Allow user to control if they are signed out of all devices when changing password (#8259)

Co-authored-by: Michael Telatynski <7t3chguy@gmail.com>
This commit is contained in:
Hugh Nimmo-Smith 2022-04-22 18:15:38 +01:00 committed by GitHub
parent ee2ee3c08c
commit bb4064ff43
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 157 additions and 76 deletions

View file

@ -31,6 +31,7 @@ export default class PasswordReset {
private clientSecret: string; private clientSecret: string;
private password: string; private password: string;
private sessionId: string; private sessionId: string;
private logoutDevices: boolean;
/** /**
* Configure the endpoints for password resetting. * Configure the endpoints for password resetting.
@ -50,10 +51,16 @@ export default class PasswordReset {
* sending an email to the provided email address. * sending an email to the provided email address.
* @param {string} emailAddress The email address * @param {string} emailAddress The email address
* @param {string} newPassword The new password for the account. * @param {string} newPassword The new password for the account.
* @param {boolean} logoutDevices Should all devices be signed out after the reset? Defaults to `true`.
* @return {Promise} Resolves when the email has been sent. Then call checkEmailLinkClicked(). * @return {Promise} Resolves when the email has been sent. Then call checkEmailLinkClicked().
*/ */
public resetPassword(emailAddress: string, newPassword: string): Promise<IRequestTokenResponse> { public resetPassword(
emailAddress: string,
newPassword: string,
logoutDevices = true,
): Promise<IRequestTokenResponse> {
this.password = newPassword; this.password = newPassword;
this.logoutDevices = logoutDevices;
return this.client.requestPasswordEmailToken(emailAddress, this.clientSecret, 1).then((res) => { return this.client.requestPasswordEmailToken(emailAddress, this.clientSecret, 1).then((res) => {
this.sessionId = res.sid; this.sessionId = res.sid;
return res; return res;
@ -90,7 +97,7 @@ export default class PasswordReset {
// See https://github.com/matrix-org/matrix-doc/issues/2220 // See https://github.com/matrix-org/matrix-doc/issues/2220
threepid_creds: creds, threepid_creds: creds,
threepidCreds: creds, threepidCreds: creds,
}, this.password); }, this.password, this.logoutDevices);
} catch (err) { } catch (err) {
if (err.httpStatus === 401) { if (err.httpStatus === 401) {
err.message = _t('Failed to verify email address: make sure you clicked the link in the email'); err.message = _t('Failed to verify email address: make sure you clicked the link in the email');

