MM-65085: Support Pre Shared Password on server connect (#9082) (#9096)

* feat: add shared server password to server setup

* feat: allow editing the sever

* refactor: changed password -> secret, styling and tests

* e2e: draft e2e tests

* chore: lint fix

* feat: also send preauth secret header when using native share

* fix: removed unused server database migration

credentials are being stored in the keychain

* i18n: added missing english translations

* test(e2e): simplified connection tests

* test(e2e): rework

* refactor: remove setBearerToken

* chore: restore migrations the way it was

* chore: reverted file to original state

* chore: removed unneeded test and renamed password to secret

* chore: function version

* chore: updated forms i18n keys

* chore: remove if from test

* chore: unneeded variable

* fix: add missing key on object list

* refactor: swift keychain access to retrieve all credentials in one call

* revert: edit server screen

* refactor: credentials use getGenericCredential

* fix: objc code calling old method

* fix: added scroll to login screen

* chore: variable names

* fix: avoid inline styles

* fix: Improved appVersion positioning

* Update app/screens/server/form.tsx



* feat: show error message on 403

* Revert "feat: show error message on 403"

This reverts commit f41630c.

---------


(cherry picked from commit f50056f)

Co-authored-by: Felipe Martin <[email protected]>
Co-authored-by: Matthew Birtch <[email protected]>

Author: 3 people

app/actions/remote/entry/login.ts

@@ -35,7 +35,7 @@ export async function loginEntry({serverUrl}: AfterLoginArgs): Promise<{error?:
         const credentials = await getServerCredentials(serverUrl);
         if (credentials?.token) {
             SecurityManager.addServer(serverUrl, clData.config, true);
-            WebsocketManager.createClient(serverUrl, credentials.token);
+            WebsocketManager.createClient(serverUrl, credentials.token, credentials.preauthSecret);
             await WebsocketManager.initializeClient(serverUrl, 'Login');
             SecurityManager.setActiveServer(serverUrl);
         }

app/actions/remote/general.ts

@@ -33,10 +33,10 @@ async function getDeviceIdForPing(serverUrl: string, checkDeviceId: boolean) {
 }
 
 // Default timeout interval for ping is 5 seconds
-export const doPing = async (serverUrl: string, verifyPushProxy: boolean, timeoutInterval = 5000) => {
+export const doPing = async (serverUrl: string, verifyPushProxy: boolean, timeoutInterval = 5000, preauthSecret?: string) => {
     let client: Client;
     try {
-        client = await NetworkManager.createClient(serverUrl);
+        client = await NetworkManager.createClient(serverUrl, undefined, preauthSecret);
     } catch (error) {
         return {error};
     }

app/actions/remote/session.test.ts

@@ -46,7 +46,7 @@ const throwFunc = () => {
 const mockClient = {
     login: jest.fn(() => user1),
     setCSRFToken: jest.fn(),
-    setBearerToken: jest.fn(),
+    setClientCredentials: jest.fn(),
     getClientConfigOld: jest.fn(() => ({})),
     getClientLicenseOld: jest.fn(() => ({})),
     getSessions: jest.fn(() => [session1]),

app/actions/remote/session.ts

@@ -300,7 +300,7 @@ export const sendPasswordResetEmail = async (serverUrl: string, email: string) =
     }
 };
 
-export const ssoLogin = async (serverUrl: string, serverDisplayName: string, serverIdentifier: string, bearerToken: string, csrfToken: string): Promise<LoginActionResponse> => {
+export const ssoLogin = async (serverUrl: string, serverDisplayName: string, serverIdentifier: string, bearerToken: string, csrfToken: string, preauthSecret?: string): Promise<LoginActionResponse> => {
     const database = DatabaseManager.appDatabase?.database;
     if (!database) {
         return {error: 'App database not found', failed: true};
@@ -309,7 +309,7 @@ export const ssoLogin = async (serverUrl: string, serverDisplayName: string, ser
     try {
         const client = NetworkManager.getClient(serverUrl);
 
-        client.setBearerToken(bearerToken);
+        client.setClientCredentials(bearerToken, preauthSecret);
         client.setCSRFToken(csrfToken);
 
         // Setting up active database for this SSO login flow

app/client/rest/base.ts

@@ -9,11 +9,11 @@ import ClientTracking from './tracking';
 import type {APIClientInterface} from '@mattermost/react-native-network-client';
 
 export default class ClientBase extends ClientTracking {
-    constructor(apiClient: APIClientInterface, serverUrl: string, bearerToken?: string, csrfToken?: string) {
+    constructor(apiClient: APIClientInterface, serverUrl: string, bearerToken?: string, csrfToken?: string, preauthSecret?: string) {
         super(apiClient);
 
