Force verification even for refreshed clients

package.json

@@ -198,6 +198,7 @@
         "axe-core": "4.10.0",
         "babel-jest": "^29.0.0",
         "blob-polyfill": "^9.0.0",
+        "core-js": "^3.38.1",
         "eslint": "8.57.1",
         "eslint-config-google": "^0.14.0",
         "eslint-config-prettier": "^9.0.0",

playwright/e2e/login/login.spec.ts

@@ -6,20 +6,85 @@ SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only
 Please see LICENSE files in the repository root for full details.
 */
 
+import { Page } from "playwright-core";
+
 import { expect, test } from "../../element-web-test";
 import { doTokenRegistration } from "./utils";
 import { isDendrite } from "../../plugins/homeserver/dendrite";
 import { selectHomeserver } from "../utils";
+import { Credentials, HomeserverInstance } from "../../plugins/homeserver";
+
+const username = "user1234";
+const password = "p4s5W0rD";
+
+// Pre-generated dummy signing keys to create an account that has signing keys set.
+// Note the signatures are specific to the username and must be valid or the HS will reject the keys.
+const DEVICE_SIGNING_KEYS_BODY = {
+    master_key: {
+        keys: {
+            "ed25519:6qCouJsi2j7DzOmpxPTBALpvDTqa8p2mjrQR2P8wEbg": "6qCouJsi2j7DzOmpxPTBALpvDTqa8p2mjrQR2P8wEbg",
+        },
+        signatures: {
+            "@user1234:localhost": {
+                "ed25519:6qCouJsi2j7DzOmpxPTBALpvDTqa8p2mjrQR2P8wEbg":
+                    "mvwqsYiGa2gPH6ueJsiJnceHMrZhf1pqIMGxkvKisN3ucz8sU7LwyzndbYaLkUKEDx1JuOKFfZ9Mb3mqc7PMBQ",
+                "ed25519:SRHVWTNVBH":
+                    "HVGmVIzsJe3d+Un/6S9tXPsU7YA8HjZPdxogVzdjEFIU8OjLyElccvjupow0rVWgkEqU8sO21LIHw9cWRZEmDw",
+            },
+        },
+        usage: ["master"],
+        user_id: "@user1234:localhost",
+    },
+    self_signing_key: {
+        keys: {
+            "ed25519:eqzRly4S1GvTA36v48hOKokHMtYBLm02zXRgPHue5/8": "eqzRly4S1GvTA36v48hOKokHMtYBLm02zXRgPHue5/8",
+        },
+        signatures: {
+            "@user1234:localhost": {
+                "ed25519:6qCouJsi2j7DzOmpxPTBALpvDTqa8p2mjrQR2P8wEbg":
+                    "M2rt5xs+23egbVUwUcZuU7pMpn0chBNC5rpdyZGayfU3FDlx1DbopbakIcl5v4uOSGMbqUotyzkE6CchB+dgDw",
+            },
+        },
+        usage: ["self_signing"],
+        user_id: "@user1234:localhost",
+    },
+    user_signing_key: {
+        keys: {
+            "ed25519:h6C7sonjKSSa/VMvmpmFnwMA02H2rKIMSYZ2ddwgJn4": "h6C7sonjKSSa/VMvmpmFnwMA02H2rKIMSYZ2ddwgJn4",
+        },
+        signatures: {
+            "@user1234:localhost": {
+                "ed25519:6qCouJsi2j7DzOmpxPTBALpvDTqa8p2mjrQR2P8wEbg":
+                    "5ZMJ7SG2qr76vU2nITKap88AxLZ/RZQmF/mBcAcVZ9Bknvos3WQp8qN9jKuiqOHCq/XpPORA6XBmiDIyPqTFAA",
+            },
+        },
+        usage: ["user_signing"],
+        user_id: "@user1234:localhost",
+    },
+    auth: {
+        type: "m.login.password",
+        identifier: { type: "m.id.user", user: "@user1234:localhost" },
+        password: password,
+    },
+};
+
+async function login(page: Page, homeserver: HomeserverInstance) {
+    await page.getByRole("link", { name: "Sign in" }).click();
+    await selectHomeserver(page, homeserver.config.baseUrl);
+
+    await page.getByRole("textbox", { name: "Username" }).fill(username);
+    await page.getByPlaceholder("Password").fill(password);
+    await page.getByRole("button", { name: "Sign in" }).click();
+}
 
 test.describe("Login", () => {
     test.describe("Password login", () => {
         test.use({ startHomeserverOpts: "consent" });
 
