matrix_sdk/encryption/recovery/
mod.rs

1// Copyright 2023 The Matrix.org Foundation C.I.C.
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! The recovery module
16//!
17//! The recovery module attempts to provide a unified and simplified view over
18//! the secret storage and backup subsystems.
19//!
20//! **Note**: If you are using this module, do not use the [`SecretStorage`] and
21//! [`Backups`] subsystems directly. This module makes assumptions that might be
22//! broken by the direct usage of the respective lower level modules.
23//!
24//! **Note**: The term Recovery used in this submodule is not the same as the
25//! [`Recovery key`] mentioned in the spec. The recovery key from the spec is
26//! solely about backups, while the term recovery in this file includes both the
27//! backups and the secret storage subsystems. The recovery key mentioned in
28//! this file is the secret storage key.
29//!
30//! You should configure your client to bootstrap cross-signing automatically
31//! and may choose to let your client automatically create a backup, if it
32//! doesn't exist, as well:
33//!
34//! ```no_run
35//! use matrix_sdk::{encryption::EncryptionSettings, Client};
36//!
37//! # async {
38//! # let homeserver = "http://example.org";
39//! let client = Client::builder()
40//!     .homeserver_url(homeserver)
41//!     .with_encryption_settings(EncryptionSettings {
42//!         auto_enable_cross_signing: true,
43//!         auto_enable_backups: true,
44//!         ..Default::default()
45//!     })
46//!     .build()
47//!     .await?;
48//! # anyhow::Ok(()) };
49//! ```
50//!
51//! # Examples
52//!
53//! For a newly registered user you will want to enable recovery, either
54//! immediately or before the user logs out.
55//!
56//! ```no_run
57//! # use matrix_sdk::{Client, encryption::recovery::EnableProgress};
58//! # use url::Url;
59//! # async {
60//! # let homeserver = Url::parse("http://example.com")?;
61//! # let client = Client::new(homeserver).await?;
62//! let recovery = client.encryption().recovery();
63//!
64//! // Create a new recovery key, you can use the provided passphrase, or the returned recovery key
65//! // to recover.
66//! let recovery_key = recovery
67//!     .enable()
68//!     .wait_for_backups_to_upload()
69//!     .with_passphrase("my passphrase")
70//!     .await;
71//! # anyhow::Ok(()) };
72//! ```
73//!
74//! If the user logs in with another device, you'll want to let the user recover
75//! its secrets by entering the recovery key or recovery passphrase.
76//!
77//! ```no_run
78//! # use matrix_sdk::{Client, encryption::recovery::EnableProgress};
79//! # use url::Url;
80//! # async {
81//! # let homeserver = Url::parse("http://example.com")?;
82//! # let client = Client::new(homeserver).await?;
83//! let recovery = client.encryption().recovery();
84//!
85//! // Create a new recovery key, you can use the provided passphrase, or the returned recovery key
86//! // to recover.
87//! recovery.recover("my recovery key or passphrase").await;
88//! # anyhow::Ok(()) };
89//! ```
90//!
91//! [`Recovery key`]: https://spec.matrix.org/v1.8/client-server-api/#recovery-key
92
93use futures_core::{Future, Stream};
94use futures_util::StreamExt as _;
95use ruma::{
96    api::client::keys::get_keys,
97    events::{
98        secret::{request::SecretName, send::ToDeviceSecretSendEvent},
99        secret_storage::{default_key::SecretStorageDefaultKeyEvent, secret::SecretEventContent},
100        GlobalAccountDataEventType,
101    },
102    serde::Raw,
103};
104use serde_json::{json, value::to_raw_value};
105use tracing::{error, info, instrument, warn};
106
107#[cfg(doc)]
108use crate::encryption::{
109    backups::Backups,
110    secret_storage::{SecretStorage, SecretStore},
111};
112use crate::{client::WeakClient, encryption::backups::BackupState, Client};
113
114pub mod futures;
115mod types;
116pub use self::types::{EnableProgress, RecoveryError, RecoveryState, Result};
117use self::{
118    futures::{Enable, RecoverAndReset, Reset},
119    types::{BackupDisabledContent, SecretStorageDisabledContent},
120};
121use crate::encryption::{AuthData, CrossSigningResetAuthType, CrossSigningResetHandle};
122
123/// The recovery manager for the [`Client`].