-        if (bearerToken) {
-            this.setBearerToken(bearerToken);
+        if (bearerToken || preauthSecret) {
+            this.setClientCredentials(bearerToken || '', preauthSecret || '');
         }
         if (csrfToken) {
             this.setCSRFToken(csrfToken);

app/client/rest/constants.ts

@@ -10,6 +10,7 @@ export const HEADER_REQUESTED_WITH = 'X-Requested-With';
 export const HEADER_TOKEN = 'Token';
 export const HEADER_USER_AGENT = 'User-Agent';
 export const HEADER_X_CSRF_TOKEN = 'X-CSRF-Token';
+export const HEADER_X_MATTERMOST_PREAUTH_SECRET = 'X-Mattermost-Preauth-Secret';
 export const HEADER_X_VERSION_ID = 'X-Version-Id';
 export const DEFAULT_LIMIT_BEFORE = 30;
 export const DEFAULT_LIMIT_AFTER = 30;

app/client/rest/index.ts

@@ -78,8 +78,8 @@ class Client extends mix(ClientBase).with(
     ClientPlaybooks,
 ) {
     // eslint-disable-next-line no-useless-constructor
-    constructor(apiClient: APIClientInterface, serverUrl: string, bearerToken?: string, csrfToken?: string) {
-        super(apiClient, serverUrl, bearerToken, csrfToken);
+    constructor(apiClient: APIClientInterface, serverUrl: string, bearerToken?: string, csrfToken?: string, preauthSecret?: string) {
+        super(apiClient, serverUrl, bearerToken, csrfToken, preauthSecret);
     }
 }
 

app/client/rest/tracking.test.ts

@@ -92,10 +92,10 @@ describe('ClientTracking', () => {
 
     it('should set bearer token', () => {
         const token = 'testToken';
-        client.setBearerToken(token);
+        client.setClientCredentials(token);
 
         expect(client.requestHeaders[ClientConstants.HEADER_AUTH]).toBe(`${ClientConstants.HEADER_BEARER} ${token}`);
-        expect(require('@init/credentials').setServerCredentials).toHaveBeenCalledWith(apiClientMock.baseUrl, token);
+        expect(require('@init/credentials').setServerCredentials).toHaveBeenCalledWith(apiClientMock.baseUrl, token, undefined);
     });
 
     it('should set CSRF token', () => {
@@ -107,7 +107,7 @@ describe('ClientTracking', () => {
 
     it('should get request headers', () => {
         client.setCSRFToken('csrfToken');
-        client.setBearerToken('testToken');
+        client.setClientCredentials('testToken');
 
         const headers = client.getRequestHeaders('POST');
         expect(headers[ClientConstants.HEADER_AUTH]).toBe(`${ClientConstants.HEADER_BEARER} testToken`);
@@ -823,5 +823,59 @@ describe('ClientTracking', () => {
             expect(result).toBe(100);
         });
     });
+
+    describe('setClientCredentials', () => {
+        it('should set shared password header when provided', () => {
+            client.setClientCredentials('bearer-token', 'shared-password');
+
+            expect(client.requestHeaders[ClientConstants.HEADER_AUTH]).toBe(`${ClientConstants.HEADER_BEARER} bearer-token`);
+            expect(client.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET]).toBe('shared-password');
+        });
+
+        it('should remove shared password header when undefined', () => {
+            // First set a shared password
+            client.setClientCredentials('bearer-token', 'shared-password');
+            expect(client.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET]).toBe('shared-password');
+
+            // Then remove it by setting undefined
+            client.setClientCredentials('bearer-token', undefined);
+            expect(client.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET]).toBeUndefined();
+        });
+
+        it('should remove shared password header when empty string', () => {
+            // First set a shared password
+            client.setClientCredentials('bearer-token', 'shared-password');
+            expect(client.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET]).toBe('shared-password');
+
+            // Then remove it by setting empty string
+            client.setClientCredentials('bearer-token', '');
+            expect(client.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET]).toBeUndefined();
+        });
+
+        it('should always set bearer token correctly', () => {
+            client.setClientCredentials('test-bearer', 'shared-password');
+            expect(client.requestHeaders[ClientConstants.HEADER_AUTH]).toBe(`${ClientConstants.HEADER_BEARER} test-bearer`);
+
+            client.setClientCredentials('new-bearer', undefined);
+            expect(client.requestHeaders[ClientConstants.HEADER_AUTH]).toBe(`${ClientConstants.HEADER_BEARER} new-bearer`);
+        });
+
+        it('should handle multiple header updates correctly', () => {
+            // Set initial credentials
+            client.setClientCredentials('bearer1', 'password1');
+            expect(client.requestHeaders[ClientConstants.HEADER_AUTH]).toBe(`${ClientConstants.HEADER_BEARER} bearer1`);
+            expect(client.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET]).toBe('password1');
+
+            // Update to new password
+            client.setClientCredentials('bearer2', 'password2');
+            expect(client.requestHeaders[ClientConstants.HEADER_AUTH]).toBe(`${ClientConstants.HEADER_BEARER} bearer2`);
+            expect(client.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET]).toBe('password2');
+
+            // Remove password
+            client.setClientCredentials('bearer3', undefined);
+            expect(client.requestHeaders[ClientConstants.HEADER_AUTH]).toBe(`${ClientConstants.HEADER_BEARER} bearer3`);
+            expect(client.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET]).toBeUndefined();
+        });
+    });
 });
 /* eslint-enable max-lines */

