Support for MSC4388 for the QR login

Cargo.toml

@@ -46,12 +46,12 @@ eyeball-im-util = { version = "0.10.0", default-features = false }
 futures-core = { version = "0.3.31", default-features = false, features = ["std"] }
 futures-executor = { version = "0.3.31", default-features = false, features = ["std"] }
 futures-util = { version = "0.3.31", default-features = false, features = ["std"] }
-getrandom = { version = "0.3.4", default-features = false }
+getrandom = { version = "0.4.1", default-features = false }
 gloo-timers = { version = "0.3.0", default-features = false }
 gloo-utils = { version = "0.2.0", default-features = false, features = ["serde"] }
 growable-bloom-filter = { version = "2.1.1", default-features = false }
 hkdf = { version = "0.12.4", default-features = false }
-hmac = { version = "0.12.1", default-features = false }
+hmac = { version = "0.12.1", default-features = false, features = ["std"] }
 http = { version = "1.3.1", default-features = false }
 imbl = { version = "6.1.0", default-features = false }
 indexed_db_futures = { version = "0.7.0", package = "matrix_indexed_db_futures", default-features = false }
@@ -72,7 +72,7 @@ regex = { version = "1.12.2", default-features = false }
 reqwest = { version = "0.13.1", default-features = false }
 ring = { version = "0.17.14", default-features = false }
 rmp-serde = { version = "1.3.0", default-features = false }
-ruma = { git = "https://github.com/ruma/ruma", rev = "03ca65151f40304e044f89d8e9e18b68cb9e4f29", features = [
+ruma = { git = "https://github.com/ruma/ruma", rev = "7f461cb0115aeeb98c2167363759ef99d1a565ee", features = [
     "client-api-c",
     "compat-unset-avatar",
     "compat-upload-signatures",
@@ -94,6 +94,7 @@ ruma = { git = "https://github.com/ruma/ruma", rev = "03ca65151f40304e044f89d8e9
     "unstable-msc4306",
     "unstable-msc4308",
     "unstable-msc4310",
+    "unstable-msc4388",
 ] }
 rustls = { version = "0.23.37", default-features = false, features = ["ring"] }
 rustls-pki-types = { version = "1.14.0", default-features = false }
@@ -121,7 +122,7 @@ uniffi_bindgen = { version = "0.31.0", default-features = false, features = ["ca
 url = { version = "2.5.7", default-features = false }
 uuid = { version = "1.18.1", default-features = false }
 vergen-gitcl = { version = "1.0.8", default-features = false }
-vodozemac = { version = "0.9.0", default-features = false, features = ["libolm-compat", "insecure-pk-encryption"] }
+vodozemac = { git = "https://github.com/matrix-org/vodozemac/", rev = "7de70ace", default-features = false, features = ["libolm-compat", "insecure-pk-encryption"] }
 wasm-bindgen = { version = "0.2.105", default-features = false }
 wasm-bindgen-test = { version = "0.3.55", default-features = false, features = ["std"] }
 web-sys = { version = "0.3.82", default-features = false }

bindings/matrix-sdk-ffi/src/client.rs

@@ -74,7 +74,7 @@ use ruma::{
     api::client::{
         alias::get_alias,
         discovery::get_authorization_server_metadata::v1::{
-            AccountManagementActionData, DeviceDeleteData, DeviceViewData,
+            AccountManagementActionData, DeviceDeleteData, DeviceViewData, GrantType,
         },
         error::ErrorKind,
         profile::{AvatarUrl, DisplayName},
@@ -1975,10 +1975,36 @@ impl Client {
             .any(|focus| matches!(focus, RtcFocusInfo::LiveKit(_))))
     }
 
-    /// Checks if the server supports login using a QR code.
+    /// Checks if this client will be able to log in another client using a QR
+    /// code.
+    ///
+    /// This checks if OAuth 2.0 was used to log in this client and if the auth
+    /// and homeserver support all the necessary APIs for the QR code login
+    /// to work.
     pub async fn is_login_with_qr_code_supported(&self) -> Result<bool, ClientError> {
-        Ok(matches!(self.inner.auth_api(), Some(AuthApi::OAuth(_)))
-            && self.inner.unstable_features().await?.contains(&ruma::api::FeatureFlag::Msc4108))
+        // We need to be using OAuth 2.0 API + Device Authorization Grant available
+        // and either MSC4108 or MSC4388 available.
+
+        // We need to be using the OAuth 2.0 API
+        if !matches!(self.inner.auth_api(), Some(AuthApi::OAuth(_))) {
+            return Ok(false);
+        }
+
+        let metadata =
+            self.inner.oauth().cached_server_metadata().await.map_err(ClientError::from_err)?;
+
+        // We need the Device Authorization Grant available
+        if !metadata.grant_types_supported.contains(&GrantType::DeviceCode) {
+            return Ok(false);
+        }
+
+        // We can use MSC4388 (from MSC4108 version 2025) if available:
+        if self.inner.oauth().msc_4388_rendezvous_server_supported().await? {
+            Ok(true)
+        } else {
+            // Otherwise we can use MSC4108 version 2024:
+            Ok(self.inner.unstable_features().await?.contains(&ruma::api::FeatureFlag::Msc4108))
+        }
     }
 
