fix(qr-login): Support the new variant of the m.login.protocols message

poljar · poljar · commit 5b449d8ed094 · 2026-03-20T11:13:17.000+01:00
diff --git a/crates/matrix-sdk/src/authentication/oauth/qrcode/grant.rs b/crates/matrix-sdk/src/authentication/oauth/qrcode/grant.rs
@@ -37,7 +37,7 @@ use crate::{
     Client,
     authentication::oauth::qrcode::{
         CheckCodeSender, GeneratedQrProgress, LoginFailureReason, QRCodeGrantLoginError,
-        QrProgress, SecureChannelError,
+        QrProgress, SecureChannelError, messages::LoginProtocolsMessage,
     },
 };
 
@@ -280,9 +280,16 @@ impl<'a> IntoFuture for GrantLoginWithScannedQrCode<'a> {
             // Inform the other device about the available login protocols and the
             // homeserver to use.
             // -- MSC4108 OAuth 2.0 login step 1
-            let message = QrAuthMessage::LoginProtocols {
-                protocols: vec![LoginProtocolType::DeviceAuthorizationGrant],
-                homeserver: self.client.homeserver(),
+            let message = if channel.is_using_msc_4388() {
+                QrAuthMessage::LoginProtocols(LoginProtocolsMessage::Msc4388 {
+                    protocols: vec![LoginProtocolType::DeviceAuthorizationGrant],
+                    base_url: self.client.homeserver(),
+                })
+            } else {
+                QrAuthMessage::LoginProtocols(LoginProtocolsMessage::Msc4108 {
+                    protocols: vec![LoginProtocolType::DeviceAuthorizationGrant],
+                    homeserver: self.client.homeserver(),
+                })
             };
             channel.send_json(message).await?;
 
@@ -424,7 +431,7 @@ mod test {
 
     use assert_matches2::{assert_let, assert_matches};
     use futures_util::StreamExt;
-    use matrix_sdk_base::crypto::types::SecretsBundle;
+    use matrix_sdk_base::crypto::types::{SecretsBundle, qr_login::QrCodeIntentData};
     use matrix_sdk_common::executor::spawn;
     use matrix_sdk_test::async_test;
     use oauth2::{EndUserVerificationUrl, VerificationUriComplete};
@@ -636,6 +643,11 @@ mod test {
         device_authorization_grant: Option<AuthorizationGrant>,
         secrets_bundle: Option<SecretsBundle>,
     ) {
+        let is_using_msc_4388 = match channel.qr_code_data().intent_data() {
+            QrCodeIntentData::Msc4108 { .. } => false,
+            QrCodeIntentData::Msc4388 { .. } => true,
+        };
+
         // Wait for Alice to scan the qr code and connect the secure channel.
         let channel =
             channel.connect().await.expect("Bob should be able to connect the secure channel");
@@ -651,9 +663,27 @@ mod test {
             .receive_json()
             .await
             .expect("Bob should receive the LoginProtocolAccepted message from Alice");
-        assert_let!(
-            QrAuthMessage::LoginProtocols { protocols, homeserver: alice_homeserver } = message
-        );
+
+        let (protocols, alice_homeserver) = if is_using_msc_4388 {
+            assert_let!(
+                QrAuthMessage::LoginProtocols(LoginProtocolsMessage::Msc4388 {
+                    protocols,
+                    base_url,
+                }) = message
+            );
+
+            (protocols, base_url)
+        } else {
+            assert_let!(
+                QrAuthMessage::LoginProtocols(LoginProtocolsMessage::Msc4108 {
+                    protocols,
+                    homeserver,
+                }) = message
+            );
+
+            (protocols, homeserver)
+        };
+
         assert_eq!(protocols, vec![LoginProtocolType::DeviceAuthorizationGrant]);
         assert_eq!(alice_homeserver, homeserver);
 
diff --git a/crates/matrix-sdk/src/authentication/oauth/qrcode/login.rs b/crates/matrix-sdk/src/authentication/oauth/qrcode/login.rs
@@ -40,7 +40,10 @@ use crate::{
     Client,
     authentication::oauth::{
         ClientRegistrationData, OAuth, OAuthError,
-        qrcode::{CheckCodeSender, GeneratedQrProgress, LoginProtocolType, QrProgress},
+        qrcode::{
+            CheckCodeSender, GeneratedQrProgress, LoginProtocolType, QrProgress,
+            messages::LoginProtocolsMessage,
+        },
     },
 };
 
