Skip to content

feat(oauth): expose sessions expiration errors during QR login #5898

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
poljar merged 4 commits into from
Nov 26, 2025
Merged

feat(oauth): expose sessions expiration errors during QR login #5898

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e0978eb
fix(oauth): expose client API errors when receiving messages on rende…
Johennes Nov 25, 2025
013fffc
feat(testing): allow specifying expiration duration in MockedRendezvo…
Johennes Nov 25, 2025
fa28ed2
feat(oauth): expose session expiration errors when granting login wit…
Johennes Nov 25, 2025
13b2273
feat(oauth): expose session expiration errors when requesting login w…
Johennes Nov 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions bindings/matrix-sdk-ffi/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ All notable changes to this project will be documented in this file.

### Breaking changes

- Add `HumanQrLoginError::NotFound` for non-existing / expired rendezvous sessions
([#5898](https://github.com/matrix-org/matrix-rust-sdk/pull/5898))
- Add `HumanQrGrantLoginError::NotFound` for non-existing / expired rendezvous sessions
([#5898](https://github.com/matrix-org/matrix-rust-sdk/pull/5898))
- The `LatestEventValue::Local` type gains 2 new fields: `sender` and `profile`.
([#5885](https://github.com/matrix-org/matrix-rust-sdk/pull/5885))
- The `Encryption::user_identity()` method has received a new argument. The
Expand Down
9 changes: 9 additions & 0 deletions bindings/matrix-sdk-ffi/src/qr_code.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -284,6 +284,8 @@ pub enum HumanQrLoginError {
CheckCodeAlreadySent,
#[error("The check code could not be sent.")]
CheckCodeCannotBeSent,
#[error("The rendezvous session was not found and might have expired")]
NotFound,
}

impl From<qrcode::QRCodeLoginError> for HumanQrLoginError {
Expand Down Expand Up @@ -331,6 +333,8 @@ impl From<qrcode::QRCodeLoginError> for HumanQrLoginError {
| QRCodeLoginError::UserIdDiscovery(_)
| QRCodeLoginError::SecretImport(_)
| QRCodeLoginError::ServerReset(_) => HumanQrLoginError::Unknown,

QRCodeLoginError::NotFound => HumanQrLoginError::NotFound,
}
}
}
Expand Down Expand Up @@ -363,6 +367,10 @@ pub enum HumanQrGrantLoginError {
#[error("Secrets backup not set up: {0}")]
MissingSecretsBackup(String),

/// The rendezvous session was not found and might have expired.
#[error("The rendezvous session was not found and might have expired")]
NotFound,

/// The device could not be created.
#[error("The device could not be created.")]
UnableToCreateDevice,
Expand All @@ -386,6 +394,7 @@ impl From<qrcode::QRCodeGrantLoginError> for HumanQrGrantLoginError {
QRCodeGrantLoginError::MissingSecretsBackup(error) => {
Self::MissingSecretsBackup(error.map_or("other".to_owned(), |e| e.to_string()))
}
QRCodeGrantLoginError::NotFound => Self::NotFound,
QRCodeGrantLoginError::Unknown(string) => Self::Unknown(string),
}
}
Expand Down
4 changes: 4 additions & 0 deletions crates/matrix-sdk/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ All notable changes to this project will be documented in this file.

### Features

- Add `QRCodeLoginError::NotFound` for non-existing / expired rendezvous sessions
([#5898](https://github.com/matrix-org/matrix-rust-sdk/pull/5898))
- Add `QRCodeGrantLoginError::NotFound` for non-existing / expired rendezvous sessions
([#5898](https://github.com/matrix-org/matrix-rust-sdk/pull/5898))
- Improve logging around key history bundles when joining a room.
([#5866](https://github.com/matrix-org/matrix-rust-sdk/pull/5866))
- Expose the power level required to modify `m.space.child` on
Expand Down
182 changes: 173 additions & 9 deletions crates/matrix-sdk/src/authentication/oauth/qrcode/grant.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -674,7 +674,8 @@ mod test {
#[async_test]
async fn test_grant_login_with_generated_qr_code() {
let server = MatrixMockServer::new().await;
let rendezvous_server = MockedRendezvousServer::new(server.server(), "abcdEFG12345").await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::MAX).await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