     /// Get server vendor information from the federation API.

bindings/matrix-sdk-ffi/src/qr_code.rs

@@ -120,7 +120,8 @@ impl LoginWithQrCodeHandler {
             .registration_data()
             .map_err(|_| HumanQrLoginError::OidcMetadataInvalid)?;
 
-        let login = self.oauth.login_with_qr_code(Some(&registration_data)).generate();
+        let mut login = self.oauth.login_with_qr_code(Some(&registration_data)).generate();
+        login.with_msc4388_support();
 
         let mut progress = login.subscribe_to_progress();
 
@@ -214,7 +215,8 @@ impl GrantLoginWithQrCodeHandler {
         self: Arc<Self>,
         progress_listener: Box<dyn GrantGeneratedQrLoginProgressListener>,
     ) -> Result<(), HumanQrGrantLoginError> {
-        let grant = self.oauth.grant_login_with_qr_code().generate();
+        let mut grant = self.oauth.grant_login_with_qr_code().generate();
+        grant.with_msc4388_support();
 
         let mut progress = grant.subscribe_to_progress();
 
@@ -361,15 +363,14 @@ impl From<qrcode::QRCodeLoginError> for HumanQrLoginError {
             }
 
             QRCodeLoginError::SecureChannel(e) => match e {
-                SecureChannelError::Utf8(_)
-                | SecureChannelError::MessageDecode(_)
-                | SecureChannelError::Json(_)
-                | SecureChannelError::RendezvousChannel(_) => HumanQrLoginError::Unknown,
+                SecureChannelError::MessageDecode(_) | SecureChannelError::RendezvousChannel(_) => {
+                    HumanQrLoginError::Unknown
+                }
                 SecureChannelError::UnsupportedQrCodeType => {
                     HumanQrLoginError::UnsupportedQrCodeType
                 }
                 SecureChannelError::SecureChannelMessage { .. }
-                | SecureChannelError::Ecies(_)
+                | SecureChannelError::Decryption(_)
                 | SecureChannelError::InvalidCheckCode
                 | SecureChannelError::CannotReceiveCheckCode => {
                     HumanQrLoginError::ConnectionInsecure
@@ -468,13 +469,12 @@ impl From<qrcode::QRCodeGrantLoginError> for HumanQrGrantLoginError {
             }
             QRCodeGrantLoginError::NotFound => Self::NotFound,
             QRCodeGrantLoginError::SecureChannel(e) => match e {
-                SecureChannelError::Utf8(_)
-                | SecureChannelError::MessageDecode(_)
-                | SecureChannelError::Json(_)
-                | SecureChannelError::RendezvousChannel(_) => Self::Unknown(e.to_string()),
+                SecureChannelError::MessageDecode(_) | SecureChannelError::RendezvousChannel(_) => {
+                    Self::Unknown(e.to_string())
+                }
                 SecureChannelError::UnsupportedQrCodeType => Self::UnsupportedQrCodeType,
                 SecureChannelError::SecureChannelMessage { .. }
-                | SecureChannelError::Ecies(_)
+                | SecureChannelError::Decryption(_)
                 | SecureChannelError::InvalidCheckCode
                 | SecureChannelError::CannotReceiveCheckCode => Self::ConnectionInsecure,
                 SecureChannelError::InvalidIntent => Self::OtherDeviceAlreadySignedIn,
@@ -531,8 +531,6 @@ impl From<qrcode::LoginProgress<QrProgress>> for QrLoginProgress {
         match value {
             LoginProgress::Starting => Self::Starting,
             LoginProgress::EstablishingSecureChannel(QrProgress { check_code }) => {
-                let check_code = check_code.to_digit();
-
                 Self::EstablishingSecureChannel {
                     check_code,
                     check_code_string: format!("{check_code:02}"),
@@ -633,8 +631,6 @@ impl From<qrcode::GrantLoginProgress<QrProgress>> for GrantQrLoginProgress {
         match value {
             GrantLoginProgress::Starting => Self::Starting,
             GrantLoginProgress::EstablishingSecureChannel(QrProgress { check_code }) => {
-                let check_code = check_code.to_digit();
-
                 Self::EstablishingSecureChannel {
                     check_code,
                     check_code_string: format!("{check_code:02}"),