app/client/rest/tracking.ts

@@ -72,9 +72,17 @@ export default class ClientTracking {
         this.apiClient = apiClient;
     }
 
-    setBearerToken(bearerToken: string) {
+    setClientCredentials(bearerToken: string, preauthSecret?: string) {
         this.requestHeaders[ClientConstants.HEADER_AUTH] = `${ClientConstants.HEADER_BEARER} ${bearerToken}`;
-        setServerCredentials(this.apiClient.baseUrl, bearerToken);
+
+        if (preauthSecret) {
+            this.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET] = preauthSecret;
+        } else {
+            // Remove shared password header when undefined
+            delete this.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET];
+        }
+
+        setServerCredentials(this.apiClient.baseUrl, bearerToken, preauthSecret);
     }
 
     setCSRFToken(csrfToken: string) {
@@ -412,7 +420,8 @@ export default class ClientTracking {
 
         const bearerToken = headers[ClientConstants.HEADER_TOKEN] || headers[ClientConstants.HEADER_TOKEN.toLowerCase()];
         if (bearerToken) {
-            this.setBearerToken(bearerToken);
+            const existingSharedPassword = this.requestHeaders[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET];
+            this.setClientCredentials(bearerToken, existingSharedPassword);
         }
 
         if (response.ok) {

app/client/websocket/index.ts

@@ -4,6 +4,7 @@
 import {type ClientHeaders, getOrCreateWebSocketClient, type WebSocketClientInterface, WebSocketReadyState} from '@mattermost/react-native-network-client';
 import {Platform} from 'react-native';
 
+import * as ClientConstants from '@client/rest/constants';
 import {WebsocketEvents} from '@constants';
 import DatabaseManager from '@database/manager';
 import {getConfigValue} from '@queries/servers/system';
@@ -26,6 +27,7 @@ export default class WebSocketClient {
     private connectionTimeout: NodeJS.Timeout | undefined;
     private connectionId = '';
     private token: string;
+    private preauthSecret?: string;
     private stop = false;
     private url = '';
     private serverUrl: string;
@@ -58,9 +60,10 @@ export default class WebSocketClient {
     private closeCallback?: (connectFailCount: number) => void;
     private connectingCallback?: () => void;
 
-    constructor(serverUrl: string, token: string) {
+    constructor(serverUrl: string, token: string, preauthSecret?: string) {
         this.token = token;
         this.serverUrl = serverUrl;
+        this.preauthSecret = preauthSecret;
     }
 
     public async initialize(opts = {}, shouldSkipSync = false) {
@@ -134,6 +137,13 @@ export default class WebSocketClient {
                 // iOS is using he underlying cookieJar
                 headers.Authorization = `Bearer ${this.token}`;
             }
+
+            // Add shared password header if available
+            if (this.preauthSecret) {
+                headers[ClientConstants.HEADER_X_MATTERMOST_PREAUTH_SECRET] = this.preauthSecret;
+                logDebug('WebSocket: Added shared password header for', this.serverUrl);
+            }
+
             const {client} = await getOrCreateWebSocketClient(this.url, {headers, timeoutInterval: WEBSOCKET_TIMEOUT});
 
             // Check again if the client is the same, to avoid race conditions