@@ -401,7 +404,10 @@ impl<'a> IntoFuture for LoginWithGeneratedQrCode<'a> {
             // Verify that the device authorization grant is supported and extract
             // the homeserver URL.
             let homeserver = match message {
-                QrAuthMessage::LoginProtocols { protocols, homeserver } => {
+                QrAuthMessage::LoginProtocols(LoginProtocolsMessage::Msc4108 {
+                    protocols,
+                    homeserver,
+                }) if !channel.is_using_msc_4388() => {
                     if !protocols.contains(&LoginProtocolType::DeviceAuthorizationGrant) {
                         channel
                             .send_json(QrAuthMessage::LoginFailure {
@@ -418,6 +424,27 @@ impl<'a> IntoFuture for LoginWithGeneratedQrCode<'a> {
 
                     homeserver
                 }
+                QrAuthMessage::LoginProtocols(LoginProtocolsMessage::Msc4388 {
+                    protocols,
+                    base_url,
+                }) if channel.is_using_msc_4388() => {
+                    if !protocols.contains(&LoginProtocolType::DeviceAuthorizationGrant) {
+                        channel
+                            .send_json(QrAuthMessage::LoginFailure {
+                                reason: LoginFailureReason::UnsupportedProtocol,
+                                homeserver: None,
+                            })
+                            .await?;
+
+                        return Err(QRCodeLoginError::LoginFailure {
+                            reason: LoginFailureReason::UnsupportedProtocol,
+                            homeserver: None,
+                        });
+                    }
+
+                    base_url
+                }
+
                 _ => {
                     send_unexpected_message_error(&mut channel).await?;
 
@@ -520,7 +547,7 @@ mod test {
     use super::*;
     use crate::{
         authentication::oauth::qrcode::{
-            messages::LoginProtocolType,
+            messages::{LoginProtocolType, LoginProtocolsMessage},
             secure_channel::{SecureChannel, test::MockedRendezvousServer},
         },
         config::RequestConfig,
@@ -740,9 +767,16 @@ mod test {
             .expect("Alice should be able to send the check code to Bob");
 
         // Alice sends m.login.protocols message
-        let message = QrAuthMessage::LoginProtocols {
-            protocols: vec![LoginProtocolType::DeviceAuthorizationGrant],
-            homeserver: alice.homeserver(),
+        let message = if channel.is_using_msc_4388() {
+            QrAuthMessage::LoginProtocols(LoginProtocolsMessage::Msc4388 {
+                protocols: vec![LoginProtocolType::DeviceAuthorizationGrant],
+                base_url: alice.homeserver(),
+            })
+        } else {
+            QrAuthMessage::LoginProtocols(LoginProtocolsMessage::Msc4108 {
+                protocols: vec![LoginProtocolType::DeviceAuthorizationGrant],
+                homeserver: alice.homeserver(),
+            })
         };
         channel
             .send_json(message)
diff --git a/crates/matrix-sdk/src/authentication/oauth/qrcode/messages.rs b/crates/matrix-sdk/src/authentication/oauth/qrcode/messages.rs
@@ -33,12 +33,7 @@ pub enum QrAuthMessage {
     /// Message declaring the available protocols for sign in. Sent by the
     /// existing device.
     #[serde(rename = "m.login.protocols")]
-    LoginProtocols {
-        /// The login protocols the existing device supports.
-        protocols: Vec<LoginProtocolType>,
-        /// The homeserver we're going to log in to.
-        homeserver: Url,
-    },
+    LoginProtocols(LoginProtocolsMessage),
 
     /// Message declaring which protocols from the previous `m.login.protocols`
     /// message the new device has picked. Sent by the new device.
@@ -88,6 +83,28 @@ pub enum QrAuthMessage {
     LoginSecrets(SecretsBundle),
 }
 
