feat(widget): Receive custom to-device messages in widgets in e2ee rooms

Proper support for receiving to-device messages for widgets.

If the widget is in an e2ee room, clear to-device traffic will be excluded. Also filter out internal to-device messages that widgets should not be aware off.

Author: BillCarsonFr

crates/matrix-sdk-crypto/src/olm/account.rs

@@ -1509,6 +1509,11 @@ impl Account {
                     )
                     .into());
                 }
+
+                // TODO: we should have access to some decryption settings here
+                // (TrustRequirement) and use it to manually reject the decryption.
+                // Similar to check_sender_trust_requirement for room events
+
                 sender_device = Some(device);
             }
 

crates/matrix-sdk/Cargo.toml

@@ -55,7 +55,7 @@ sso-login = ["local-server"]
 
 uniffi = ["dep:uniffi", "matrix-sdk-base/uniffi", "dep:matrix-sdk-ffi-macros"]
 
-experimental-widgets = ["dep:uuid"]
+experimental-widgets = ["dep:uuid", "experimental-send-custom-to-device"]
 
 docsrs = ["e2e-encryption", "sqlite", "indexeddb", "sso-login", "qrcode"]
 

crates/matrix-sdk/src/test_utils/mocks/encryption.rs

@@ -17,24 +17,29 @@
 //! tests.
 use std::{
     collections::BTreeMap,
+    future::Future,
     sync::{atomic::Ordering, Arc, Mutex},
 };
 
+use matrix_sdk_test::test_json;
 use ruma::{
-    api::client::keys::upload_signatures::v3::SignedKeys,
+    api::client::{
+        keys::upload_signatures::v3::SignedKeys, to_device::send_event_to_device::v3::Messages,
+    },
     encryption::{CrossSigningKey, DeviceKeys, OneTimeKey},
     owned_device_id, owned_user_id,
     serde::Raw,
-    CrossSigningKeyId, DeviceId, OneTimeKeyAlgorithm, OwnedDeviceId, OwnedOneTimeKeyId,
-    OwnedUserId, UserId,
+    CrossSigningKeyId, DeviceId, MilliSecondsSinceUnixEpoch, OneTimeKeyAlgorithm, OwnedDeviceId,
+    OwnedOneTimeKeyId, OwnedUserId, UserId,
 };
 use serde_json::json;
 use wiremock::{
     matchers::{method, path_regex},
-    Mock, Request, ResponseTemplate,
+    Mock, MockGuard, Request, ResponseTemplate,
 };
 
