
Hub suggests to register device, App shows "Access denied" #167

Open
2 tasks done
infeo opened this issue Oct 14, 2022 · 2 comments
infeo commented Oct 14, 2022


Summary

App unlock with a different user than the user who registered the device: Hub says to register the device, but that is impossible in the app.

System Setup

- Hub: 96582145661fb0a29ac36791e33e4bf02386593e
- Keycloak: 19.0.2
- Cryptomator (Desktop/Android/iOS): Desktop 1.6.15

Steps to Reproduce

  1. Create two users A and B
  2. Register the device with user A (during unlock)
  3. Log out A
  4. Unlock any other Hub vault, logging in with B

Expected Behavior

Message shown: Device registered for different user

Actual Behavior

The opened webpage says to register the device in the app; the app says "Access denied".

Reproducibility

Always

Relevant Log Output

No response

Anything else?

[screenshot attached: grafik]

@infeo infeo added the type:bug Something isn't working label Oct 14, 2022
@infeo infeo self-assigned this Oct 17, 2022

infeo commented Oct 17, 2022

The only easy fix is adding additional text to the screens.

The problem is, the current authorized user cannot determine if the used device is not registered at all or "only" already registered for another user. This would be important for the frontend to display the correct information.
The app would either need an additional backend request, because the locally existing certificate does not contain a user id, or the user id is stored alongside the cert in the key chain, which requires a good amount of changes: currently the cert is eagerly created, and the user id should only be stored if the unlock is successful/device not registered.

But this is also an edge case. We assume that a device (...user account) is normally only used by one user.

@infeo infeo removed their assignment Oct 18, 2022

tobihagemann commented Feb 16, 2023

I'm pretty sure this can be determined on the backend without an additional HTTP request. When unlocking the vault, we know which user is trying to unlock the vault:

```java
var access = AccessToken.unlock(vaultId, deviceId, jwt.getSubject());
```

This database call can be changed so that the method can fail for different reasons (like "not existing at all" or "belongs to different user"):

```java
public static AccessToken unlock(String vaultId, String deviceId, String userId) {
    try {
        // Single lookup keyed by all three ids: any mismatch ends up as "no result".
        return find("#AccessToken.get", Parameters.with("deviceId", deviceId).and("vaultId", vaultId).and("userId", userId)).firstResult();
    } catch (NoResultException e) {
        return null;
    }
}
```
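As an added example (not Cryptomator Hub's own code), the following plain Java sketch shows how the unlock lookup can report distinct outcomes instead of collapsing every failure into a single null result. It replaces the Panache query with in-memory maps, and the names `UnlockResult`, `DeviceRecord`, `AccessGrant`, `registerDevice` and `grantAccess` are assumptions made for illustration, not Hub APIs.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not Cryptomator Hub code: models the unlock check with
// in-memory maps so the different failure reasons can be told apart.
// UnlockResult, DeviceRecord and AccessGrant are illustrative names.
public class UnlockOutcomeExample {

    /** Outcome of an unlock attempt; the frontend chooses its message from this. */
    public enum UnlockResult {
        GRANTED,                 // device belongs to the caller and may open this vault
        DEVICE_NOT_REGISTERED,   // no device with this id is known at all
        DEVICE_OWNED_BY_OTHER,   // device is registered, but to a different user
        NO_ACCESS_TO_VAULT       // device is the caller's, but was never granted this vault
    }

    /** A registered device and the user who registered it (stand-in for the device table). */
    public record DeviceRecord(String deviceId, String ownerId) {}

    /** An access grant keyed by (vaultId, deviceId) (stand-in for the AccessToken table). */
    public record AccessGrant(String vaultId, String deviceId) {}

    private final Map<String, DeviceRecord> devices = new HashMap<>();
    // Value is a placeholder for the wrapped vault key that a real grant would carry.
    private final Map<AccessGrant, String> grants = new HashMap<>();

    public void registerDevice(String deviceId, String ownerId) {
        devices.put(deviceId, new DeviceRecord(deviceId, ownerId));
    }

    public void grantAccess(String vaultId, String deviceId, String wrappedKey) {
        grants.put(new AccessGrant(vaultId, deviceId), wrappedKey);
    }

    /**
     * Resolve the unlock in two steps rather than one (deviceId, vaultId, userId)
     * lookup. userId is the authenticated subject (jwt.getSubject() in Hub), so
     * the reason is only ever reported to a logged-in user.
     */
    public UnlockResult unlock(String vaultId, String deviceId, String userId) {
        DeviceRecord device = devices.get(deviceId);
        if (device == null) {
            return UnlockResult.DEVICE_NOT_REGISTERED;
        }
        if (!device.ownerId().equals(userId)) {
            return UnlockResult.DEVICE_OWNED_BY_OTHER;
        }
        return grants.containsKey(new AccessGrant(vaultId, deviceId))
                ? UnlockResult.GRANTED
                : UnlockResult.NO_ACCESS_TO_VAULT;
    }

    public static void main(String[] args) {
        UnlockOutcomeExample hub = new UnlockOutcomeExample();
        // Constructed sample data mirroring the issue: user A registers the device
        // and receives access to vault-1; user B then tries the same device.
        hub.registerDevice("device-1", "user-A");
        hub.grantAccess("vault-1", "device-1", "<wrapped-key-placeholder>");

        System.out.println("A on registered device:    " + hub.unlock("vault-1", "device-1", "user-A"));
        System.out.println("B on A's device:           " + hub.unlock("vault-1", "device-1", "user-B"));
        System.out.println("A on unknown device:       " + hub.unlock("vault-1", "device-9", "user-A"));
        System.out.println("A on vault without grant:  " + hub.unlock("vault-2", "device-1", "user-A"));
    }
}
```

The second call is the situation from the issue's steps to reproduce: the device exists but is owned by user A, so the backend can answer "registered for a different user" instead of a bare null, and the frontend no longer has to guess between "register this device" and "access denied". Because the lookup runs after authentication and only discloses whether the caller's own device id is owned by someone else, it does not reveal which user that is.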