-        const username = "user1234";
-        const password = "p4s5W0rD";
+        let creds: Credentials;
 
         test.beforeEach(async ({ homeserver }) => {
-            await homeserver.registerUser(username, password);
+            creds = await homeserver.registerUser(username, password);
         });
 
         test("Loads the welcome page by default; then logs in with an existing account and lands on the home screen", async ({
@@ -65,17 +130,97 @@ test.describe("Login", () => {
 
         test("Follows the original link after login", async ({ page, homeserver }) => {
             await page.goto("/#/room/!room:id"); // should redirect to the welcome page
-            await page.getByRole("link", { name: "Sign in" }).click();
-
-            await selectHomeserver(page, homeserver.config.baseUrl);
-
-            await page.getByRole("textbox", { name: "Username" }).fill(username);
-            await page.getByPlaceholder("Password").fill(password);
-            await page.getByRole("button", { name: "Sign in" }).click();
+            await login(page, homeserver);
 
             await expect(page).toHaveURL(/\/#\/room\/!room:id$/);
             await expect(page.getByRole("button", { name: "Join the discussion" })).toBeVisible();
         });
+
+        test.describe("verification after login", () => {
+            test("Shows verification prompt after login if signing keys are set up, skippable by default", async ({
+                page,
+                homeserver,
+                request,
+            }) => {
+                const res = await request.post(
+                    `${homeserver.config.baseUrl}/_matrix/client/v3/keys/device_signing/upload`,
+                    { headers: { Authorization: `Bearer ${creds.accessToken}` }, data: DEVICE_SIGNING_KEYS_BODY },
+                );
+                if (res.status() / 100 !== 2) {
+                    console.log("Uploading dummy keys failed", await res.json());
+                }
+                expect(res.status() / 100).toEqual(2);
+
+                await page.goto("/");
+                await login(page, homeserver);
+
+                await expect(page.getByRole("heading", { name: "Verify this device", level: 1 })).toBeVisible();
+
+                await expect(page.getByRole("button", { name: "Skip verification for now" })).toBeVisible();
+            });
+
+            test.describe("with force_verification off", () => {
+                test.use({
+                    config: {
+                        force_verification: false,
+                    },
+                });
+
+                test("Shows skippable verification prompt after login if signing keys are set up", async ({
+                    page,
+                    homeserver,
+                    request,
+                }) => {
+                    const res = await request.post(
+                        `${homeserver.config.baseUrl}/_matrix/client/v3/keys/device_signing/upload`,
+                        { headers: { Authorization: `Bearer ${creds.accessToken}` }, data: DEVICE_SIGNING_KEYS_BODY },
+                    );
+                    if (res.status() / 100 !== 2) {
+                        console.log("Uploading dummy keys failed", await res.json());
+                    }
+                    expect(res.status() / 100).toEqual(2);
+
+                    await page.goto("/");
+                    await login(page, homeserver);
+
+                    await expect(page.getByRole("heading", { name: "Verify this device", level: 1 })).toBeVisible();
+
+                    await expect(page.getByRole("button", { name: "Skip verification for now" })).toBeVisible();
+                });
+            });
+
+            test.describe("with force_verification on", () => {
+                test.use({
+                    config: {
+                        force_verification: true,
+                    },
+                });
+
+                test("Shows unskippable verification prompt after login if signing keys are set up", async ({
+                    page,
+                    homeserver,
+                    request,
+                }) => {
+                    console.log(`uid ${creds.userId} body`, DEVICE_SIGNING_KEYS_BODY);
+                    const res = await request.post(
+                        `${homeserver.config.baseUrl}/_matrix/client/v3/keys/device_signing/upload`,
+                        { headers: { Authorization: `Bearer ${creds.accessToken}` }, data: DEVICE_SIGNING_KEYS_BODY },
+                    );
+                    if (res.status() / 100 !== 2) {
+                        console.log("Uploading dummy keys failed", await res.json());
+                    }
+                    expect(res.status() / 100).toEqual(2);
+
+                    await page.goto("/");
+                    await login(page, homeserver);
+
+                    const h1 = await page.getByRole("heading", { name: "Verify this device", level: 1 });
+                    await expect(h1).toBeVisible();
+
+                    expect(h1.locator(".mx_CompleteSecurity_skip")).not.toBeVisible();
+                });
+            });
+        });
     });
 
     // tests for old-style SSO login, in which we exchange tokens with Synapse, and Synapse talks to an auth server

src/Lifecycle.ts

@@ -824,6 +824,8 @@ async function doSetLoggedIn(
     }
     checkSessionLock();
 
+    // We are now logged in, so fire this. We have yet to start the client but the
+    // client_started dispatch is for that.
     dis.fire(Action.OnLoggedIn);
 
     const clientPegOpts: MatrixClientPegAssignOpts = {};
@@ -846,6 +848,12 @@ async function doSetLoggedIn(
     // Run the migrations after the MatrixClientPeg has been assigned
     SettingsStore.runMigrations(isFreshLogin);
 
+    if (isFreshLogin && !credentials.guest) {
+        // For newly registered users, set a flag so that we force them to verify,
+        // (we don't want to force users with existing sessions to verify though)
+        localStorage.setItem("must_verify_device", "true");
+    }
+
     return client;
 }
 

src/SdkConfig.ts

@@ -24,6 +24,7 @@ export const DEFAULTS: DeepReadonly<IConfigOptions> = {
     integrations_rest_url: "https://scalar.vector.im/api",
     uisi_autorageshake_app: "element-auto-uisi",
     show_labs_settings: false,
+    force_verification: false,
 
     jitsi: {
         preferred_domain: "meet.element.io",