Replace the concept of a Widget Security Key with an OIDC state

The security key naming/practice was misguided, so let's call it what it is (a settings key) and abstract away the complexity to a new store. Fixes https://github.com/vector-im/element-web/issues/15820 while we're here.
2020-11-25 18:39:11 -07:00 · 2020-11-25 18:39:11 -07:00 · 5da27aed94
commit 5da27aed94
parent c91dc55bc1
5 changed files with 119 additions and 50 deletions
--- a/src/stores/widgets/StopGapWidgetDriver.ts
+++ b/src/stores/widgets/StopGapWidgetDriver.ts
@ -30,13 +30,12 @@ import { iterableDiff, iterableUnion } from "../../utils/iterables";
 import { MatrixClientPeg } from "../../MatrixClientPeg";
 import ActiveRoomObserver from "../../ActiveRoomObserver";
 import Modal from "../../Modal";
-import WidgetUtils from "../../utils/WidgetUtils";
-import SettingsStore from "../../settings/SettingsStore";
 import WidgetOpenIDPermissionsDialog from "../../components/views/dialogs/WidgetOpenIDPermissionsDialog";
 import WidgetCapabilitiesPromptDialog, {
    getRememberedCapabilitiesForWidget,
 } from "../../components/views/dialogs/WidgetCapabilitiesPromptDialog";
 import { WidgetPermissionCustomisations } from "../../customisations/WidgetPermissions";
+import { OIDCState, WidgetPermissionStore } from "./WidgetPermissionStore";

 // TODO: Purge this from the universe

@ -44,7 +43,12 @@ export class StopGapWidgetDriver extends WidgetDriver {
    private allowedCapabilities: Set<Capability>;

    // TODO: Refactor widgetKind into the Widget class
-    constructor(allowedCapabilities: Capability[], private forWidget: Widget, private forWidgetKind: WidgetKind) {
+    constructor(
+        allowedCapabilities: Capability[],
+        private forWidget: Widget,
+        private forWidgetKind: WidgetKind,
+        private inRoomId?: string,
+    ) {
        super();

        // Always allow screenshots to be taken because it's a client-induced flow. The widget can't
@ -114,26 +118,27 @@ export class StopGapWidgetDriver extends WidgetDriver {
    public async askOpenID(observer: SimpleObservable<IOpenIDUpdate>) {
        const isUserWidget = this.forWidgetKind !== WidgetKind.Room; // modal and account widgets are "user" widgets
        const rawUrl = this.forWidget.templateUrl;
-        const widgetSecurityKey = WidgetUtils.getWidgetSecurityKey(this.forWidget.id, rawUrl, isUserWidget);
+        const oidcState = WidgetPermissionStore.instance.getOIDCState(
+            this.forWidget, this.forWidgetKind, this.inRoomId,
+        );

        const getToken = (): Promise<IOpenIDCredentials> => {
            return MatrixClientPeg.get().getOpenIdToken();
        };

-        const settings = SettingsStore.getValue("widgetOpenIDPermissions");
-        if (settings?.deny?.includes(widgetSecurityKey)) {
+        if (oidcState === OIDCState.Denied) {
            return observer.update({state: OpenIDRequestState.Blocked});
        }
-        if (settings?.allow?.includes(widgetSecurityKey)) {
+        if (oidcState === OIDCState.Allowed) {
            return observer.update({state: OpenIDRequestState.Allowed, token: await getToken()});
        }

        observer.update({state: OpenIDRequestState.PendingUserConfirmation});

        Modal.createTrackedDialog("OpenID widget permissions", '', WidgetOpenIDPermissionsDialog, {
-            widgetUrl: rawUrl,
-            widgetId: this.forWidget.id,
-            isUserWidget: isUserWidget,
+            widget: this.forWidget,
+            widgetKind: this.forWidgetKind,
+            inRoomId: this.inRoomId,

            onFinished: async (confirm) => {
                if (!confirm) {