"Connect key backup" prompts me to enter my security key after submitting my security key

element-hq / element-web

A glossy Matrix collaboration client for the web.

https://element.io

GNU Affero General Public License v3.0

11.01k stars 1.96k forks source link

"Connect key backup" prompts me to enter my security key after submitting my security key #27469

Open lampholder opened 4 months ago

lampholder commented 4 months ago

Steps to reproduce

Create a fresh account.
Create/join an encrypted room and set up key backup following the prompts. Don't use a passphrase - generate and save a key instead.
Log out.
Log in.
Ignore all the prompts for verifying/connecting to secure backup
Go to Settings -> Security and Privacy
Click Connect this session to key backup. Observe this dialog:
Click upload even though uploading is 1000% not what you are ever doing with your secure key
Choose your file and click continue
Uh oh, here's an uninvited prompt to enter my security key again, this time by typing it:
If you re-enter your security key, you get an error dialog:

Outcome

What did you expect?

A more sensible verb than upload to be attached to the activity of unlocking key backup with my locally stored key
Not that extra prompt

Operating system

mac

Browser information

Firefox

URL for webapp

app and develop

Application version

Element version: 482b81b0ed5f-react-6e31f691189e-js-d421e7f82904 Crypto version: Rust SDK 0.7.0 (61b175b), Vodozemac 0.5.1 and whatever the latest release is

Homeserver

lant.uk

Will you send logs?

richvdh commented 3 months ago

Yeeees.

The first prompt ("Use your security key to continue", with the stupid "upload" button) is the AccessSecretStorageDialog. This is shown because RestoreKeyBackupDialog (correctly) determines that the backup key is in 4S, and therefore calls SecurityManager.accessSecretStorage to get hold of the 4S key. This completes successfully, restores the backup, and enables upload of new keys to backup. However, it doesn't correctly feed this information back to RestoreKeyBackupDialog.recoverInfo.

The second prompt ("Enter security key") is fallback code meant to handle the case when the backup key is not stored in secret storage, and instead is prompting you to enter your backup key directly. Since you don't know the backup key (it is not the same as the 4S key), it's impossible to enter this key and you are shown an error. (Presumably if you did somehow know the backup key, we would attempt to restore it again.)

This is not a new issue; it also happens with legacy crypto.

richvdh commented 3 months ago

Ideally I think this whole fallback flow would be removed, but that's not actually the problem here: all we need is to make sure that recoverInfo is correctly populated when the recovery completes. And, for the love of God, some tests for this flow.

richvdh commented 3 months ago

This is a duplicate of https://github.com/element-hq/element-web/issues/26247, but this is a better description of the issue, so closing that one.