Add disableKeyStorage() to crypto API (#4742)

* Add disableKeyStorage() to crypto API As an all-in-one method for deleting all server side key storage on the user's account (as the doc hopefully explains). * Add test * const * Can't be disabled here
2025-11-23 17:02:25 +03:00 · 2025-03-06 11:16:28 +00:00
parent 3e512711d7
commit db7e3e3cf3
3 changed files with 84 additions and 11 deletions
--- a/src/rust-crypto/rust-crypto.ts
+++ b/src/rust-crypto/rust-crypto.ts
@@ -1276,6 +1276,24 @@ export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventH
        this.checkKeyBackupAndEnable();
    }

+    /**
+     * Implementation of {@link CryptoApi#disableKeyStorage}.
+     */
+    public async disableKeyStorage(): Promise<void> {
+        // Get the key backup version we're using
+        const info = await this.getKeyBackupInfo();
+        if (info?.version) {
+            await this.deleteKeyBackupVersion(info.version);
+        } else {
+            logger.error("Can't delete key backup version: no version available");
+        }
+
+        // also turn off 4S, since this is also storing keys on the server.
+        await this.deleteSecretStorage();
+
+        await this.dehydratedDeviceManager.delete();
+    }
+
    /**
     * Signs the given object with the current device and current identity (if available).
     * As defined in {@link https://spec.matrix.org/v1.8/appendices/#signing-json | Signing JSON}.
@@ -1447,17 +1465,7 @@ export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventH
        // Disable backup, and delete all the backups from the server
        await this.backupManager.deleteAllKeyBackupVersions();

-        // Remove the stored secrets in the secret storage
-        await this.secretStorage.store("m.cross_signing.master", null);
-        await this.secretStorage.store("m.cross_signing.self_signing", null);
-        await this.secretStorage.store("m.cross_signing.user_signing", null);
-        await this.secretStorage.store("m.megolm_backup.v1", null);
-
-        // Remove the recovery key
-        const defaultKeyId = await this.secretStorage.getDefaultKeyId();
-        if (defaultKeyId) await this.secretStorage.store(`m.secret_storage.key.${defaultKeyId}`, null);
-        // Disable the recovery key and the secret storage
-        await this.secretStorage.setDefaultKeyId(null);
+        this.deleteSecretStorage();

        // Reset the cross-signing keys
        await this.crossSigningIdentity.bootstrapCrossSigning({
@@ -1471,6 +1479,24 @@ export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventH
        this.logger.debug("resetEncryption: ended");
    }

+    /**
+     * Removes the secret storage key, default key pointer and all (known) secret storage data
+     * from the user's account data
+     */
+    private async deleteSecretStorage(): Promise<void> {
+        // Remove the stored secrets in the secret storage
+        await this.secretStorage.store("m.cross_signing.master", null);
+        await this.secretStorage.store("m.cross_signing.self_signing", null);
+        await this.secretStorage.store("m.cross_signing.user_signing", null);
+        await this.secretStorage.store("m.megolm_backup.v1", null);
+
+        // Remove the recovery key
+        const defaultKeyId = await this.secretStorage.getDefaultKeyId();
+        if (defaultKeyId) await this.secretStorage.store(`m.secret_storage.key.${defaultKeyId}`, null);
+        // Disable the recovery key and the secret storage
+        await this.secretStorage.setDefaultKeyId(null);
+    }
+
    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
    //
    // SyncCryptoCallbacks implementation