let device_authorization_grant = AuthorizationGrant {
Expand Down Expand Up @@ -817,7 +818,8 @@ mod test {
#[async_test]
async fn test_grant_login_with_scanned_qr_code() {
let server = MatrixMockServer::new().await;
let rendezvous_server = MockedRendezvousServer::new(server.server(), "abcdEFG12345").await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::MAX).await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

let device_authorization_grant = AuthorizationGrant {
Expand Down Expand Up @@ -943,7 +945,8 @@ mod test {
#[async_test]
async fn test_grant_login_with_scanned_qr_code_with_homeserver_swap() {
let server = MatrixMockServer::new().await;
let rendezvous_server = MockedRendezvousServer::new(server.server(), "abcdEFG12345").await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::MAX).await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

let device_authorization_grant = AuthorizationGrant {
Expand Down Expand Up @@ -1072,7 +1075,8 @@ mod test {
async fn test_grant_login_with_generated_qr_code_unexpected_message_instead_of_login_protocol()
{
let server = MatrixMockServer::new().await;
let rendezvous_server = MockedRendezvousServer::new(server.server(), "abcdEFG12345").await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::MAX).await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

server.mock_upload_keys().ok().expect(1).named("upload_keys").mount().await;
Expand Down Expand Up @@ -1188,7 +1192,8 @@ mod test {
#[async_test]
async fn test_grant_login_with_scanned_qr_code_unexpected_message_instead_of_login_protocol() {
let server = MatrixMockServer::new().await;
let rendezvous_server = MockedRendezvousServer::new(server.server(), "abcdEFG12345").await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::MAX).await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

server.mock_upload_keys().ok().expect(1).named("upload_keys").mount().await;
Expand Down Expand Up @@ -1290,7 +1295,8 @@ mod test {
#[async_test]
async fn test_grant_login_with_generated_qr_code_device_already_exists() {
let server = MatrixMockServer::new().await;
let rendezvous_server = MockedRendezvousServer::new(server.server(), "abcdEFG12345").await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::MAX).await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

let device_authorization_grant = AuthorizationGrant {
Expand Down Expand Up @@ -1415,7 +1421,8 @@ mod test {
#[async_test]
async fn test_grant_login_with_scanned_qr_code_device_already_exists() {
let server = MatrixMockServer::new().await;
let rendezvous_server = MockedRendezvousServer::new(server.server(), "abcdEFG12345").await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::MAX).await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

let device_authorization_grant = AuthorizationGrant {
Expand Down Expand Up @@ -1525,7 +1532,8 @@ mod test {
#[async_test]
async fn test_grant_login_with_generated_qr_code_device_not_created() {
let server = MatrixMockServer::new().await;
let rendezvous_server = MockedRendezvousServer::new(server.server(), "abcdEFG12345").await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::MAX).await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

let device_authorization_grant = AuthorizationGrant {
Expand Down Expand Up @@ -1660,7 +1668,8 @@ mod test {
#[async_test]
async fn test_grant_login_with_scanned_qr_code_device_not_created() {
let server = MatrixMockServer::new().await;
let rendezvous_server = MockedRendezvousServer::new(server.server(), "abcdEFG12345").await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::MAX).await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

let device_authorization_grant = AuthorizationGrant {
Expand Down Expand Up @@ -1774,4 +1783,159 @@ mod test {
updates_task.await.expect("Alice should run through all progress states");
bob_task.await.expect("Bob's task should finish");
}

#[async_test]
async fn test_grant_login_with_generated_qr_code_session_expired() {
let server = MatrixMockServer::new().await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::from_secs(2))
.await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

server.mock_upload_keys().ok().expect(1).named("upload_keys").mount().await;
server
.mock_upload_cross_signing_keys()
.ok()
.expect(1)
.named("upload_xsigning_keys")
.mount()
.await;
server
.mock_upload_cross_signing_signatures()
.ok()
.expect(1)
.named("upload_xsigning_signatures")
.mount()
.await;

