1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186
// Copyright 2023 Kévin Commaille
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//! Types and functions related to authentication in Matrix.
// TODO:(pixlwave) Move AuthenticationService from the FFI into this module.
// TODO:(poljar) Move the oidc and matrix_auth modules under this module.
use as_variant::as_variant;
use matrix_sdk_base::SessionMeta;
use tokio::sync::{broadcast, Mutex, OnceCell};
#[cfg(feature = "experimental-oidc")]
use crate::oidc::{self, Oidc, OidcAuthData, OidcCtx};
use crate::{
matrix_auth::{self, MatrixAuth, MatrixAuthData},
Client, RefreshTokenError, SessionChange,
};
#[cfg(all(feature = "experimental-oidc", feature = "e2e-encryption", not(target_arch = "wasm32")))]
pub mod qrcode;
/// Session tokens, for any kind of authentication.
#[allow(missing_debug_implementations, clippy::large_enum_variant)]
pub enum SessionTokens {
/// Tokens for a [`matrix_auth`] session.
Matrix(matrix_auth::MatrixSessionTokens),
#[cfg(feature = "experimental-oidc")]
/// Tokens for an [`oidc`] session.
Oidc(oidc::OidcSessionTokens),
}
pub(crate) type SessionCallbackError = Box<dyn std::error::Error + Send + Sync>;
pub(crate) type SaveSessionCallback =
dyn Fn(Client) -> Result<(), SessionCallbackError> + Send + Sync;
pub(crate) type ReloadSessionCallback =
dyn Fn(Client) -> Result<SessionTokens, SessionCallbackError> + Send + Sync;
/// All the data relative to authentication, and that must be shared between a
/// client and all its children.
pub(crate) struct AuthCtx {
#[cfg(feature = "experimental-oidc")]
pub(crate) oidc: OidcCtx,
/// Whether to try to refresh the access token automatically when an
/// `M_UNKNOWN_TOKEN` error is encountered.
pub(crate) handle_refresh_tokens: bool,
/// Lock making sure we're only doing one token refresh at a time.
pub(crate) refresh_token_lock: Mutex<Result<(), RefreshTokenError>>,
/// Session change publisher. Allows the subscriber to handle changes to the
/// session such as logging out when the access token is invalid or
/// persisting updates to the access/refresh tokens.
pub(crate) session_change_sender: broadcast::Sender<SessionChange>,
/// Authentication data to keep in memory.
pub(crate) auth_data: OnceCell<AuthData>,
/// A callback called whenever we need an absolute source of truth for the
/// current session tokens.
///
/// This is required only in multiple processes setups.
pub(crate) reload_session_callback: OnceCell<Box<ReloadSessionCallback>>,
/// A callback to save a session back into the app's secure storage.
///
/// This is always called, independently of the presence of a cross-process
/// lock.
///
/// Internal invariant: this must be called only after `set_session_tokens`
/// has been called, not before.
pub(crate) save_session_callback: OnceCell<Box<SaveSessionCallback>>,
}
/// An enum over all the possible authentication APIs.
#[derive(Debug, Clone)]
#[non_exhaustive]
pub enum AuthApi {
/// The native Matrix authentication API.
Matrix(MatrixAuth),
/// The OpenID Connect API.
#[cfg(feature = "experimental-oidc")]
Oidc(Oidc),
}
/// A user session using one of the available authentication APIs.
#[derive(Debug, Clone)]
#[non_exhaustive]
pub enum AuthSession {
/// A session using the native Matrix authentication API.
Matrix(matrix_auth::MatrixSession),
/// A session using the OpenID Connect API.
#[cfg(feature = "experimental-oidc")]
Oidc(oidc::OidcSession),
}
impl AuthSession {
/// Get the matrix user information of this session.
pub fn meta(&self) -> &SessionMeta {
match self {
AuthSession::Matrix(session) => &session.meta,
#[cfg(feature = "experimental-oidc")]
AuthSession::Oidc(session) => &session.user.meta,
}
}
/// Take the matrix user information of this session.
pub fn into_meta(self) -> SessionMeta {
match self {
AuthSession::Matrix(session) => session.meta,
#[cfg(feature = "experimental-oidc")]
AuthSession::Oidc(session) => session.user.meta,
}
}
/// Get the access token of this session.
pub fn access_token(&self) -> &str {
match self {
AuthSession::Matrix(session) => &session.tokens.access_token,
#[cfg(feature = "experimental-oidc")]
AuthSession::Oidc(session) => &session.user.tokens.access_token,
}
}
/// Get the refresh token of this session.
pub fn get_refresh_token(&self) -> Option<&str> {
match self {
AuthSession::Matrix(session) => session.tokens.refresh_token.as_deref(),
#[cfg(feature = "experimental-oidc")]
AuthSession::Oidc(session) => session.user.tokens.refresh_token.as_deref(),
}
}
}
impl From<matrix_auth::MatrixSession> for AuthSession {
fn from(session: matrix_auth::MatrixSession) -> Self {
Self::Matrix(session)
}
}
#[cfg(feature = "experimental-oidc")]
impl From<oidc::OidcSession> for AuthSession {
fn from(session: oidc::OidcSession) -> Self {
Self::Oidc(session)
}
}
/// Data for an authentication API.
#[derive(Debug)]
pub(crate) enum AuthData {
/// Data for the native Matrix authentication API.
Matrix(MatrixAuthData),
/// Data for the OpenID Connect API.
#[cfg(feature = "experimental-oidc")]
Oidc(OidcAuthData),
}
impl AuthData {
pub(crate) fn as_matrix(&self) -> Option<&MatrixAuthData> {
as_variant!(self, Self::Matrix)
}
pub(crate) fn access_token(&self) -> Option<String> {
let token = match self {
Self::Matrix(d) => d.tokens.get().access_token,
#[cfg(feature = "experimental-oidc")]
Self::Oidc(d) => d.tokens.get()?.get().access_token,
};
Some(token)
}
}