A frequently-updated browser produces a large number of sessions that hang validation

[mhoye]

Description

I suspect because it's frequently update, running Riot-Web in Firefox Nightly produces a very large number of "sessions". This was not a big deal before e2e rolled out, but this morning I deleted maybe ninety sessions (so much clicking tedium!) in order to validate the remaining real ones.

I think that this consequently breaks validation, somehow, as a result. I'm pinwheeling during the validation phase now, when this did work earlier today.

Steps to reproduce

Using riot-web and a previously-validated Riot.IM on Android, update nightly and reconnect, and try validating a session.

The result pinwheels forever.

I'm using Riot-Web current, Riot.IM on Android presumably also current (on Android One) and can reproduce at will.

[aaronraimist]

Are you having to log in each time you restart Firefox?

[t3chguy]

The session dropping is due to https://bugzilla.mozilla.org/show_bug.cgi?id=1640266

[bwindels]

@mhoye thanks for reporting. I'm not sure we can do much about FF Nightly clearing localStorage.

Wrt to pinwheeling forever during verification, are you sure you were verifying the riot web session you had open? Can you describe a bit more in detail what you tried to do exactly? Which sessions did you try to verify? (e.g. between your android device and a new web session?) From which session did you initiate the verification request?

If you submit your debug logs we might be able to tell what went wrong (in the hope your indexeddb hasn't been cleared as well).

[jorendorff]

I also see pinwheeling forever during verification:

The flow up to that point goes smoothly. I enter a passphrase. I save a recovery code. It links out to a Single Sign-On screen which successfully logs me in and directs me back to the application. Then this.

In the web console, I see:

Key backup is absent or missing required data (submit-rageshake.ts:132:17)
No usable key backup: not enabling key backup (submit-rageshake.ts:132:17)
Error: Secret storage creation canceled

[jorendorff]

I tried catching this in the debugger. It's a bit of a bear each time, especially because there are source maps but they don't actually point to real source; and the source that I do have is obfuscated.

But, I think the stack I've got is basically:

• this error is thrown in pkVerify, called from
• CrossSigningInfo.checkDeviceTrust, called from
• Crypto.prototype._checkDeviceInfoTrust, called from
• Crypto.prototype.checkDeviceTrust, called from more obfuscated code.

Actual obfuscated stack trace:

checkDeviceTrust (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#30887)
_checkDeviceInfoTrust (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#13052)
checkDeviceTrust (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#13043)
n (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#24494)
r (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#51841)
r (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#51839)
_updateE2eStatus (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#162534)
m (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#17602)
g (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#17604)
b (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#17621)
onUserVerificationChanged (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#162509)
emit (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#2691)
_handleEvent (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#30531)
n (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#30533)
emit (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#2690)
checkOwnCrossSigningTrust (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#13141)
_onDeviceListUserCrossSigningUpdated (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#13065)
emit (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#2690)
_processQueryResponseForUser (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#82139)
_doQueuedQueries (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#82085)
_doQueuedQueries (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#82081)
updateDevicesForUsers (https://chat.mozilla.org/bundles/c3a918d15ae5e273894e/vendors~init.js:formatted#82071)

[jryans]

@jorendorff Thanks for the detail around verification pinwheeling. Could you try submitting debug logs via top-left menu -> Settings -> Help -> Submit debug logs, and paste this issue where it asks for a GH issue? Or if you're not comfortable with submitting logs, it would be good to at least have a screenshot of what you see in top-left menu -> Settings -> Security -> Cross-signing -> toggle open Advanced.

[richvdh]

Not sure we can do much here. If your browser is configured to blow away your storage each night, you're going to end up with lots of sessions.

[jorendorff]

No idea if this issue still exists, but in this case the browser certainly was not configured to blow away storage each night.

I would have had to log into every web site I use every day, and that was never the case.

[richvdh]

@jorendorff looking at the history here, it sounds like your problem was unrelated to the OP.

[jorendorff]

Sorry for the noise, please disregard.