Famedly release/v1.145.0_2 (#235)

FrenchGithubUser · web-flow · commit 0287b77349f3 · 2026-02-10T08:13:20.000Z
# Famedly Synapse Release v1.145.0_2

## Famedly additions for v1.145.0_2

- fix: invalidate access token cache on device deletion

When an access token had a refresh token associated to it in the
database, deleting this refresh token (for example when deleting the
device using it) would cascade delete the access token, which wouldn't
be returned by the sql query that was supposed to delete it on its own,
and an empty array was passed to the cache invalidation function.
diff --git a/CHANGES.md b/CHANGES.md
@@ -10,6 +10,8 @@ Ubuntu 25.04 (Plucky Puffin) will be end of life on Jan 17, 2026. Synapse will s
 
 The "Updates to locked dependencies" section has been removed from the changelog due to lack of use and the maintenance burden. ([\#19254](https://github.com/element-hq/synapse/issues/19254))
 
+### Famedly additions for v1.145.0_2
+- fix: invalidate access token cache on device deletion (FrenchGithubUser)
 
 ### Famedly additions for v1.145.0_1
 - fix: typo in changelog (FrenchGithubUser)
diff --git a/synapse/storage/databases/main/registration.py b/synapse/storage/databases/main/registration.py
@@ -2569,14 +2569,9 @@ async def user_delete_access_tokens_for_devices(
         def user_delete_access_tokens_for_devices_txn(
             txn: LoggingTransaction, batch_device_ids: StrCollection
         ) -> list[tuple[str, int, str | None]]:
-            self.db_pool.simple_delete_many_txn(
-                txn,
-                table="refresh_tokens",
-                keyvalues={"user_id": user_id},
-                column="device_id",
-                values=batch_device_ids,
-            )
-
+            # Delete access tokens first, before refresh tokens.
+            # This ensures we can capture the deleted access tokens for cache invalidation
+            # before any CASCADE deletes occur.
             clause, args = make_in_list_sql_clause(
                 txn.database_engine, "device_id", batch_device_ids
             )
@@ -2595,6 +2590,14 @@ def user_delete_access_tokens_for_devices_txn(
                 self.get_user_by_access_token,
                 [(t[0],) for t in tokens_and_devices],
             )
+            self.db_pool.simple_delete_many_txn(
+                txn,
+                table="refresh_tokens",
+                keyvalues={"user_id": user_id},
+                column="device_id",
+                values=batch_device_ids,
+            )
+
             return tokens_and_devices
 
         results = []
diff --git a/tests/rest/client/test_auth.py b/tests/rest/client/test_auth.py
@@ -30,7 +30,16 @@
 from synapse.api.constants import ApprovalNoticeMedium, LoginType
 from synapse.api.errors import Codes, SynapseError
 from synapse.handlers.ui_auth.checkers import UserInteractiveAuthChecker
-from synapse.rest.client import account, auth, devices, login, logout, register
+from synapse.rest.client import (
+    account,
+    auth,
+    devices,
+    login,
+    logout,
+    read_marker,
+    register,
+    room,
+)
 from synapse.rest.synapse.client import build_synapse_client_resource_tree
 from synapse.server import HomeServer
 from synapse.storage.database import LoggingTransaction
@@ -625,10 +634,13 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
     servlets = [
         auth.register_servlets,
         account.register_servlets,
+        devices.register_servlets,
         login.register_servlets,
         logout.register_servlets,
-        synapse.rest.admin.register_servlets_for_client_rest_resource,
+        read_marker.register_servlets,
         register.register_servlets,
+        room.register_servlets,
+        synapse.rest.admin.register_servlets_for_client_rest_resource,
     ]
     hijack_auth = False
 
@@ -1394,6 +1406,94 @@ def _txn(txn: LoggingTransaction) -> int:
         self.assertEqual(_table_length("access_tokens"), 0)
         self.assertEqual(_table_length("refresh_tokens"), 0)
 
+    def test_token_invalid_after_refresh_token_issued_and_device_removed(self) -> None:
+        """
+        Test that sending a read marker (dummy action) fails after the device (which had a refresh token) is removed by another device.
+        The removal of a refresh token cascade deletes the associated access token in the db, which can make cache invalidation fail, if not handled properly.
+        This test will catch such behavior if it ever happens again.
+        1. User logs in with device1
+        2. User logs in with device2 and requests a refresh token
+        3. Device2 sends a read marker (should work)
+        4. Device1 removes device2
+        5. Device2 tries to send a read marker (should fail)
+        """
+        # Login with device1
+        device1_tok = self.login("test", self.user_pass, device_id="device1")
+
+        # Login with device2 and request a refresh token
+        login_response = self.make_request(
+            "POST",
+            "/_matrix/client/v3/login",
+            {
+                "type": "m.login.password",
+                "user": "test",
+                "password": self.user_pass,
+                "device_id": "device2",
+                "refresh_token": True,
+            },
+        )
+        self.assertEqual(login_response.code, HTTPStatus.OK, login_response.result)
+        device2_tok = login_response.json_body["access_token"]
+        device2_id = login_response.json_body["device_id"]
+        self.assertEqual(device2_id, "device2")
+
+        # Create a room and send a message
+        room_id = self.helper.create_room_as(self.user, tok=device1_tok)
+        event_id = self.helper.send(
+            room_id=room_id, body="test message", tok=device1_tok
+        )["event_id"]
+
+        # Device2 sends a read marker (should work)
+        channel = self.make_request(
+            "POST",
+            f"/rooms/{room_id}/read_markers",
+            content={
+                "m.fully_read": event_id,
+            },
+            access_token=device2_tok,
+        )
+        self.assertEqual(channel.code, HTTPStatus.OK, channel.result)
+
+        # Device1 removes device2
+        # First, attempt to delete device2
+        delete_channel = self.make_request(
+            "DELETE",
+            f"devices/{device2_id}",
+            access_token=device1_tok,
+        )
+        self.assertEqual(
+            delete_channel.code, HTTPStatus.UNAUTHORIZED, delete_channel.result
+        )
+        session = delete_channel.json_body["session"]
+
+        # Complete the UI auth flow
+        delete_channel = self.make_request(
+            "DELETE",
+            f"devices/{device2_id}",
+            content={
+                "auth": {
+                    "type": "m.login.password",
+                    "user": "test",
+                    "password": self.user_pass,
+                    "session": session,
+                },
+            },
+            access_token=device1_tok,
+        )
+        self.assertEqual(delete_channel.code, HTTPStatus.OK, delete_channel.result)
+
+        # Device2 tries to send a read marker (should fail)
+        channel = self.make_request(
+            "POST",
+            f"/rooms/{room_id}/read_markers",
+            content={
+                "m.fully_read": event_id,
+            },
+            access_token=device2_tok,
+        )
+        self.assertEqual(channel.code, HTTPStatus.UNAUTHORIZED, channel.result)
+        self.assertEqual(channel.json_body["errcode"], Codes.UNKNOWN_TOKEN)
+
 
 def oidc_config(
     id: str, with_localpart_template: bool, **kwargs: Any