View file

@ -19,6 +19,7 @@ limitations under the License.
import React from 'react'; import React from 'react';
import classNames from 'classnames'; import classNames from 'classnames';
import { logger } from "matrix-js-sdk/src/logger"; import { logger } from "matrix-js-sdk/src/logger";
import { createClient } from "matrix-js-sdk/src/matrix";
import { _t, _td } from '../../../languageHandler'; import { _t, _td } from '../../../languageHandler';
import Modal from "../../../Modal"; import Modal from "../../../Modal";
@ -37,6 +38,7 @@ import AuthHeader from "../../views/auth/AuthHeader";
import AuthBody from "../../views/auth/AuthBody"; import AuthBody from "../../views/auth/AuthBody";
import PassphraseConfirmField from "../../views/auth/PassphraseConfirmField"; import PassphraseConfirmField from "../../views/auth/PassphraseConfirmField";
import AccessibleButton from '../../views/elements/AccessibleButton'; import AccessibleButton from '../../views/elements/AccessibleButton';
import StyledCheckbox from '../../views/elements/StyledCheckbox';
enum Phase { enum Phase {
// Show the forgot password inputs // Show the forgot password inputs
@ -72,6 +74,9 @@ interface IState {
serverDeadError: string; serverDeadError: string;
currentHttpRequest?: Promise<any>; currentHttpRequest?: Promise<any>;
serverSupportsControlOfDevicesLogout: boolean;
logoutDevices: boolean;
} }
enum ForgotPasswordField { enum ForgotPasswordField {
@ -97,11 +102,14 @@ export default class ForgotPassword extends React.Component<IProps, IState> {
serverIsAlive: true, serverIsAlive: true,
serverErrorIsFatal: false, serverErrorIsFatal: false,
serverDeadError: "", serverDeadError: "",
serverSupportsControlOfDevicesLogout: false,
logoutDevices: false,
}; };
public componentDidMount() { public componentDidMount() {
this.reset = null; this.reset = null;
this.checkServerLiveliness(this.props.serverConfig); this.checkServerLiveliness(this.props.serverConfig);
this.checkServerCapabilities(this.props.serverConfig);
} }
// TODO: [REACT-WARNING] Replace with appropriate lifecycle event // TODO: [REACT-WARNING] Replace with appropriate lifecycle event
@ -112,6 +120,9 @@ export default class ForgotPassword extends React.Component<IProps, IState> {
// Do a liveliness check on the new URLs // Do a liveliness check on the new URLs
this.checkServerLiveliness(newProps.serverConfig); this.checkServerLiveliness(newProps.serverConfig);
// Do capabilities check on new URLs
this.checkServerCapabilities(newProps.serverConfig);
} }
private async checkServerLiveliness(serverConfig): Promise<void> { private async checkServerLiveliness(serverConfig): Promise<void> {
@ -129,12 +140,25 @@ export default class ForgotPassword extends React.Component<IProps, IState> {
} }
} }
public submitPasswordReset(email: string, password: string): void { private async checkServerCapabilities(serverConfig: ValidatedServerConfig): Promise<void> {
const tempClient = createClient({
baseUrl: serverConfig.hsUrl,
});
const serverSupportsControlOfDevicesLogout = await tempClient.doesServerSupportLogoutDevices();
this.setState({
logoutDevices: !serverSupportsControlOfDevicesLogout,
serverSupportsControlOfDevicesLogout,
});
}
public submitPasswordReset(email: string, password: string, logoutDevices = true): void {
this.setState({ this.setState({
phase: Phase.SendingEmail, phase: Phase.SendingEmail,
}); });
this.reset = new PasswordReset(this.props.serverConfig.hsUrl, this.props.serverConfig.isUrl); this.reset = new PasswordReset(this.props.serverConfig.hsUrl, this.props.serverConfig.isUrl);
this.reset.resetPassword(email, password).then(() => { this.reset.resetPassword(email, password, logoutDevices).then(() => {
this.setState({ this.setState({
phase: Phase.EmailSent, phase: Phase.EmailSent,
}); });
@ -174,24 +198,35 @@ export default class ForgotPassword extends React.Component<IProps, IState> {
return; return;
} }
Modal.createTrackedDialog('Forgot Password Warning', '', QuestionDialog, { if (this.state.logoutDevices) {
title: _t('Warning!'), const { finished } = Modal.createTrackedDialog<[boolean]>('Forgot Password Warning', '', QuestionDialog, {
description: title: _t('Warning!'),
<div> description:
{ _t( <div>
"Changing your password will reset any end-to-end encryption keys " + <p>{ !this.state.serverSupportsControlOfDevicesLogout ?
"on all of your sessions, making encrypted chat history unreadable. Set up " + _t(
"Key Backup or export your room keys from another session before resetting your " + "Resetting your password on this homeserver will cause all of your devices to be " +
"password.", "signed out. This will delete the message encryption keys stored on them, " +
) } "making encrypted chat history unreadable.",
</div>, ) :
button: _t('Continue'), _t(
onFinished: (confirmed) => { "Signing out your devices will delete the message encryption keys stored on them, " +
if (confirmed) { "making encrypted chat history unreadable.",
this.submitPasswordReset(this.state.email, this.state.password); )
} }</p>
}, <p>{ _t(
}); "If you want to retain access to your chat history in encrypted rooms, set up Key Backup " +
"or export your message keys from one of your other devices before proceeding.",
) }</p>
</div>,
button: _t('Continue'),
});
const [confirmed] = await finished;
if (!confirmed) return;
}
this.submitPasswordReset(this.state.email, this.state.password, this.state.logoutDevices);
}; };
private async verifyFieldsBeforeSubmit() { private async verifyFieldsBeforeSubmit() {
@ -316,6 +351,13 @@ export default class ForgotPassword extends React.Component<IProps, IState> {
autoComplete="new-password" autoComplete="new-password"
/> />
</div> </div>
{ this.state.serverSupportsControlOfDevicesLogout ?
<div className="mx_AuthBody_fieldRow">
<StyledCheckbox onChange={() => this.setState({ logoutDevices: !this.state.logoutDevices })} checked={this.state.logoutDevices}>
{ _t("Sign out all devices") }
</StyledCheckbox>
</div> : null
}
<span>{ _t( <span>{ _t(
'A verification email will be sent to your inbox to confirm ' + 'A verification email will be sent to your inbox to confirm ' +
'setting your new password.', 'setting your new password.',
@ -355,11 +397,14 @@ export default class ForgotPassword extends React.Component<IProps, IState> {
renderDone() { renderDone() {
return <div> return <div>
<p>{ _t("Your password has been reset.") }</p> <p>{ _t("Your password has been reset.") }</p>
<p>{ _t( { this.state.logoutDevices ?
"You have been logged out of all sessions and will no longer receive " + <p>{ _t(
"push notifications. To re-enable notifications, sign in again on each " + "You have been logged out of all devices and will no longer receive " +
"device.", "push notifications. To re-enable notifications, sign in again on each " +
) }</p> "device.",
) }</p>
: null
}
<input <input
className="mx_Login_submit" className="mx_Login_submit"
type="button" type="button"

