OIDC: persist refresh token

src/Lifecycle.ts

@@ -71,13 +71,22 @@ import { persistOidcAuthenticatedSettings } from "./utils/oidc/persistOidcSettin
 const HOMESERVER_URL_KEY = "mx_hs_url";
 const ID_SERVER_URL_KEY = "mx_is_url";
 
+/**
+ * Used as storage key
+ */
 const ACCESS_TOKEN_STORAGE_KEY = "mx_access_token";
 const REFRESH_TOKEN_STORAGE_KEY = "mx_refresh_token";
 /**
- * Used during encryption/decryption of token
+ * Used as initialization vector during encryption in persistTokenInStorage
+ * And decryption in restoreFromLocalStorage
  */
 const ACCESS_TOKEN_NAME = "access_token";
 const REFRESH_TOKEN_NAME = "refresh_token";
+/**
+ * Used in localstorage to store whether we expect a token in idb
+ */
+const HAS_ACCESS_TOKEN_STORAGE_KEY = "mx_has_access_token";
+const HAS_REFRESH_TOKEN_STORAGE_KEY = "mx_has_refresh_token";
 
 dis.register((payload) => {
     if (payload.action === Action.TriggerLogout) {
@@ -224,7 +233,8 @@ export async function attemptDelegatedAuthLogin(
  */
 async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean> {
     try {
-        const { accessToken, refreshToken, homeserverUrl, identityServerUrl } = await completeOidcLogin(queryParams);
+        const { accessToken, refreshToken, homeserverUrl, identityServerUrl, clientId, issuer } =
+            await completeOidcLogin(queryParams);
 
         const {
             user_id: userId,
@@ -482,7 +492,7 @@ export async function getStoredSessionVars(): Promise<Partial<IStoredSession>> {
     }
     // if we pre-date storing "mx_has_access_token", but we retrieved an access
     // token, then we should say we have an access token
-    const hasAccessToken = localStorage.getItem(`mx_has_${ACCESS_TOKEN_NAME}`) === "true" || !!accessToken;
+    const hasAccessToken = localStorage.getItem(HAS_ACCESS_TOKEN_STORAGE_KEY) === "true" || !!accessToken;
     const userId = localStorage.getItem("mx_user_id") ?? undefined;
     const deviceId = localStorage.getItem("mx_device_id") ?? undefined;
 
@@ -499,7 +509,7 @@ export async function getStoredSessionVars(): Promise<Partial<IStoredSession>> {
 
 // The pickle key is a string of unspecified length and format.  For AES, we
 // need a 256-bit Uint8Array. So we HKDF the pickle key to generate the AES
-// key.  The AES key should be zeroed after it is used.
+// key.  The AES key should be zeroed after it is used
 async function pickleKeyToAesKey(pickleKey: string): Promise<Uint8Array> {
     const pickleKeyBuffer = new Uint8Array(pickleKey.length);
     for (let i = 0; i < pickleKey.length; i++) {
@@ -780,16 +790,18 @@ class AbortLoginAndRebuildStorage extends Error {}
  *
  * @param storageKey key used to store the token
  * @param name eg "access_token" used as initialization vector during encryption
- * @param token
+ *              only used when pickleKey is present to encrypt with
+ * @param token the token to store, when undefined any existing token at the storageKey is removed from storage
  * @param pickleKey optional pickle key used to encrypt token
+ * @param hasTokenStorageKey used to store in localstorage whether we expect to have a token in idb, eg "mx_has_access_token"
  */
 async function persistTokenInStorage(
     storageKey: string,
     name: string,
     token: string | undefined,
     pickleKey: IMatrixClientCreds["pickleKey"],
+    hasTokenStorageKey: string,
 ): Promise<void> {
-    const hasTokenStorageKey = `mx_has_${name}`;
     // store whether we expect to find a token, to detect the case
     // where IndexedDB is blown away
     if (token) {
@@ -852,12 +864,14 @@ async function persistCredentials(credentials: IMatrixClientCreds): Promise<void
         ACCESS_TOKEN_NAME,
         credentials.accessToken,
         credentials.pickleKey,
+        HAS_ACCESS_TOKEN_STORAGE_KEY,
     );
     await persistTokenInStorage(
         REFRESH_TOKEN_STORAGE_KEY,
         REFRESH_TOKEN_NAME,
         credentials.refreshToken,
         credentials.pickleKey,
+        HAS_REFRESH_TOKEN_STORAGE_KEY,
     );
 
     if (credentials.pickleKey) {

src/utils/oidc/authorize.ts

@@ -69,30 +69,37 @@ const getCodeAndStateFromQueryParams = (queryParams: QueryDict): { code: string;
     return { code, state };
 };
 
+type CompleteOidcLoginResponse = {
+    // url of the homeserver selected during login
+    homeserverUrl: string;
+    // identity server url as discovered during login
+    identityServerUrl?: string;
+    // accessToken gained from OIDC token issuer
+    accessToken: string;
+    // refreshToken gained from OIDC token issuer, when falsy token cannot be refreshed
+    refreshToken?: string;
+    // this client's id as registered with the OIDC issuer
+    clientId: string;
+    // issuer used during authentication
+    issuer: string;
+};
 /**
  * Attempt to complete authorization code flow to get an access token
  * @param queryParams the query-parameters extracted from the real query-string of the starting URI.
- * @returns Promise that resolves with accessToken, identityServerUrl, and homeserverUrl when login was successful
+ * @returns Promise that resolves with a CompleteOidcLoginResponse when login was successful
  * @throws When we failed to get a valid access token
  */
-export const completeOidcLogin = async (
-    queryParams: QueryDict,
-): Promise<{
-    homeserverUrl: string;
-    identityServerUrl?: string;
-    accessToken: string;
-    refreshToken?: string;
-}> => {
+export const completeOidcLogin = async (queryParams: QueryDict): Promise<CompleteOidcLoginResponse> => {
     const { code, state } = getCodeAndStateFromQueryParams(queryParams);
     const { homeserverUrl, tokenResponse, identityServerUrl, oidcClientSettings } =
         await completeAuthorizationCodeGrant(code, state);
 
-    // @TODO(kerrya) do something with the refresh token https://github.com/vector-im/element-web/issues/25444
-
     return {
-        homeserverUrl: homeserverUrl,
-        identityServerUrl: identityServerUrl,
+        homeserverUrl,
+        identityServerUrl,
         accessToken: tokenResponse.access_token,
         refreshToken: tokenResponse.refresh_token,
+        clientId: oidcClientSettings.clientId,
+        issuer: oidcClientSettings.issuer,
     };
 };