 use crate::{
+    crypto::types::events::room::encrypted::EncryptedToDeviceEvent,
     test_utils::{
         client::MockClientBuilder,
         mocks::{Keys, MatrixMockServer},
@@ -178,6 +183,156 @@ impl MatrixMockServer {
             .mount(&self.server)
             .await;
     }
+
+    /// Creates a response handler for mocking encrypted to-device message
+    /// requests.
+    ///
+    /// This function creates a response handler that captures encrypted
+    /// to-device messages sent via the `/sendToDevice` endpoint.
+    ///
+    /// # Arguments
+    ///
+    /// * `sender` - The user ID of the message sender
+    ///
+    /// # Returns
+    ///
+    /// Returns a tuple containing:
+    /// - A `MockGuard` the end-point mock is scoped to this guard
+    /// - A `Future` that resolves to a `Raw<EncryptedToDeviceEvent>>`
+    ///   containing the captured encrypted to-device message.
+    ///
+    /// # Examples
+    ///
+    /// ```rust
+    /// # use ruma::{ device_id,  user_id, serde::Raw};
+    /// # use serde_json::json;
+    ///
+    /// # use matrix_sdk_test::async_test;
+    /// # use matrix_sdk::test_utils::mocks::MatrixMockServer;
+    /// #
+    /// #[async_test]
+    /// async fn test_mock_capture_put_to_device() {
+    ///     let server = MatrixMockServer::new().await;
+    ///     server.mock_crypto_endpoints_preset().await;
+    ///
+    ///     let (alice, bob) = server.set_up_alice_and_bob_for_encryption().await;
+    ///     let bob_user_id = bob.user_id().unwrap();
+    ///     let bob_device_id = bob.device_id().unwrap();
+    ///
+    ///     // From the point of view of Alice, Bob now has a device.
+    ///     let alice_bob_device = alice
+    ///         .encryption()
+    ///         .get_device(bob_user_id, bob_device_id)
+    ///         .await
+    ///         .unwrap()
+    ///         .expect("alice sees bob's device");
+    ///
+    ///     let content_raw = Raw::new(&json!({ /*...*/ })).unwrap().cast();
+    ///
+    ///     // Set up the mock to capture encrypted to-device messages
+    ///     let (guard, captured) =
+    ///         server.mock_capture_put_to_device(alice.user_id().unwrap()).await;
+    ///
+    ///     alice
+    ///         .encryption()
+    ///         .encrypt_and_send_raw_to_device(
+    ///             vec![&alice_bob_device],
+    ///             "call.keys",
+    ///             content_raw,
+    ///         )
+    ///         .await
+    ///         .unwrap();
+    ///
+    ///     // this is the captured event as sent by alice!
+    ///     let sent_event = captured.await;
+    ///     drop(guard);
+    /// }
+    /// ```
+    pub async fn mock_capture_put_to_device(
+        &self,
+        sender_user_id: &UserId,
+    ) -> (MockGuard, impl Future<Output = Raw<EncryptedToDeviceEvent>>) {
+        let (tx, rx) = tokio::sync::oneshot::channel();
+        let tx = Arc::new(Mutex::new(Some(tx)));
+
+        let sender = sender_user_id.to_owned();
+        let guard = Mock::given(method("PUT"))
+            .and(path_regex(r"^/_matrix/client/.*/sendToDevice/m.room.encrypted/.*"))
+            .respond_with(move |req: &Request| {
+                #[derive(Debug, serde::Deserialize)]
+                struct Parameters {
+                    messages: Messages,
+                }
+
+                let params: Parameters = req.body_json().unwrap();
+
+                let (_, device_to_content) = params.messages.first_key_value().unwrap();
+                let content = device_to_content.first_key_value().unwrap().1;
+
+                let event = json!({
+                    "origin_server_ts": MilliSecondsSinceUnixEpoch::now(),
+                    "sender": sender,
+                    "type": "m.room.encrypted",
+                    "content": content,
+                });
+                let event: Raw<EncryptedToDeviceEvent> = serde_json::from_value(event).unwrap();
+
+                if let Ok(mut guard) = tx.lock() {
+                    if let Some(tx) = guard.take() {
+                        let _ = tx.send(event);
+                    }
+                }
+
+                ResponseTemplate::new(200).set_body_json(&*test_json::EMPTY)
+            })
+            // Should be called once
+            .expect(1)
+            .named("send_to_device")
+            .mount_as_scoped(self.server())
+            .await;
+
+        let future =
+            async move { rx.await.expect("Failed to receive captured value - sender was dropped") };
+
+        (guard, future)
+    }
+
+    /// Captures a to-device message when it is sent to the mock server and then
+    /// injects it into the recipient's sync response.
+    ///
+    /// This is a utility function that combines capturing an encrypted
+    /// to-device message and delivering it to the recipient through a sync
+    /// response. It's useful for testing end-to-end encryption scenarios
+    /// where you need to verify message delivery and processing.
+    ///
+    /// # Arguments
+    ///
+    /// * `sender_user_id` - The user ID of the message sender
+    /// * `recipient` - The client that will receive the message through sync
+    ///
+    /// # Returns
+    ///
+    /// Returns a `Future` that will resolve when the captured event has been
+    /// fed back down the recipient sync.
+    pub async fn mock_capture_put_to_device_then_sync_back<'a>(
+        &'a self,
+        sender_user_id: &UserId,
+        recipient: &'a Client,
+    ) -> impl Future<Output = Raw<EncryptedToDeviceEvent>> + 'a {
+        let (guard, sent_event) = self.mock_capture_put_to_device(sender_user_id).await;
+
+        async {
+            let sent_event = sent_event.await;
+            drop(guard);
+            self.mock_sync()
+                .ok_and_run(recipient, |sync_builder| {
+                    sync_builder.add_to_device_event(sent_event.deserialize_as().unwrap());
+                })
+                .await;
+
+            sent_event
+        }
+    }
 }
 
