Add sessions to device registration state (dfinity#3219)

* Add sessions to device registration state.

* Add sessions to device registration state.

* Add sessions to device registration state.

* Add sessions to device registration state.

* Add sessions to device registration state.

* Declaration files.

* Don't rename state variable

Author: sea-snake

src/frontend/src/lib/generated/internet_identity_idl.js

@@ -142,7 +142,9 @@ export const idlFactory = ({ IDL }) => {
   });
   const AuthnMethodAddError = IDL.Variant({ 'InvalidMetadata' : IDL.Text });
   const AuthnMethodConfirmationError = IDL.Variant({
+    'InternalCanisterError' : IDL.Text,
     'RegistrationModeOff' : IDL.Null,
+    'Unauthorized' : IDL.Principal,
     'NoAuthnMethodToConfirm' : IDL.Null,
     'WrongCode' : IDL.Record({ 'retries_left' : IDL.Nat8 }),
   });

src/frontend/src/lib/generated/internet_identity_types.d.ts

@@ -54,7 +54,11 @@ export interface AuthnMethodConfirmationCode {
   'confirmation_code' : string,
   'expiration' : Timestamp,
 }
-export type AuthnMethodConfirmationError = { 'RegistrationModeOff' : null } |
+export type AuthnMethodConfirmationError = {
+    'InternalCanisterError' : string
+  } |
+  { 'RegistrationModeOff' : null } |
+  { 'Unauthorized' : Principal } |
   { 'NoAuthnMethodToConfirm' : null } |
   { 'WrongCode' : { 'retries_left' : number } };
 export interface AuthnMethodData {

src/internet_identity/internet_identity.did

@@ -505,6 +505,8 @@ type AuthnMethodRegisterError = variant {
 };
 
 type AuthnMethodConfirmationError = variant {
+    Unauthorized : principal;
+    InternalCanisterError : text;
     // Wrong confirmation code entered. Retry with correct code.
     WrongCode : record {
         retries_left : nat8;

src/internet_identity/src/anchor_management/tentative_device_registration.rs

@@ -1,13 +1,13 @@
-use crate::anchor_management::add_device;
 use crate::authz_utils::IdentityUpdateError;
-use crate::state::RegistrationState::{DeviceRegistrationModeActive, DeviceTentativelyAdded};
+use crate::state::RegistrationState::{
+    DeviceRegistrationModeActive, DeviceTentativelyAdded, SessionTentativelyAdded,
+    SessionTentativelyConfirmed,
+};
 use crate::state::TentativeDeviceRegistration;
-use crate::storage::anchor::Anchor;
 use crate::{secs_to_nanos, state};
 use candid::{CandidType, Principal};
 use ic_cdk::api::time;
 use ic_cdk::{call, trap};
-use internet_identity_interface::archive::types::Operation;
 use internet_identity_interface::internet_identity::types::*;
 use std::collections::{hash_map, HashMap};
 use TentativeDeviceRegistrationError::{AnotherDeviceTentativelyAdded, DeviceRegistrationModeOff};
@@ -77,7 +77,7 @@ pub fn exit_device_registration_mode(anchor_number: AnchorNumber) {
 }
 
 pub struct TentativeRegistrationInfo {
-    pub verification_code: DeviceVerificationCode,
+    pub verification_code: DeviceConfirmationCode,
     pub device_registration_timeout: Timestamp,
 }
 
@@ -96,35 +96,42 @@ impl From<IdentityUpdateError> for TentativeDeviceRegistrationError {
 
 pub async fn add_tentative_device(
     anchor_number: AnchorNumber,
-    device_data: DeviceData,
+    tentative_device: DeviceData,
 ) -> Result<TentativeRegistrationInfo, TentativeDeviceRegistrationError> {
-    let verification_code = new_verification_code().await;
+    let confirmation_code = new_confirmation_code().await;
     let now = time();
 
     state::tentative_device_registrations_mut(|registrations| {
         state::lookup_tentative_device_registration_mut(|lookup| {
             prune_expired_tentative_device_registrations(registrations, lookup);
 
