Provision and delete Matrix devices in OAuth sessions

crates/handlers/src/oauth2/authorization/complete.rs

@@ -21,7 +21,7 @@ use axum::{
 use axum_extra::extract::PrivateCookieJar;
 use hyper::StatusCode;
 use mas_axum_utils::SessionInfoExt;
-use mas_data_model::{AuthorizationGrant, BrowserSession, Client};
+use mas_data_model::{AuthorizationGrant, BrowserSession, Client, Device};
 use mas_keystore::{Encrypter, Keystore};
 use mas_policy::PolicyFactory;
 use mas_router::{PostAuthAction, Route, UrlBuilder};
@@ -217,9 +217,10 @@ pub(crate) async fn complete(
     let lacks_consent = grant
         .scope
         .difference(&current_consent)
-        .any(|scope| !scope.starts_with("urn:matrix:org.matrix.msc2967.client:device:"));
+        .filter(|scope| Device::from_scope_token(scope).is_none())
+        .any(|_| true);
 
-    // Check if the client lacks consent *or* if consent was explicitely asked
+    // Check if the client lacks consent *or* if consent was explicitly asked
     if lacks_consent || grant.requires_consent {
         repo.save().await?;
         return Err(GrantCompletionError::RequiresConsent);

crates/handlers/src/oauth2/consent.rs

@@ -24,7 +24,7 @@ use mas_axum_utils::{
     csrf::{CsrfExt, ProtectedForm},
     SessionInfoExt,
 };
-use mas_data_model::AuthorizationGrantStage;
+use mas_data_model::{AuthorizationGrantStage, Device};
 use mas_keystore::Encrypter;
 use mas_policy::PolicyFactory;
 use mas_router::{PostAuthAction, Route};
@@ -190,9 +190,10 @@ pub(crate) async fn post(
     let scope_without_device = grant
         .scope
         .iter()
-        .filter(|s| !s.starts_with("urn:matrix:org.matrix.msc2967.client:device:"))
+        .filter(|s| Device::from_scope_token(s).is_none())
         .cloned()
         .collect();
+
     repo.oauth2_client()
         .give_consent_for_user(
             &mut rng,

crates/handlers/src/oauth2/revoke.rs

@@ -18,10 +18,14 @@ use mas_axum_utils::{
     client_authorization::{ClientAuthorization, CredentialsVerificationError},
     http_client_factory::HttpClientFactory,
 };
-use mas_data_model::TokenType;
+use mas_data_model::{Device, TokenType};
 use mas_iana::oauth::OAuthTokenTypeHint;
 use mas_keystore::Encrypter;
-use mas_storage::{BoxClock, BoxRepository};
+use mas_storage::{
+    job::{DeleteDeviceJob, JobRepositoryExt},
+    user::BrowserSessionRepository,
+    BoxClock, BoxRepository, RepositoryAccess,
+};
 use oauth2_types::{
     errors::{ClientError, ClientErrorCode},
     requests::RevocationRequest,
@@ -196,6 +200,28 @@ pub(crate) async fn post(
         return Err(RouteError::UnauthorizedClient);
     }
 
+    // Fetch the user session
+    let user_session = repo
+        .browser_session()
+        .lookup(session.user_session_id)
+        .await?
+        .ok_or(RouteError::UnknownToken)?;
+
+    // Scan the scopes of the session to find if there is any device that should be
+    // deleted from the Matrix server.
+    // TODO: this should be moved in a higher level "end oauth session" method.
+    // XXX: this might not be the right semantic, but it's the best we
+    // can do for now, since we're not explicitly storing devices for OAuth2
+    // sessions.
+    for scope in session.scope.iter() {
+        if let Some(device) = Device::from_scope_token(scope) {
+            // Schedule a job to delete the device.
+            repo.job()
+                .schedule_job(DeleteDeviceJob::new(&user_session.user, &device))
+                .await?;
+        }
+    }
+
     // Now that we checked everything, we can end the session.
     repo.oauth2_session().finish(&clock, session).await?;
 

crates/handlers/src/oauth2/token.rs

@@ -20,16 +20,17 @@ use mas_axum_utils::{
     client_authorization::{ClientAuthorization, CredentialsVerificationError},
     http_client_factory::HttpClientFactory,
 };
-use mas_data_model::{AuthorizationGrantStage, Client};
+use mas_data_model::{AuthorizationGrantStage, Client, Device};
 use mas_keystore::{Encrypter, Keystore};
 use mas_router::UrlBuilder;
 use mas_storage::{
+    job::{JobRepositoryExt, ProvisionDeviceJob},
     oauth2::{
         OAuth2AccessTokenRepository, OAuth2AuthorizationGrantRepository,
         OAuth2RefreshTokenRepository, OAuth2SessionRepository,
     },
     user::BrowserSessionRepository,
-    BoxClock, BoxRepository, BoxRng, Clock,
+    BoxClock, BoxRepository, BoxRng, Clock, RepositoryAccess,
 };
 use oauth2_types::{
     errors::{ClientError, ClientErrorCode},
@@ -328,6 +329,20 @@ async fn authorization_code_grant(
         params = params.with_id_token(id_token);
     }
 
+    // Look for device to provision
+    for scope in session.scope.iter() {
+        if let Some(device) = Device::from_scope_token(scope) {
+            // Note that we're not waiting for the job to finish, we just schedule it. We
+            // might get in a situation where the provisioning job is not finished when the
+            // client does its first request to the Homeserver. This is fine for now, since
+            // Synapse still provision devices on-the-fly if it doesn't find them in the
+            // database.
+            repo.job()
+                .schedule_job(ProvisionDeviceJob::new(&browser_session.user, &device))
+                .await?;
+        }
+    }
+
     repo.oauth2_authorization_grant()
         .exchange(clock, authz_grant)
         .await?;