 /// Intercepts a `/keys/query` request and mock its results as returned by an

crates/matrix-sdk/src/widget/matrix.rs

@@ -40,12 +40,12 @@ use tokio::sync::{
     broadcast::{error::RecvError, Receiver},
     mpsc::{unbounded_channel, UnboundedReceiver},
 };
-use tracing::error;
+use tracing::{error, trace, warn};
 
 use super::{machine::SendEventResponse, StateKeySelector};
 use crate::{
-    event_handler::EventHandlerDropGuard, room::MessagesOptions, sync::RoomUpdate, Error, Result,
-    Room,
+    event_handler::EventHandlerDropGuard, room::MessagesOptions, sync::RoomUpdate, Client, Error,
+    Result, Room,
 };
 
 /// Thin wrapper around a [`Room`] that provides functionality relevant for
@@ -235,21 +235,88 @@ impl MatrixDriver {
     pub(crate) fn to_device_events(&self) -> EventReceiver<Raw<AnyToDeviceEvent>> {
         let (tx, rx) = unbounded_channel();
 
+        let room_id = self.room.room_id().to_owned();
         let to_device_handle = self.room.client().add_event_handler(
-            // TODO: encryption support for to-device is not yet supported. Needs an Olm
-            // EncryptionInfo. The widgetAPI expects a boolean `encrypted` to be added
-            // (!) to the raw content to know if the to-device message was encrypted or
-            // not (as per MSC3819).
-            move |raw: Raw<AnyToDeviceEvent>, _: Option<EncryptionInfo>| {
-                let _ = tx.send(raw);
-                async {}
+
+            async move |raw: Raw<AnyToDeviceEvent>, encryption_info: Option<EncryptionInfo>, client: Client| {
+
+                // Some to-device traffic is used by the SDK for internal machinery.
+                // They should not be exposed to widgets.
+                if Self::should_filter_message_to_widget(&raw) {
+                    return;
+                }
+
+                // Encryption can be enabled after the widget has been instantiated,
+                // we want to keep track of the latest status
+                let Some(room) = client.get_room(&room_id) else {
+                    warn!("Room {room_id} not found in client.");
+                    return;
+                };
+
+                let room_encrypted = room.latest_encryption_state().await
+                    .map(|s| s.is_encrypted())
+                    // Default consider encrypted
+                    .unwrap_or(true);
+                if room_encrypted {
+                    // The room is encrypted so the to-device traffic should be too.
+                    if encryption_info.is_none() {
+                        warn!(
+                            ?room_id,
+                            "Received to-device event in clear for a widget in an e2e room, dropping."
+                        );
+                        return;
+                    };
+
+                    // There are no per-room specific decryption settings, so we can just send to the
+                    // widget
+                    let _ = tx.send(raw);
+                } else {
+                    // forward to the widget
+                    // It is ok to send an encrypted to-device message even if the room is clear.
+                    let _ = tx.send(raw);
+                }
             },
         );
 
         let drop_guard = self.room.client().event_handler_drop_guard(to_device_handle);
         EventReceiver { rx, _drop_guard: drop_guard }
     }
 
+    fn should_filter_message_to_widget(raw_message: &Raw<AnyToDeviceEvent>) -> bool {
+        let Ok(Some(event_type)) = raw_message.get_field::<String>("type") else {
+            trace!("Invalid to-device message (no type) filtered out by widget driver.");
+            return true;
+        };
+
+        // Filter out all the internal crypto related traffic.
+        // The SDK has already zeroized the critical data, but let's not leak any
+        // information
+        let filtered = matches!(
+            event_type.as_str(),
+            "m.dummy"
+                | "m.room_key"
+                | "m.room_key_request"
+                | "m.forwarded_room_key"
+                | "m.key.verification.request"
+                | "m.key.verification.ready"
+                | "m.key.verification.start"
+                | "m.key.verification.cancel"
+                | "m.key.verification.accept"
+                | "m.key.verification.key"
+                | "m.key.verification.mac"
+                | "m.key.verification.done"
+                | "m.secret.request"
+                | "m.secret.send"
+                // drop utd traffic
+                | "m.room.encrypted"
+        );
+
+        if filtered {
+            trace!("To-device message of type <{event_type}> filtered out by widget driver.",);
+        }
+        filtered
+    }
+
     /// It will ignore all devices where errors occurred or where the device is
     /// not verified or where th user has a has_verification_violation.
     pub(crate) async fn send_to_device(