feat(ffi): Allow passing in a SecretsBundle after logging in

[poljar]

This PR allows people to get a secrets bundle out of band and import it after logging in a new client.

Mainly targeted to support the Element Classic -> Element X migration.

This closes #6087.

• I've documented the public API Changes in the appropriate CHANGELOG.md files.
• I've read the CONTRIBUTING.md file, notably the sections about Pull requests, Commit message format, and AI policy.
• This PR was made with the help of AI.

[codspeed-hq]

Merging this PR will not alter performance

✅ 50 untouched benchmarks

---

_{Comparing poljar/login/secret-bundle-import (0ec9338) with main (a65fec3)}

[bmarty]

Hello, thanks, I am testing the updated API using EXA.

[poljar]

Hello, thanks, I am testing the updated API using EXA.

Ah, thanks for testing.

[bmarty]

it looks like the method bundle_from_str is not exposed in the FFI layer, can you double check @poljar ? Thanks! An alternative would be that the secrets parameter added to login_with_oidc_callback and login would be of type optional String.

[poljar]

Whoops, that's true.

An alternative would be that the secrets parameter added to login_with_oidc_callback and login would be of type optional String.

That would complicate things for the codepath where we want to get the secrets bundle from a database.

I exported the methods now.

[codecov]

Codecov Report

❌ Patch coverage is 35.48387% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.85%. Comparing base (eb51c86) to head (0ec9338).
⚠️ Report is 12 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
crates/matrix-sdk/src/encryption/mod.rs	34.48%	16 Missing and 3 partials ⚠️
...atrix-sdk/src/authentication/oauth/qrcode/login.rs	0.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6212   +/-   ##
=======================================
  Coverage   89.84%   89.85%           
=======================================
  Files         378      378           
  Lines      103339   103366   +27     
  Branches   103339   103366   +27     
=======================================
+ Hits        92847    92879   +32     
- Misses       6915     6918    +3     
+ Partials     3577     3569    -8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[bmarty]

I am providing the secrets to the function with oidc, and at the end the session is not verified. I believe that this is supposed to be the case? Happy to provide some logs if it helps.

[poljar]

I am providing the secrets to the function with oidc, and at the end the session is not verified. I believe that this is supposed to be the case? Happy to provide some logs if it helps.

Hmm, I read through the code again, it should give you a verified device in the end.

If it's not too much trouble logs could help, though I think I'll need to make an integration test for this and move the logic into the SDK.

[poljar]

Oh wait, I did another mistake. Did you perhaps test this with an OIDC login?

If so I forgot to connect things for the OIDC login.

[bmarty]

Did you perhaps test this with an OIDC login?

Yes

[poljar]

Did you perhaps test this with an OIDC login?

Yes

Ok, my bad: 44a92c3 fixes this for the OIDC login.

[bmarty]

Thanks @poljar, I confirm that the session is now verified when using MAS!

[bmarty]

IMO the SDK should not throw anything but just ignore the provided secrets if the userId does not match, so the application can just continue with the "manual" verification step. Do you agree?

CC @pixlwave

[pixlwave]

Personally I think I'd rather split this API into 2 calls if it doesn't throw.

client.login()
client.importSecrets()

That way a client can tell whether or not that operation was successful or not and decide to act accordingly.

[pixlwave]

Or specifically make it throw some kind of ClientError::Secrets { msg } so that this specific error can be handled differently. It would be nice to start moving away from ClientError::Generic everywhere anyway 😇

[poljar]

That way a client can tell whether or not that operation was successful or not and decide to act accordingly.

We can do this, but you have to promise me to call this before you start a sync.

Or specifically make it throw some kind of ClientError::Secrets { msg } so that this specific error can be handled differently. It would be nice to start moving away from ClientError::Generic everywhere anyway 😇

Yeah, I skipped adding more specific errors for now, but we can obviously add them.

Let me know which way you prefer.

[pixlwave]

We can do this, but you have to promise me to call this before you start a sync.

I don't think it's even possible for us to start a sync at this stage in the flow anyway but, just in case…

Let me know which way you prefer.

Personally I think 2 calls makes more sense but I'm happy either way. Any preference @bmarty?

[poljar]

Alright, let's go with two separate calls then.

[bmarty]

Maybe the login function (and the other of the same vein) can return an object which has an importSecrets method?

[poljar]

Maybe the login function (and the other of the same vein) can return an object which has an importSecrets method?

Hmm, that would again result in a breaking change and complicate the interface compared to the added error variant and argument.

[bmarty]

(maybe just ignore my last comment)
With the double API approach, I guess the application can also check the userId, after the login call, and before providing the secret, using client.session().userId, so it's good.

[poljar]

I would leave the user ID check on the Rust side, so people don't forget about it.

[poljar]

The complement-crypto failure is due to mozilla/uniffi-rs#2775.

Other than that, this should now work for iOS as well. It should also have the two step interface people were requesting.

Still needs some tests before this is ready for review.

[bmarty]

Thanks, I can test the new API. Can I ask you to update the branch regarding develop, so that I will not have too many API breaks to manage?

[poljar]

Thanks, I can test the new API. Can I ask you to update the branch regarding develop, so that I will not have too many API breaks to manage?

Ah, you mean rebase on top of main? Sure, can do that.

[poljar]

Rebased now.

[pixlwave]

Thank you! Although unfortunately I bring bad news: It doesn't compile yet on iOS as both the generated matrix_sdk_crypto.swift and matrix_sdk_ffi.swift have a SecretsBundle (and SecretsBundleProtocol) definition so they conflict.

[bmarty]

I have no conflict on building the Android sdk, probably because SecretsBundle declaration are in 2 different package, but it seems that the method import_secrets_bundle is not exposed through the FFI layer, so the application cannot access it. I'll double check on my side.

EDIT: OK, my bad, I need to call client.encryption().importSecretsBundle now.

[bmarty]

Tested on Android using b7e7412 and it's working as expected 🎉

[poljar]

Thank you! Although unfortunately I bring bad news: It doesn't compile yet on iOS as both the generated matrix_sdk_crypto.swift and matrix_sdk_ffi.swift have a SecretsBundle (and SecretsBundleProtocol) definition so they conflict.

Annoying, but ok, I renamed one of the types.

[poljar]

I added a method which allows you to check if the bundle contains the backup key as well, as this is the only optional secret in the bundle.

As for the complement-crypto problem, I opened matrix-org/complement-crypto#233 to get complement-crypto on the same uniffi version as the SDK uses.