
                )]);
                return;
            }
            throw e;
        }

        // We should ensure the token in `localStorage` is cleared
        // appropriately. We already clear storage on sign out, but we'll need
        // additional clearing when changing ISes in settings as part of future
        // privacy work.
        // See also https://github.com/vector-im/riot-web/issues/10455.
    }

    async registerForToken(check=true) {
        try {
            const hsOpenIdToken = await MatrixClientPeg.get().getOpenIdToken();
            const { access_token: identityAccessToken } =
                await this._matrixClient.registerWithIdentityServer(hsOpenIdToken);
            if (check) await this._checkToken(identityAccessToken);
            return identityAccessToken;
        } catch (e) {
            if (e.cors === "rejected" || e.httpStatus === 404) {
                // Assume IS only supports deprecated v1 API for now
                // TODO: Remove this path once v2 is only supported version
                // See https://github.com/vector-im/riot-web/issues/10443
                console.warn("IS doesn't support v2 auth");
                this.authEnabled = false;
                return;
            }
            throw e;
        }
    }
}
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`/*`
			`Copyright 2019 The Matrix.org Foundation C.I.C.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

Import createClient instead 2019-08-19 18:25:20 +02:00			`import { createClient, SERVICE_TYPES } from 'matrix-js-sdk';`
Show terms modal when inviting by email This invokes the terms modal flow when inviting someone by email. Entering an email triggers a lookup to the IS, and if it has terms you need to agree to, then a separate modal is shown to complete this activity. You then come back to invite screen after agreeing to the terms. Fixes https://github.com/vector-im/riot-web/issues/10093 2019-08-01 13:46:59 +02:00
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`import MatrixClientPeg from './MatrixClientPeg';`
Tweak control flow to avoid duplicate terms prompts 2019-08-02 16:21:53 +02:00			`import { Service, startTermsFlow, TermsNotSignedError } from './Terms';`
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00
			`export default class IdentityAuthClient {`
Prompt for terms of service on identity server changes Part of https://github.com/vector-im/riot-web/issues/10539 2019-08-15 23:59:44 +02:00			`/**`
			`* Creates a new identity auth client`
			`* @param {string} identityUrl The URL to contact the identity server with.`
			`* When provided, this class will operate solely within memory, refusing to`
			`* persist any information such as tokens. Default null (not provided).`
			`*/`
			`constructor(identityUrl = null) {`
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`this.accessToken = null;`
Improve error handling for IS auth 2019-07-29 15:41:57 +02:00			`this.authEnabled = true;`
Prompt for terms of service on identity server changes Part of https://github.com/vector-im/riot-web/issues/10539 2019-08-15 23:59:44 +02:00
			`if (identityUrl) {`
			`// XXX: We shouldn't have to create a whole new MatrixClient just to`
			`// do identity server auth. The functions don't take an identity URL`
			`// though, and making all of them take one could lead to developer`
			`// confusion about what the idBaseUrl does on a client. Therefore, we`
			`// just make a new client and live with it.`
Import createClient instead 2019-08-19 18:25:20 +02:00			`this.tempClient = createClient({`
Prompt for terms of service on identity server changes Part of https://github.com/vector-im/riot-web/issues/10539 2019-08-15 23:59:44 +02:00			`baseUrl: "", // invalid by design`
			`idBaseUrl: identityUrl,`
			`});`
			`} else {`
			`// Indicates that we're using the real client, not some workaround.`
			`this.tempClient = null;`
			`}`
			`}`

			`get _matrixClient() {`
			`return this.tempClient ? this.tempClient : MatrixClientPeg.get();`
			`}`

			`_writeToken() {`
			`if (this.tempClient) return; // temporary client: ignore`
tfw the linter finds bugs for you 2019-08-16 00:08:18 +02:00			`window.localStorage.setItem("mx_is_access_token", this.accessToken);`
Prompt for terms of service on identity server changes Part of https://github.com/vector-im/riot-web/issues/10539 2019-08-15 23:59:44 +02:00			`}`

			`_readToken() {`
			`if (this.tempClient) return null; // temporary client: ignore`
			`return window.localStorage.getItem("mx_is_access_token");`
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`}`

			`hasCredentials() {`
			`return this.accessToken != null; // undef or null`
			`}`

			`// Returns a promise that resolves to the access_token string from the IS`
Support IS token handling without checking terms This is so we can optionally do our own terms handling. 2019-08-20 06:54:23 +02:00			`async getAccessToken(check=true) {`
Improve error handling for IS auth 2019-07-29 15:41:57 +02:00			`if (!this.authEnabled) {`
			`// The current IS doesn't support authentication`
			`return null;`
			`}`

Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`let token = this.accessToken;`
			`if (!token) {`
Prompt for terms of service on identity server changes Part of https://github.com/vector-im/riot-web/issues/10539 2019-08-15 23:59:44 +02:00			`token = this._readToken();`
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`}`

			`if (!token) {`
Support IS token handling without checking terms This is so we can optionally do our own terms handling. 2019-08-20 06:54:23 +02:00			`token = await this.registerForToken(check);`
Tweak control flow to avoid duplicate terms prompts 2019-08-02 16:21:53 +02:00			`if (token) {`
			`this.accessToken = token;`
Prompt for terms of service on identity server changes Part of https://github.com/vector-im/riot-web/issues/10539 2019-08-15 23:59:44 +02:00			`this._writeToken();`
Tweak control flow to avoid duplicate terms prompts 2019-08-02 16:21:53 +02:00			`}`
			`return token;`
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`}`