-            match registrations.get_mut(&anchor_number) {
-                None => Err(DeviceRegistrationModeOff),
-                Some(TentativeDeviceRegistration { expiration, .. }) if *expiration <= now => {
+            // Get registration else throw error
+            let registration = registrations
+                .get_mut(&anchor_number)
+                .ok_or(DeviceRegistrationModeOff)?;
+
+            match registration {
+                // Make sure registration isn't expired
+                TentativeDeviceRegistration { expiration, .. } if *expiration <= now => {
                     Err(DeviceRegistrationModeOff)
                 }
-                Some(TentativeDeviceRegistration {
-                    state: DeviceTentativelyAdded { .. },
+                // Add tentative session if registration mode is active
+                TentativeDeviceRegistration {
+                    state: DeviceRegistrationModeActive,
                     ..
-                }) => Err(AnotherDeviceTentativelyAdded),
-                Some(registration) => {
+                } => {
                     registration.state = DeviceTentativelyAdded {
-                        tentative_device: device_data,
+                        tentative_device,
                         failed_attempts: 0,
-                        verification_code: verification_code.clone(),
+                        confirmation_code: confirmation_code.clone(),
                     };
                     Ok(TentativeRegistrationInfo {
                         device_registration_timeout: registration.expiration,
-                        verification_code,
+                        verification_code: confirmation_code,
                     })
                 }
+                // Else return error
+                _ => Err(AnotherDeviceTentativelyAdded),
             }
         })
     })
@@ -135,82 +142,80 @@ pub enum VerifyTentativeDeviceError {
     WrongCode { retries_left: u8 },
     DeviceRegistrationModeOff,
     NoDeviceToVerify,
-    IdentityUpdateError(IdentityUpdateError),
-}
-
-impl From<IdentityUpdateError> for VerifyTentativeDeviceError {
-    fn from(err: IdentityUpdateError) -> Self {
-        VerifyTentativeDeviceError::IdentityUpdateError(err)
-    }
-}
-
-/// Verifies the tentative device using the submitted `user_verification_code` and returns
-/// a result of [VerifyTentativeDeviceResponse]. [VerifyTentativeDeviceResponse] is used both as
-/// a success and an error type because it corresponds to the candid variant unifying success and
-/// error cases. See `authenticated_anchor_operation` for more details on how the [Result] is handled.
-pub fn verify_tentative_device(
-    anchor: &mut Anchor,
-    anchor_number: AnchorNumber,
-    user_verification_code: DeviceVerificationCode,
-) -> Result<((), Operation), VerifyTentativeDeviceError> {
-    match get_verified_device(anchor_number, user_verification_code) {
-        Ok(device) => {
-            let operation = add_device(anchor, device);
-            Ok(((), operation))
-        }
-        Err(err) => Err(err),
-    }
 }
 
-/// Checks the device verification code for a tentative device.
-/// If valid, returns the device to be added and exits device registration mode
-/// If invalid, returns the appropriate error to send to the client and increases failed attempts. Exits device registration mode if there are no retries left.
-fn get_verified_device(
+/// Confirm the tentative device or session using the submitted `user_confirmation_code`.
+///
+/// # Returns
+/// [`Some(DeviceData)`] if a device (or [`None`] if a session) has been confirmed
+///
+/// # Errors
+/// Returns an error if either there's no tentative device (or session) or the code is incorrect.
+pub fn confirm_tentative_device_or_session(
     anchor_number: AnchorNumber,
-    user_verification_code: DeviceVerificationCode,
-) -> Result<DeviceData, VerifyTentativeDeviceError> {
+    user_confirmation_code: DeviceConfirmationCode,
+) -> Result<Option<DeviceData>, VerifyTentativeDeviceError> {
     state::tentative_device_registrations_mut(|registrations| {
         state::lookup_tentative_device_registration_mut(|lookup| {
             prune_expired_tentative_device_registrations(registrations, lookup);
 
