Delete the dehydrated device when resetEncryption is called (#4727)

* delete the dehydrated device when resetEncryption is called

* add more tests to improve coverage

Author: uhoreg

spec/unit/rust-crypto/rust-crypto.spec.ts

@@ -2058,6 +2058,41 @@ describe("RustCrypto", () => {
                 expect(await secretStorage.get("org.matrix.msc3814")).not.toEqual(origDehydrationKey);
             });
         });
+
+        it("should handle errors when deleting a dehydrated device", async () => {
+            const rustCrypto = await makeTestRustCrypto(makeMatrixHttpApi());
+            const dehydratedDeviceManager = rustCrypto["dehydratedDeviceManager"];
+            fetchMock.config.overwriteRoutes = true;
+            // if the server doesn't support dehydrated devices, delete should succeed without throwing an error
+            fetchMock.delete("path:/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device", {
+                status: 404,
+                body: {
+                    errcode: "M_UNRECOGNIZED",
+                    error: "Unknown endpoint",
+                },
+            });
+            await dehydratedDeviceManager.delete();
+
+            // if there is no dehydrated device, delete should succeed without throwing an error
+            fetchMock.delete("path:/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device", {
+                status: 404,
+                body: {
+                    errcode: "M_NOT_FOUND",
+                    error: "Not found",
+                },
+            });
+            await dehydratedDeviceManager.delete();
+
+            // for any other error response, delete should throw an error
+            fetchMock.delete("path:/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device", {
+                status: 400,
+                body: {
+                    errcode: "M_UNKNOWN",
+                    error: "Unknown error",
+                },
+            });
+            await expect(dehydratedDeviceManager.delete()).rejects.toThrow();
+        });
     });
 
     describe("import & export secrets bundle", () => {
@@ -2231,7 +2266,7 @@ describe("RustCrypto", () => {
             fetchMock.post("path:/_matrix/client/v3/keys/signatures/upload", {});
         });
 
-        it("reset should reset 4S, backup and cross-signing", async () => {
+        it("reset should reset 4S, backup, cross-signing, and dehydrated device", async () => {
             // When we will delete the key backup
             let backupIsDeleted = false;
             fetchMock.delete("path:/_matrix/client/v3/room_keys/version/1", () => {
@@ -2243,6 +2278,12 @@ describe("RustCrypto", () => {
                 return backupIsDeleted ? {} : testData.SIGNED_BACKUP_DATA;
             });
 
+            let dehydratedDeviceIsDeleted = false;
+            fetchMock.delete("path:/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device", () => {
+                dehydratedDeviceIsDeleted = true;
+                return { device_id: "ADEVICEID" };
+            });
+
             // A new key backup should be created after the reset
             let newKeyBackupInfo!: KeyBackupInfo;
             fetchMock.post("path:/_matrix/client/v3/room_keys/version", (res, options) => {
@@ -2273,6 +2314,8 @@ describe("RustCrypto", () => {
             expect(newKeyBackupInfo.auth_data).toBeTruthy();
             // The new cross signing keys should be uploaded
             expect(authUploadDeviceSigningKeys).toHaveBeenCalledWith(expect.any(Function));
+            // The dehydrated device was deleted
+            expect(dehydratedDeviceIsDeleted).toBeTruthy();
         });
     });
 });

src/crypto-api/index.ts

@@ -436,11 +436,17 @@ export interface CryptoApi {
 
     /**
      * Reset the encryption of the user by going through the following steps:
+     * - Remove the dehydrated device and stop the periodic creation of dehydrated devices.
      * - Disable backing up room keys and delete any existing backups.
      * - Remove the default secret storage key from the account data (ie: the recovery key).
      * - Reset the cross-signing keys.
      * - Create a new key backup.
      *
+     * Note that the dehydrated device will be removed, but will not be replaced
+     * and it will not schedule creating new dehydrated devices.  To do this,
+     * {@link startDehydration} should be called after a new secret storage key
+     * is created.
+     *
      * @param authUploadDeviceSigningKeys - Callback to authenticate the upload of device signing keys.
      *      Used when resetting the cross signing keys.
      *      See {@link BootstrapCrossSigningOpts#authUploadDeviceSigningKeys}.

src/rust-crypto/DehydratedDeviceManager.ts

@@ -340,6 +340,35 @@ export class DehydratedDeviceManager extends TypedEventEmitter<DehydratedDevices
             this.intervalId = undefined;
         }
     }
+
+    /**
+     * Delete the current dehydrated device and stop the dehydrated device manager.
+     */
+    public async delete(): Promise<void> {
+        this.stop();
+        try {
+            await this.http.authedRequest(
+                Method.Delete,
+                "/dehydrated_device",
+                undefined,
+                {},
+                {
+                    prefix: UnstablePrefix,
+                },
+            );
+        } catch (error) {
+            const err = error as MatrixError;
+            // If dehydrated devices aren't supported, or no dehydrated device
+            // is found, we don't consider it an error, because we we'll end up
+            // with no dehydrated device.
+            if (err.errcode === "M_UNRECOGNIZED") {
+                return;
+            } else if (err.errcode === "M_NOT_FOUND") {
+                return;
+            }
+            throw error;
+        }
+    }
 }
 
 /**

src/rust-crypto/rust-crypto.ts

@@ -1440,6 +1440,10 @@ export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventH
     public async resetEncryption(authUploadDeviceSigningKeys: UIAuthCallback<void>): Promise<void> {
         this.logger.debug("resetEncryption: resetting encryption");
 
+        // Delete the dehydrated device, since any existing one will be signed
+        // by the wrong cross-signing key
+        this.dehydratedDeviceManager.delete();
+
         // Disable backup, and delete all the backups from the server
         await this.backupManager.deleteAllKeyBackupVersions();