View file

@ -41,7 +41,11 @@ enum Phase {
} }
interface IProps { interface IProps {
onFinished?: ({ didSetEmail: boolean }?) => void; onFinished?: (outcome: {
didSetEmail?: boolean;
/** Was one or more other devices logged out whilst changing the password */
didLogoutOutOtherDevices: boolean;
}) => void;
onError?: (error: {error: string}) => void; onError?: (error: {error: string}) => void;
rowClassName?: string; rowClassName?: string;
buttonClassName?: string; buttonClassName?: string;
@ -82,48 +86,58 @@ export default class ChangePassword extends React.Component<IProps, IState> {
}; };
} }
private onChangePassword(oldPassword: string, newPassword: string): void { private async onChangePassword(oldPassword: string, newPassword: string): Promise<void> {
const cli = MatrixClientPeg.get(); const cli = MatrixClientPeg.get();
if (!this.props.confirm) { // if the server supports it then don't sign user out of all devices
this.changePassword(cli, oldPassword, newPassword); const serverSupportsControlOfDevicesLogout = await cli.doesServerSupportLogoutDevices();
return; const userHasOtherDevices = (await cli.getDevices()).devices.length > 1;
if (userHasOtherDevices && !serverSupportsControlOfDevicesLogout && this.props.confirm) {
// warn about logging out all devices
const { finished } = Modal.createTrackedDialog<[boolean]>('Change Password', '', QuestionDialog, {
title: _t("Warning!"),
description:
<div>
<p>{ _t(
'Changing your password on this homeserver will cause all of your other devices to be ' +
'signed out. This will delete the message encryption keys stored on them, and may make ' +
'encrypted chat history unreadable.',
) }</p>
<p>{ _t(
'If you want to retain access to your chat history in encrypted rooms you should first ' +
'export your room keys and re-import them afterwards.',
) }</p>
<p>{ _t(
'You can also ask your homeserver admin to upgrade the server to change this behaviour.',
) }</p>
</div>,
button: _t("Continue"),
extraButtons: [
<button
key="exportRoomKeys"
className="mx_Dialog_primary"
onClick={this.onExportE2eKeysClicked}
>
{ _t('Export E2E room keys') }
</button>,
],
});
const [confirmed] = await finished;
if (!confirmed) return;
} }
Modal.createTrackedDialog('Change Password', '', QuestionDialog, { this.changePassword(cli, oldPassword, newPassword, serverSupportsControlOfDevicesLogout, userHasOtherDevices);
title: _t("Warning!"),
description:
<div>
{ _t(
'Changing password will currently reset any end-to-end encryption keys on all sessions, ' +
'making encrypted chat history unreadable, unless you first export your room keys ' +
'and re-import them afterwards. ' +
'In future this will be improved.',
) }
{ ' ' }
<a href="https://github.com/vector-im/element-web/issues/2671" target="_blank" rel="noreferrer noopener">
https://github.com/vector-im/element-web/issues/2671
</a>
</div>,
button: _t("Continue"),
extraButtons: [
<button
key="exportRoomKeys"
className="mx_Dialog_primary"
onClick={this.onExportE2eKeysClicked}
>
{ _t('Export E2E room keys') }
</button>,
],
onFinished: (confirmed) => {
if (confirmed) {
this.changePassword(cli, oldPassword, newPassword);
}
},
});
} }
private changePassword(cli: MatrixClient, oldPassword: string, newPassword: string): void { private changePassword(
cli: MatrixClient,
oldPassword: string,
newPassword: string,
serverSupportsControlOfDevicesLogout: boolean,
userHasOtherDevices: boolean,
): void {
const authDict = { const authDict = {
type: 'm.login.password', type: 'm.login.password',
identifier: { identifier: {
@ -140,15 +154,21 @@ export default class ChangePassword extends React.Component<IProps, IState> {
phase: Phase.Uploading, phase: Phase.Uploading,
}); });
cli.setPassword(authDict, newPassword).then(() => { const logoutDevices = serverSupportsControlOfDevicesLogout ? false : undefined;
// undefined or true mean all devices signed out
const didLogoutOutOtherDevices = !serverSupportsControlOfDevicesLogout && userHasOtherDevices;
cli.setPassword(authDict, newPassword, logoutDevices).then(() => {
if (this.props.shouldAskForEmail) { if (this.props.shouldAskForEmail) {
return this.optionallySetEmail().then((confirmed) => { return this.optionallySetEmail().then((confirmed) => {
this.props.onFinished({ this.props.onFinished({
didSetEmail: confirmed, didSetEmail: confirmed,
didLogoutOutOtherDevices,
}); });
}); });
} else { } else {
this.props.onFinished(); this.props.onFinished({ didLogoutOutOtherDevices });
} }
}, (err) => { }, (err) => {
this.props.onError(err); this.props.onError(err);
@ -279,7 +299,7 @@ export default class ChangePassword extends React.Component<IProps, IState> {
if (err) { if (err) {
this.props.onError(err); this.props.onError(err);
} else { } else {
this.onChangePassword(oldPassword, newPassword); return this.onChangePassword(oldPassword, newPassword);
} }
}; };