-            // Check if the registration exists
-            if !registrations.contains_key(&anchor_number) {
-                return Err(VerifyTentativeDeviceError::DeviceRegistrationModeOff);
-            }
+            // Get registration else throw error
+            let registration = registrations
+                .get_mut(&anchor_number)
+                .ok_or(VerifyTentativeDeviceError::DeviceRegistrationModeOff)?;
+
+            let (should_remove, response) = match &mut registration.state {
+                DeviceRegistrationModeActive | SessionTentativelyConfirmed { .. } => {
+                    (false, Err(VerifyTentativeDeviceError::NoDeviceToVerify))
+                }
+                DeviceTentativelyAdded {
+                    failed_attempts,
+                    confirmation_code,
+                    tentative_device,
+                } => {
+                    if user_confirmation_code == *confirmation_code {
+                        // Verification successful - return device to be added and remove the registration
+                        (true, Ok(Some(tentative_device.clone())))
+                    } else {
+                        // Increment failed attempts counter
+                        *failed_attempts += 1;
 
-            // Check the state and prepare the response without keeping a mutable reference
-            let (should_remove, response) =
-                match &mut registrations.get_mut(&anchor_number).unwrap().state {
-                    DeviceRegistrationModeActive => {
-                        (false, Err(VerifyTentativeDeviceError::NoDeviceToVerify))
+                        // Remove registration if max attempts reached
+                        (
+                            *failed_attempts >= MAX_DEVICE_REGISTRATION_ATTEMPTS,
+                            Err(VerifyTentativeDeviceError::WrongCode {
+                                retries_left: (MAX_DEVICE_REGISTRATION_ATTEMPTS - *failed_attempts),
+                            }),
+                        )
                     }
-                    DeviceTentativelyAdded {
-                        failed_attempts,
-                        verification_code,
-                        tentative_device,
-                    } => {
-                        if user_verification_code == *verification_code {
-                            // Verification successful - we'll remove the registration
-                            (true, Ok(tentative_device.clone()))
-                        } else {
-                            // Increment failed attempts counter
-                            *failed_attempts += 1;
+                }
+                SessionTentativelyAdded {
+                    failed_attempts,
+                    confirmation_code,
+                    tentative_session,
+                } => {
+                    if user_confirmation_code == *confirmation_code {
+                        let principal = *tentative_session;
 
-                            // Check if max attempts reached
-                            let should_remove =
-                                *failed_attempts >= MAX_DEVICE_REGISTRATION_ATTEMPTS;
+                        // Verification successful - we'll confirm the session and keep the registration
+                        registration.state = SessionTentativelyConfirmed {
+                            tentative_session: principal,
+                        };
+                        (false, Ok(None))
+                    } else {
+                        // Increment failed attempts counter
+                        *failed_attempts += 1;
 
-                            (
-                                should_remove,
-                                Err(VerifyTentativeDeviceError::WrongCode {
-                                    retries_left: (MAX_DEVICE_REGISTRATION_ATTEMPTS
-                                        - *failed_attempts),
-                                }),
-                            )
-                        }
+                        // Remove registration if max attempts reached
+                        (
+                            *failed_attempts >= MAX_DEVICE_REGISTRATION_ATTEMPTS,
+                            Err(VerifyTentativeDeviceError::WrongCode {
+                                retries_left: (MAX_DEVICE_REGISTRATION_ATTEMPTS - *failed_attempts),
+                            }),
+                        )
                     }
-                };
-
+                }
+            };
             // Now handle removal if needed, after we're done with the mutable borrow
             if should_remove {
                 if let Some(TentativeDeviceRegistration {
@@ -221,14 +226,13 @@ fn get_verified_device(
                     lookup.remove(&reg_id);
                 }
             }
-
             response
         })
     })
 }
 
-/// Return a decimal representation of a random `u32` to be used as verification code
-async fn new_verification_code() -> DeviceVerificationCode {
+/// Return a decimal representation of a random `u32` to be used as confirmation code
+async fn new_confirmation_code() -> DeviceConfirmationCode {
     let res: Vec<u8> = match call(Principal::management_canister(), "raw_rand", ()).await {
         Ok((res,)) => res,
         Err((_, err)) => trap(&format!("failed to get randomness: {err}")),