+/// Message declaring the available protocols for sign in. Sent by the
+/// existing device.
+///
+/// Supports both the MSC4108 variant of the m.login.protocols message as well
+/// as the MSC4388 variant.
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(untagged)]
+pub enum LoginProtocolsMessage {
+    Msc4388 {
+        /// The login protocols the existing device supports.
+        protocols: Vec<LoginProtocolType>,
+        /// The homeserver we're going to log in to.
+        base_url: Url,
+    },
+    Msc4108 {
+        /// The login protocols the existing device supports.
+        protocols: Vec<LoginProtocolType>,
+        /// The homeserver we're going to log in to.
+        homeserver: Url,
+    },
+}
+
 impl QrAuthMessage {
     /// Create a new [`QrAuthMessage::LoginProtocol`] message with the
     /// [`LoginProtocolType::DeviceAuthorizationGrant`] protocol type.
@@ -170,17 +187,48 @@ mod test {
     use super::*;
 
     #[test]
-    fn test_protocols_serialization() {
+    fn test_protocols_serialization_msc_4108() {
+        const HOMESERVER: &str = "https://matrix-client.matrix.org/";
+
         let json = json!({
             "type": "m.login.protocols",
             "protocols": ["device_authorization_grant"],
-            "homeserver": "https://matrix-client.matrix.org/"
+            "homeserver": HOMESERVER,
 
         });
 
         let message: QrAuthMessage = serde_json::from_value(json.clone()).unwrap();
-        assert_let!(QrAuthMessage::LoginProtocols { protocols, .. } = &message);
+        assert_let!(
+            QrAuthMessage::LoginProtocols(LoginProtocolsMessage::Msc4108 {
+                protocols,
+                homeserver
+            }) = &message
+        );
+        assert!(protocols.contains(&LoginProtocolType::DeviceAuthorizationGrant));
+        assert_eq!(homeserver.as_str(), HOMESERVER);
+
+        let serialized = serde_json::to_value(&message).unwrap();
+        assert_eq!(json, serialized);
+    }
+
+    #[test]
+    fn test_protocols_serialization_msc_4388() {
+        const HOMESERVER: &str = "https://matrix-client.matrix.org/";
+
+        let json = json!({
+            "type": "m.login.protocols",
+            "protocols": ["device_authorization_grant"],
+            "base_url": HOMESERVER,
+
+        });
+
+        let message: QrAuthMessage = serde_json::from_value(json.clone()).unwrap();
+        assert_let!(
+            QrAuthMessage::LoginProtocols(LoginProtocolsMessage::Msc4388 { protocols, base_url }) =
+                &message
+        );
         assert!(protocols.contains(&LoginProtocolType::DeviceAuthorizationGrant));
+        assert_eq!(base_url.as_str(), HOMESERVER);
 
         let serialized = serde_json::to_value(&message).unwrap();
         assert_eq!(json, serialized);
diff --git a/crates/matrix-sdk/src/authentication/oauth/qrcode/secure_channel/mod.rs b/crates/matrix-sdk/src/authentication/oauth/qrcode/secure_channel/mod.rs
@@ -319,6 +319,13 @@ impl EstablishedSecureChannel {
         }
     }
 
+    pub(super) fn is_using_msc_4388(&self) -> bool {
+        match &self.channel {
+            RendezvousChannel::Msc4108(_) => false,
+            RendezvousChannel::Msc4388(_) => true,
+        }
+    }
+
     /// Get the [`CheckCode`] which can be used to, out of band, verify that
     /// both sides of the channel are indeed communicating with each other and
     /// not with a 3rd party.

Original file line number	Diff line number	Diff line change
`@@ -319,6 +319,13 @@ impl EstablishedSecureChannel {`
`319`	`319`	`}`
`320`	`320`	`}`
`321`	`321`
	`322`	`+ pub(super) fn is_using_msc_4388(&self) -> bool {`
	`323`	`+ match &self.channel {`
	`324`	`+ RendezvousChannel::Msc4108(_) => false,`
	`325`	`+ RendezvousChannel::Msc4388(_) => true,`
	`326`	`+ }`
	`327`	`+ }`
	`328`	`+`
`322`	`329`	/// Get the [`CheckCode`] which can be used to, out of band, verify that
`323`	`330`	`/// both sides of the channel are indeed communicating with each other and`
`324`	`331`	`/// not with a 3rd party.`