crates/matrix-sdk-common/Cargo.toml

@@ -53,6 +53,7 @@ tracing-subscriber = { workspace = true, features = ["fmt", "ansi"] }
 wasm-bindgen.workspace = true
 wasm-bindgen-futures = { version = "0.4.33", optional = true }
 web-sys = { workspace = true, features = ["console"] }
+getrandom03 = { package = "getrandom", version = "0.3.4", default-features = false, features = ["wasm_js"] }
 
 [dev-dependencies]
 assert_matches.workspace = true

crates/matrix-sdk-crypto/Cargo.toml

@@ -26,7 +26,7 @@ experimental-encrypted-state-events = [
     "ruma/unstable-msc4362"
 ]
 
-js = ["ruma/js", "vodozemac/js", "matrix-sdk-common/js"]
+js = ["ruma/js", "vodozemac/wasm_js", "matrix-sdk-common/js"]
 qrcode = ["dep:matrix-sdk-qrcode"]
 experimental-algorithms = []
 uniffi = ["dep:uniffi"]

crates/matrix-sdk-crypto/src/olm/session.rs

@@ -369,7 +369,7 @@ mod tests {
         let one_time_key = *bob.one_time_keys().values().next().unwrap();
         let sender_key = bob.identity_keys().curve25519;
         let mut alice_session = alice.create_outbound_session_helper(
-            SessionConfig::default(),
+            SessionConfig::version_2(),
             sender_key,
             one_time_key,
             false,

crates/matrix-sdk-qrcode/Cargo.toml

@@ -16,7 +16,7 @@ all-features = true
 rustdoc-args = ["--cfg", "docsrs", "--generate-link-to-definition"]
 
 [features]
-js = ["vodozemac/js"]
+js = ["vodozemac/wasm_js"]
 
 [dependencies]
 byteorder.workspace = true

crates/matrix-sdk/src/authentication/oauth/mod.rs

@@ -368,6 +368,33 @@ impl OAuth {
         as_variant!(data, AuthData::OAuth)
     }
 
+    /// Check if the homeserver supports the [MSC4388] variant of the rendezvous
+    /// server.
+    ///
+    /// Returns `Ok(true)` if the rendezvous discovery endpoint returns a 200 OK
+    /// HTTP response, `Ok(false)` if the endpoint returns a 404 NOT_FOUND or
+    /// 403 FORBIDDEN HTTP response, otherwise an error is returned.
+    ///
+    /// [MSC4388]: https://github.com/matrix-org/matrix-spec-proposals/pull/4388
+    #[cfg(feature = "e2e-encryption")]
+    pub async fn msc_4388_rendezvous_server_supported(&self) -> Result<bool, HttpError> {
+        use http::StatusCode;
+        use ruma::api::client::rendezvous::discover_rendezvous;
+
+        match self.client.send(discover_rendezvous::unstable::Request::new()).await {
+            Ok(response) => Ok(response.create_available),
+            Err(e) => {
+                if e.as_client_api_error().is_some_and(|err| {
+                    matches!(err.status_code, StatusCode::NOT_FOUND | StatusCode::FORBIDDEN)
+                }) {
+                    Ok(false)
+                } else {
+                    Err(e)
+                }
+            }
+        }
+    }
+
     /// Log in this device using a QR code.
     ///
     /// # Arguments
@@ -1381,8 +1408,7 @@ impl<'a> LoginWithQrCodeBuilder<'a> {
     ///         match state {
     ///             LoginProgress::Starting | LoginProgress::SyncingSecrets => (),
     ///             LoginProgress::EstablishingSecureChannel(QrProgress { check_code }) => {
-    ///                 let code = check_code.to_digit();
-    ///                 println!("Please enter the following code into the other device {code:02}");
+    ///                 println!("Please enter the following code into the other device {check_code:02}");
     ///             },
     ///             LoginProgress::WaitingForToken { user_code } => {
     ///                 println!("Please use your other device to confirm the log in {user_code}")