View file

@ -260,14 +260,17 @@ export default class GeneralUserSettingsTab extends React.Component<IProps, ISta
}); });
}; };
private onPasswordChanged = (): void => { private onPasswordChanged = ({ didLogoutOutOtherDevices }: { didLogoutOutOtherDevices: boolean }): void => {
let description = _t("Your password was successfully changed.");
if (didLogoutOutOtherDevices) {
description += " " + _t(
"You will not receive push notifications on other devices until you sign back in to them.",
);
}
// TODO: Figure out a design that doesn't involve replacing the current dialog // TODO: Figure out a design that doesn't involve replacing the current dialog
Modal.createTrackedDialog('Password changed', '', ErrorDialog, { Modal.createTrackedDialog('Password changed', '', ErrorDialog, {
title: _t("Success"), title: _t("Success"),
description: _t( description,
"Your password was successfully changed. You will not receive " +
"push notifications on other sessions until you log back in to them",
) + ".",
}); });
}; };

View file

@ -1213,7 +1213,9 @@
"Upload new:": "Upload new:", "Upload new:": "Upload new:",
"No display name": "No display name", "No display name": "No display name",
"Warning!": "Warning!", "Warning!": "Warning!",
"Changing password will currently reset any end-to-end encryption keys on all sessions, making encrypted chat history unreadable, unless you first export your room keys and re-import them afterwards. In future this will be improved.": "Changing password will currently reset any end-to-end encryption keys on all sessions, making encrypted chat history unreadable, unless you first export your room keys and re-import them afterwards. In future this will be improved.", "Changing your password on this homeserver will cause all of your other devices to be signed out. This will delete the message encryption keys stored on them, and may make encrypted chat history unreadable.": "Changing your password on this homeserver will cause all of your other devices to be signed out. This will delete the message encryption keys stored on them, and may make encrypted chat history unreadable.",
"If you want to retain access to your chat history in encrypted rooms you should first export your room keys and re-import them afterwards.": "If you want to retain access to your chat history in encrypted rooms you should first export your room keys and re-import them afterwards.",
"You can also ask your homeserver admin to upgrade the server to change this behaviour.": "You can also ask your homeserver admin to upgrade the server to change this behaviour.",
"Export E2E room keys": "Export E2E room keys", "Export E2E room keys": "Export E2E room keys",
"New passwords don't match": "New passwords don't match", "New passwords don't match": "New passwords don't match",
"Passwords can't be empty": "Passwords can't be empty", "Passwords can't be empty": "Passwords can't be empty",
@ -1426,8 +1428,9 @@
"Customise your appearance": "Customise your appearance", "Customise your appearance": "Customise your appearance",
"Appearance Settings only affect this %(brand)s session.": "Appearance Settings only affect this %(brand)s session.", "Appearance Settings only affect this %(brand)s session.": "Appearance Settings only affect this %(brand)s session.",
"Failed to change password. Is your password correct?": "Failed to change password. Is your password correct?", "Failed to change password. Is your password correct?": "Failed to change password. Is your password correct?",
"Your password was successfully changed.": "Your password was successfully changed.",
"You will not receive push notifications on other devices until you sign back in to them.": "You will not receive push notifications on other devices until you sign back in to them.",
"Success": "Success", "Success": "Success",
"Your password was successfully changed. You will not receive push notifications on other sessions until you log back in to them": "Your password was successfully changed. You will not receive push notifications on other sessions until you log back in to them",
"Email addresses": "Email addresses", "Email addresses": "Email addresses",
"Phone numbers": "Phone numbers", "Phone numbers": "Phone numbers",
"Set a new account password...": "Set a new account password...", "Set a new account password...": "Set a new account password...",
@ -3177,18 +3180,21 @@
"Really reset verification keys?": "Really reset verification keys?", "Really reset verification keys?": "Really reset verification keys?",
