MSC3861: MAS support

[mdnight]

Pull Request Checklist

• I have added Go unit tests or Complement integration tests for this PR or I have justified why this PR doesn't need tests
• Pull request includes a sign off below using a legally identifiable name or I have already signed off privately

Signed-off-by: Roman Isaev <[email protected]>

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 50.32258% with 770 lines in your changes missing coverage. Please review.

Project coverage is 49.44%. Comparing base (a41f9cc) to head (641f5b5).
Report is 8 commits behind head on main.

Files with missing lines	Patch %	Lines
clientapi/routing/admin.go	52.26%	153 Missing and 37 partials ⚠️
setup/mscs/msc3861/msc3861_user_verifier.go	48.27%	106 Missing and 29 partials ⚠️
clientapi/routing/routing.go	54.35%	24 Missing and 65 partials ⚠️
clientapi/routing/key_crosssigning.go	25.24%	74 Missing and 3 partials ⚠️
...erapi/storage/postgres/cross_signing_keys_table.go	42.37%	30 Missing and 4 partials ⚠️
...serapi/storage/sqlite3/cross_signing_keys_table.go	42.37%	30 Missing and 4 partials ⚠️
...as/2024123101150000_drop_primary_key_constraint.go	44.44%	29 Missing and 1 partial ⚠️
clientapi/routing/profile.go	12.50%	18 Missing and 3 partials ⚠️
userapi/storage/shared/storage.go	54.34%	15 Missing and 6 partials ⚠️
setup/config/config_clientapi.go	54.28%	14 Missing and 2 partials ⚠️
... and 19 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3493      +/-   ##
==========================================
- Coverage   49.44%   49.44%   -0.01%     
==========================================
  Files         524      533       +9     
  Lines       59799    60996    +1197     
==========================================
+ Hits        29569    30159     +590     
- Misses      26750    27251     +501     
- Partials     3480     3586     +106     

Flag	Coverage Δ
unittests	49.44% <50.32%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[S7evinK]

From what I've seen so far (and tested), this is awesome! Thanks a lot for this!

The requested changes are only minor, still need to go through 34 changed files 🙃

[S7evinK]

We should add a default message instead of returning nothing, I think.

[mdnight]

We need the message field only once, when we want to show this: To reset your end-to-end encryption cross-signing identity, you first need to approve it at ${URL} and then try again.
For other cases, we simply ignore the empty field and do not return it in the response.

type userInteractiveResponse struct {
	Flows     []authtypes.Flow       `json:"flows"`
        ...
	Msg       string                 `json:"msg,omitempty"`      <--- this
}

Also, I can't find msg in the spec 🤷

[S7evinK]

🙃 Ooops.

[S7evinK]

Suggested change

	CreatedTs int64
	CreatedTS int64

[S7evinK]

Suggested change

	// Once we migrate to MAS completely, these edndpoints should be removed
	// Once we migrate to MAS completely, these endpoints should be removed

[S7evinK]

What is m? (more descriptive field name please, something like accessTokenToDeviceAndResponse, maybe?)

[S7evinK]

As mentioned OOB, we probably don't need this migration and can instead use

dendrite/clientapi/routing/register.go

Lines 57 to 69 in f4506a0

	// sessionsDict keeps track of completed auth stages for each session.
	// It shouldn't be passed by value because it contains a mutex.
	type sessionsDict struct {
	sync.RWMutex
	sessions map[string][]authtypes.LoginType
	sessionCompletedResult map[string]registerResponse
	params map[string]registerRequest
	timer map[string]*time.Timer
	// deleteSessionToDeviceID protects requests to DELETE /devices/{deviceID} from being abused.
	// If a UIA session is started by trying to delete device1, and then UIA is completed by deleting device2,
	// the delete request will fail for device2 since the UIA was initiated by trying to delete device1.
	deleteSessionToDeviceID map[string]string
	}

instead? (same goes for the SQLite migration etc.)

[mdnight]

Not sure I have a clear understanding of how this structure might apply to our case. I need to reflect on it a bit. 🤔

[mdnight]

Done. Added a new map to the structure for managing this kind of session and covered new methods with tests. Also deleted xsigning_updatable_without_uia_before_ms column from the database and reverted all related logic

[S7evinK]

Yes we can! :)

As a followup PR, use spec.AsTimestamp(time.Now()) which does the same, and update AsTimestamp in gomatrixserverlib to use UnixMilli().

[mdnight]

created a pull requests for gomatrixserverlib 🙂 matrix-org/gomatrixserverlib#447

[S7evinK]

Suggested change

	// MSC3861 contains config related to the experimental feature MSC3861. It takes effect only if 'msc3861' is included in 'MSCs' array
	// MSC3861 contains config related to the experimental feature MSC3861.
	// It takes effect only if 'msc3861' is included in 'MSCs' array.

[S7evinK]

Maybe just me, but I prefer reading the "not" path first.

Suggested change

	if c.RecaptchaEnabled || !c.RegistrationDisabled {
	if !c.RegistrationDisabled || c.RecaptchaEnabled {

For a different PR: We should only have either Enabled or Disabled in our config. Otherwise stuff like this might become confusing.

[mdnight]

I don't have any preferences regarding the "not" path, but I agree that registration should go first. 😄

[S7evinK]

Didn't want to request changes again, just wanted to add a few more comments..

[S7evinK]

This doesn't look like a DELETE. (same for SQLite)

[mdnight]

🤦

[S7evinK]

httpClient should probably be a fclient.Client, see https://github.com/matrix-org/gomatrixserverlib/blob/0a1b2bafb5cf72727787359d39653493b3318398/fclient/client.go#L44-L50

And it should be an error if it is not set, we shouldn't use http.DefaultClient.

[mdnight]

@S7evinK the PR is ready for review again. I believe I have addressed all the comments. Please have another look when you have a moment. 🙏