Support IS token handling without checking terms This is so we can optionally do our own terms handling. 2019-08-20 06:54:23 +02:00			`if (check) {`
			`try {`
			`await this._checkToken(token);`
			`} catch (e) {`
			`if (e instanceof TermsNotSignedError) {`
			`// Retrying won't help this`
			`throw e;`
			`}`
			`// Retry in case token expired`
			`token = await this.registerForToken();`
			`if (token) {`
			`this.accessToken = token;`
			`this._writeToken();`
			`}`
Tweak control flow to avoid duplicate terms prompts 2019-08-02 16:21:53 +02:00			`}`
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`}`
Improve error handling for IS auth 2019-07-29 15:41:57 +02:00
			`return token;`
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`}`

Check IS v2 account tokens for validity Fixes https://github.com/vector-im/riot-web/issues/10452 2019-07-31 18:30:10 +02:00			`async _checkToken(token) {`
Show terms modal when inviting by email This invokes the terms modal flow when inviting someone by email. Entering an email triggers a lookup to the IS, and if it has terms you need to agree to, then a separate modal is shown to complete this activity. You then come back to invite screen after agreeing to the terms. Fixes https://github.com/vector-im/riot-web/issues/10093 2019-08-01 13:46:59 +02:00			`try {`
Prompt for terms of service on identity server changes Part of https://github.com/vector-im/riot-web/issues/10539 2019-08-15 23:59:44 +02:00			`await this._matrixClient.getIdentityAccount(token);`
Show terms modal when inviting by email This invokes the terms modal flow when inviting someone by email. Entering an email triggers a lookup to the IS, and if it has terms you need to agree to, then a separate modal is shown to complete this activity. You then come back to invite screen after agreeing to the terms. Fixes https://github.com/vector-im/riot-web/issues/10093 2019-08-01 13:46:59 +02:00			`} catch (e) {`
			`if (e.errcode === "M_TERMS_NOT_SIGNED") {`
			`console.log("Identity Server requires new terms to be agreed to");`
			`await startTermsFlow([new Service(`
Tweak import 2019-08-02 15:43:36 +02:00			`SERVICE_TYPES.IS,`
Prompt for terms of service on identity server changes Part of https://github.com/vector-im/riot-web/issues/10539 2019-08-15 23:59:44 +02:00			`this._matrixClient.getIdentityServerUrl(),`
Show terms modal when inviting by email This invokes the terms modal flow when inviting someone by email. Entering an email triggers a lookup to the IS, and if it has terms you need to agree to, then a separate modal is shown to complete this activity. You then come back to invite screen after agreeing to the terms. Fixes https://github.com/vector-im/riot-web/issues/10093 2019-08-01 13:46:59 +02:00			`token,`
			`)]);`
			`return;`
			`}`
			`throw e;`
			`}`
Add note to test tokens 2019-07-30 17:56:19 +02:00
Check IS v2 account tokens for validity Fixes https://github.com/vector-im/riot-web/issues/10452 2019-07-31 18:30:10 +02:00			// We should ensure the token in `localStorage` is cleared
Extend comment about checking tokens 2019-07-30 11:09:38 +02:00			`// appropriately. We already clear storage on sign out, but we'll need`
			`// additional clearing when changing ISes in settings as part of future`
			`// privacy work.`
Add note to log out from IS 2019-07-30 18:19:59 +02:00			`// See also https://github.com/vector-im/riot-web/issues/10455.`
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`}`

Support IS token handling without checking terms This is so we can optionally do our own terms handling. 2019-08-20 06:54:23 +02:00			`async registerForToken(check=true) {`
Improve error handling for IS auth 2019-07-29 15:41:57 +02:00			`try {`
			`const hsOpenIdToken = await MatrixClientPeg.get().getOpenIdToken();`
Rename isAccessToken to identityAccessToken 2019-07-30 11:05:57 +02:00			`const { access_token: identityAccessToken } =`
Prompt for terms of service on identity server changes Part of https://github.com/vector-im/riot-web/issues/10539 2019-08-15 23:59:44 +02:00			`await this._matrixClient.registerWithIdentityServer(hsOpenIdToken);`
Support IS token handling without checking terms This is so we can optionally do our own terms handling. 2019-08-20 06:54:23 +02:00			`if (check) await this._checkToken(identityAccessToken);`
Rename isAccessToken to identityAccessToken 2019-07-30 11:05:57 +02:00			`return identityAccessToken;`
Tweak control flow to avoid duplicate terms prompts 2019-08-02 16:21:53 +02:00			`} catch (e) {`
			`if (e.cors === "rejected" \|\| e.httpStatus === 404) {`
Improve error handling for IS auth 2019-07-29 15:41:57 +02:00			`// Assume IS only supports deprecated v1 API for now`
			`// TODO: Remove this path once v2 is only supported version`
Note cleanup issue 2019-07-30 11:39:07 +02:00			`// See https://github.com/vector-im/riot-web/issues/10443`
Improve error handling for IS auth 2019-07-29 15:41:57 +02:00			`console.warn("IS doesn't support v2 auth");`
			`this.authEnabled = false;`
Check IS v2 account tokens for validity Fixes https://github.com/vector-im/riot-web/issues/10452 2019-07-31 18:30:10 +02:00			`return;`
Improve error handling for IS auth 2019-07-29 15:41:57 +02:00			`}`
Tweak control flow to avoid duplicate terms prompts 2019-08-02 16:21:53 +02:00			`throw e;`
Improve error handling for IS auth 2019-07-29 15:41:57 +02:00			`}`
Move auth steps to IdentityAuthClient 2019-07-29 12:58:47 +02:00			`}`
			`}`