"Skip verification for now": "Skip verification for now", "Skip verification for now": "Skip verification for now",
"Failed to send email": "Failed to send email", "Failed to send email": "Failed to send email",
"Changing your password will reset any end-to-end encryption keys on all of your sessions, making encrypted chat history unreadable. Set up Key Backup or export your room keys from another session before resetting your password.": "Changing your password will reset any end-to-end encryption keys on all of your sessions, making encrypted chat history unreadable. Set up Key Backup or export your room keys from another session before resetting your password.", "Resetting your password on this homeserver will cause all of your devices to be signed out. This will delete the message encryption keys stored on them, making encrypted chat history unreadable.": "Resetting your password on this homeserver will cause all of your devices to be signed out. This will delete the message encryption keys stored on them, making encrypted chat history unreadable.",
"Signing out your devices will delete the message encryption keys stored on them, making encrypted chat history unreadable.": "Signing out your devices will delete the message encryption keys stored on them, making encrypted chat history unreadable.",
"If you want to retain access to your chat history in encrypted rooms, set up Key Backup or export your message keys from one of your other devices before proceeding.": "If you want to retain access to your chat history in encrypted rooms, set up Key Backup or export your message keys from one of your other devices before proceeding.",
"The email address linked to your account must be entered.": "The email address linked to your account must be entered.", "The email address linked to your account must be entered.": "The email address linked to your account must be entered.",
"The email address doesn't appear to be valid.": "The email address doesn't appear to be valid.", "The email address doesn't appear to be valid.": "The email address doesn't appear to be valid.",
"A new password must be entered.": "A new password must be entered.", "A new password must be entered.": "A new password must be entered.",
"New passwords must match each other.": "New passwords must match each other.", "New passwords must match each other.": "New passwords must match each other.",
"Sign out all devices": "Sign out all devices",
"A verification email will be sent to your inbox to confirm setting your new password.": "A verification email will be sent to your inbox to confirm setting your new password.", "A verification email will be sent to your inbox to confirm setting your new password.": "A verification email will be sent to your inbox to confirm setting your new password.",
"Send Reset Email": "Send Reset Email", "Send Reset Email": "Send Reset Email",
"Sign in instead": "Sign in instead", "Sign in instead": "Sign in instead",
"An email has been sent to %(emailAddress)s. Once you've followed the link it contains, click below.": "An email has been sent to %(emailAddress)s. Once you've followed the link it contains, click below.", "An email has been sent to %(emailAddress)s. Once you've followed the link it contains, click below.": "An email has been sent to %(emailAddress)s. Once you've followed the link it contains, click below.",
"I have verified my email address": "I have verified my email address", "I have verified my email address": "I have verified my email address",
"Your password has been reset.": "Your password has been reset.", "Your password has been reset.": "Your password has been reset.",
"You have been logged out of all sessions and will no longer receive push notifications. To re-enable notifications, sign in again on each device.": "You have been logged out of all sessions and will no longer receive push notifications. To re-enable notifications, sign in again on each device.", "You have been logged out of all devices and will no longer receive push notifications. To re-enable notifications, sign in again on each device.": "You have been logged out of all devices and will no longer receive push notifications. To re-enable notifications, sign in again on each device.",
"Return to login screen": "Return to login screen", "Return to login screen": "Return to login screen",
"Set a new password": "Set a new password", "Set a new password": "Set a new password",
"Invalid homeserver discovery response": "Invalid homeserver discovery response", "Invalid homeserver discovery response": "Invalid homeserver discovery response",