Access token stored as device ID
Categories
(Chat Core :: Matrix, defect)
Tracking
(thunderbird_esr78 unaffected)
| Tracking | Status | |
|---|---|---|
| thunderbird_esr78 | --- | unaffected |
People
(Reporter: freaktechnik, Assigned: freaktechnik)
References
Details
Attachments
(1 file)
We stored the access token as the device ID on accident. Luckily, the device ID is never sent anywhere without crypto enabled. As such, the access token shouldn't have leaked.
We can invalidate the access token for everyone that chose to store their token, since the values will be equal. Users that don't store their access token override the device ID every time they connect either way, so it will at least be overridden after the patch lands.
Either way, everyone will have to log in again, which means SSO will prompt again once the patch for this lands.
|
Assignee | |
Comment 1•3 years ago
|
||
|
||
Comment 2•3 years ago
|
||
Talked to some folks about this and it seems that device IDs are considered public info and can be queried from the /keys/query endpoint.
So what is happening is that we:
- Login and store the access token as the device ID (and access token). (https://searchfox.org/comm-central/rev/7893eeaf930fcc8923c0ca59d5ed4e3be455d5a5/chat/protocols/matrix/matrix.jsm#1093)
- Pull the stored "device ID" (actually the access token) and pass it to
MatrixClient: https://searchfox.org/comm-central/rev/7893eeaf930fcc8923c0ca59d5ed4e3be455d5a5/chat/protocols/matrix/matrix.jsm#955
It is unclear to me when MatrixClient will use this though since? Maybe if you log the device out from another device you'd end up with that as your device ID or something?
|
|
Assignee | |
Comment 3•3 years ago
|
||
We let the server generate a device ID on login, which is the one that the server then has on file (you can verify this with an account that has an affected session in element web).
Looking through all uses of deviceId within the js SDK I couldn't see one that wasn't related to the crypto features or WebRTC, both of which we don't touch so far.
|
|
Assignee | |
Comment 4•3 years ago
•
|
||
(In reply to Patrick Cloke [:clokep] from comment #2)
It is unclear to me when
MatrixClientwill use this though since? Maybe if you log the device out from another device you'd end up with that as your device ID or something?
No, the SDK doesn't set the device_id for the login request see https://github.com/matrix-org/matrix-js-sdk/blob/4b8f47e2b430f84bbfb4c65fd3007703cac93cb4/src/client.ts#L5921 (plus any of the higher level login methods) and
https://github.com/matrix-org/matrix-js-sdk/blob/4b8f47e2b430f84bbfb4c65fd3007703cac93cb4/src/http-api.js#L463
(this actually leads to some issues with crypto that I have to address in the other patch - we have to create a new client once we get the device ID)
|
|
Assignee | |
Updated•3 years ago
|
Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/339d0208fb01
Store correct Matrix device ID and revoke incorrectly stored access tokens. r=clokep
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Description
•