// Create the existing client (Alice).
let user_id = owned_user_id!("@alice:example.org");
let device_id = owned_device_id!("ALICE_DEVICE");
let alice = server
.client_builder_for_crypto_end_to_end(&user_id, &device_id)
.logged_in_with_oauth()
.build()
.await;
alice
.encryption()
.bootstrap_cross_signing(None)
.await
.expect("Alice should be able to set up cross signing");

// Prepare the login granting future.
let oauth = alice.oauth();
let grant = oauth
.grant_login_with_qr_code()
.device_creation_timeout(Duration::from_secs(2))
.generate();

// Spawn the updates task.
let mut updates = grant.subscribe_to_progress();
let mut state = grant.state.get();
assert_matches!(state.clone(), GrantLoginProgress::Starting);
let updates_task = spawn(async move {
while let Some(update) = updates.next().await {
match &update {
GrantLoginProgress::Starting => {
assert_matches!(state, GrantLoginProgress::Starting);
}
GrantLoginProgress::EstablishingSecureChannel(
GeneratedQrProgress::QrReady(_),
) => {
assert_matches!(state, GrantLoginProgress::Starting);
}
_ => {
panic!("Alice should abort the process");
}
}
state = update;
}
});

// Bob does not scan the QR code and the channel is never connected.

// Wait for the rendezvous session to time out.
assert_matches!(grant.await, Err(QRCodeGrantLoginError::NotFound));
updates_task.await.expect("Alice should run through all progress states");
}

#[async_test]
async fn test_grant_login_with_scanned_qr_code_session_expired() {
let server = MatrixMockServer::new().await;
let rendezvous_server =
MockedRendezvousServer::new(server.server(), "abcdEFG12345", Duration::from_secs(2))
.await;
debug!("Set up rendezvous server mock at {}", rendezvous_server.rendezvous_url);

server.mock_upload_keys().ok().expect(1).named("upload_keys").mount().await;
server
.mock_upload_cross_signing_keys()
.ok()
.expect(1)
.named("upload_xsigning_keys")
.mount()
.await;
server
.mock_upload_cross_signing_signatures()
.ok()
.expect(1)
.named("upload_xsigning_signatures")
.mount()
.await;

// Create a secure channel on the new client (Bob) and extract the QR code.
let client = HttpClient::new(reqwest::Client::new(), Default::default());
let channel = SecureChannel::login(client, &rendezvous_server.homeserver_url)
.await
.expect("Bob should be able to create a secure channel.");
let qr_code_data = channel.qr_code_data().clone();

// Create the existing client (Alice).
let user_id = owned_user_id!("@alice:example.org");
let device_id = owned_device_id!("ALICE_DEVICE");
let alice = server
.client_builder_for_crypto_end_to_end(&user_id, &device_id)
.logged_in_with_oauth()
.build()
.await;
alice
.encryption()
.bootstrap_cross_signing(None)
.await
.expect("Alice should be able to set up cross signing");

// Prepare the login granting future using the QR code.
let oauth = alice.oauth();
let grant = oauth
.grant_login_with_qr_code()
.device_creation_timeout(Duration::from_secs(2))
.scan(&qr_code_data);

// Spawn the updates task.
let mut updates = grant.subscribe_to_progress();
let mut state = grant.state.get();
assert_matches!(state.clone(), GrantLoginProgress::Starting);
let updates_task = spawn(async move {
while let Some(update) = updates.next().await {
match &update {
GrantLoginProgress::Starting => {
assert_matches!(state, GrantLoginProgress::Starting);
}
GrantLoginProgress::EstablishingSecureChannel(QrProgress { .. }) => {
assert_matches!(state, GrantLoginProgress::Starting);
}
_ => {
panic!("Alice should abort the process");
}
}
state = update;
}
});

// Bob does not connect the channel.

// Wait for the rendezvous session to time out.
assert_matches!(grant.await, Err(QRCodeGrantLoginError::NotFound));
updates_task.await.expect("Alice should run through all progress states");
}
}
Loading
Loading