src/internet_identity/src/main.rs

@@ -123,17 +123,26 @@ async fn add_tentative_device(
 #[update]
 fn verify_tentative_device(
     anchor_number: AnchorNumber,
-    user_verification_code: DeviceVerificationCode,
+    user_confirmation_code: DeviceConfirmationCode,
 ) -> VerifyTentativeDeviceResponse {
-    let result = anchor_operation_with_authz_check(anchor_number, |anchor| {
-        tentative_device_registration::verify_tentative_device(
-            anchor,
-            anchor_number,
-            user_verification_code,
-        )
-    });
-    match result {
-        Ok(()) => VerifyTentativeDeviceResponse::Verified,
+    let (mut anchor, authorization_key) = check_authorization(anchor_number)
+        .unwrap_or_else(|err| trap(&format!("{} could not be authenticated.", err.principal)));
+    match tentative_device_registration::confirm_tentative_device_or_session(
+        anchor_number,
+        user_confirmation_code,
+    ) {
+        Ok(maybe_confirmed_device) => {
+            if let Some(confirmed_device) = maybe_confirmed_device {
+                // Add device to anchor with bookkeeping if it has been confirmed
+                anchor_management::activity_bookkeeping(&mut anchor, &authorization_key);
+                let operation = anchor_management::add_device(&mut anchor, confirmed_device);
+                if let Err(err) = state::storage_borrow_mut(|storage| storage.update(anchor)) {
+                    trap(&format!("{err}"));
+                }
+                anchor_management::post_operation_bookkeeping(anchor_number, operation);
+            }
+            VerifyTentativeDeviceResponse::Verified
+        }
         Err(err) => match err {
             VerifyTentativeDeviceError::DeviceRegistrationModeOff => {
                 VerifyTentativeDeviceResponse::DeviceRegistrationModeOff
@@ -144,10 +153,6 @@ fn verify_tentative_device(
             VerifyTentativeDeviceError::WrongCode { retries_left } => {
                 VerifyTentativeDeviceResponse::WrongCode { retries_left }
             }
-            VerifyTentativeDeviceError::IdentityUpdateError(err) => {
-                // Legacy API traps instead of returning an error.
-                trap(String::from(err).as_str())
-            }
         },
     }
 }
@@ -926,19 +931,37 @@ mod v2_api {
         identity_number: IdentityNumber,
         confirmation_code: String,
     ) -> Result<(), AuthnMethodConfirmationError> {
-        let response = verify_tentative_device(identity_number, confirmation_code);
-        match response {
-            VerifyTentativeDeviceResponse::Verified => Ok(()),
-            VerifyTentativeDeviceResponse::WrongCode { retries_left } => {
-                Err(AuthnMethodConfirmationError::WrongCode { retries_left })
-            }
-            VerifyTentativeDeviceResponse::DeviceRegistrationModeOff => {
-                Err(AuthnMethodConfirmationError::RegistrationModeOff)
-            }
-            VerifyTentativeDeviceResponse::NoDeviceToVerify => {
-                Err(AuthnMethodConfirmationError::NoAuthnMethodToConfirm)
-            }
+        let (mut anchor, authorization_key) = check_authorization(identity_number)
+            .map_err(|err| AuthnMethodConfirmationError::Unauthorized(err.principal))?;
+
+        let maybe_confirmed_device =
+            tentative_device_registration::confirm_tentative_device_or_session(
+                identity_number,
+                confirmation_code,
+            )
+            .map_err(|err| match err {
+                VerifyTentativeDeviceError::WrongCode { retries_left } => {
+                    AuthnMethodConfirmationError::WrongCode { retries_left }
+                }
+                VerifyTentativeDeviceError::DeviceRegistrationModeOff => {
+                    AuthnMethodConfirmationError::RegistrationModeOff
+                }
+                VerifyTentativeDeviceError::NoDeviceToVerify => {
+                    AuthnMethodConfirmationError::NoAuthnMethodToConfirm
+                }
+            })?;
+
+        if let Some(confirmed_device) = maybe_confirmed_device {
+            // Add device to anchor with bookkeeping if it has been confirmed
+            anchor_management::activity_bookkeeping(&mut anchor, &authorization_key);
+            let operation = anchor_management::add_device(&mut anchor, confirmed_device);
+            state::storage_borrow_mut(|storage| storage.update(anchor)).map_err(|err| {
+                AuthnMethodConfirmationError::InternalCanisterError(err.to_string())
+            })?;
+            anchor_management::post_operation_bookkeeping(identity_number, operation);
         }
+
+        Ok(())
     }
 
     #[query]