124#[derive(Debug)]
125pub struct Recovery {
126    pub(super) client: Client,
127}
128
129impl Recovery {
130    /// The list of known secrets that are contained in secret storage once
131    /// recover is enabled.
132    pub const KNOWN_SECRETS: &[SecretName] = &[
133        SecretName::CrossSigningMasterKey,
134        SecretName::CrossSigningUserSigningKey,
135        SecretName::CrossSigningSelfSigningKey,
136        SecretName::RecoveryKey,
137    ];
138
139    /// Get the current [`RecoveryState`] for this [`Client`].
140    pub fn state(&self) -> RecoveryState {
141        self.client.inner.e2ee.recovery_state.get()
142    }
143
144    /// Get a stream of updates to the [`RecoveryState`].
145    ///
146    /// This method will send out the current state as the first update.
147    ///
148    /// # Examples
149    ///
150    /// ```no_run
151    /// # use matrix_sdk::{Client, encryption::recovery::RecoveryState};
152    /// # use url::Url;
153    /// # async {
154    /// # let homeserver = Url::parse("http://example.com")?;
155    /// # let client = Client::new(homeserver).await?;
156    /// use futures_util::StreamExt;
157    ///
158    /// let recovery = client.encryption().recovery();
159    ///
160    /// let mut state_stream = recovery.state_stream();
161    ///
162    /// while let Some(update) = state_stream.next().await {
163    ///     match update {
164    ///         RecoveryState::Enabled => {
165    ///             println!("Recovery has been enabled");
166    ///         }
167    ///         _ => (),
168    ///     }
169    /// }
170    /// # anyhow::Ok(()) };
171    /// ```
172    pub fn state_stream(&self) -> impl Stream<Item = RecoveryState> {
173        self.client.inner.e2ee.recovery_state.subscribe_reset()
174    }
175
176    /// Enable secret storage *and* backups.
177    ///
178    /// This method will create a new secret storage key and a new backup if one
179    /// doesn't already exist. It will then upload all the locally cached
180    /// secrets, including the backup recovery key, to the new secret store.
181    ///
182    /// This method will throw an error if a backup already exists on the
183    /// homeserver but this [`Client`] isn't connected to the existing backup.
184    ///
185    /// # Examples
186    ///
187    /// ```no_run
188    /// # use matrix_sdk::{Client, encryption::recovery::EnableProgress};
189    /// # use url::Url;
190    /// # async {
191    /// # let homeserver = Url::parse("http://example.com")?;
192    /// # let client = Client::new(homeserver).await?;
193    /// use futures_util::StreamExt;
194    ///
195    /// let recovery = client.encryption().recovery();
196    ///
197    /// let enable = recovery
198    ///     .enable()
199    ///     .wait_for_backups_to_upload()
200    ///     .with_passphrase("my passphrase");
201    ///
202    /// let mut progress_stream = enable.subscribe_to_progress();
203    ///
204    /// tokio::spawn(async move {
205    ///     while let Some(update) = progress_stream.next().await {
206    ///         let Ok(update) = update else {
207    ///             panic!("Update to the enable progress lagged")
208    ///         };
209    ///
210    ///         match update {
211    ///             EnableProgress::CreatingBackup => {
212    ///                 println!("Creating a new backup");
213    ///             }
214    ///             EnableProgress::CreatingRecoveryKey => {
215    ///                 println!("Creating a new recovery key");
216    ///             }
217    ///             EnableProgress::Done { .. } => {
218    ///                 println!("Recovery has been enabled");
219    ///                 break;
220    ///             }
221    ///             _ => (),
222    ///         }
223    ///     }
224    /// });
225    ///
226    /// let recovery_key = enable.await?;
227    ///
228    /// # anyhow::Ok(()) };
229    /// ```
230    #[instrument(skip_all)]
231    pub fn enable(&self) -> Enable<'_> {
232        Enable::new(self)
233    }
234
235    /// Create a new backup if one does not exist yet.
236    ///
237    /// This method will throw an error if a backup already exists on the
238    /// homeserver but this [`Client`] isn't connected to the existing backup.
239    ///
240    /// # Examples
241    ///
242    /// ```no_run
243    /// # use matrix_sdk::{Client, encryption::backups::BackupState};
244    /// # use url::Url;
245    /// # async {
246    /// # let homeserver = Url::parse("http://example.com")?;
247    /// # let client = Client::new(homeserver).await?;
248    /// let recovery = client.encryption().recovery();
249    ///
250    /// recovery.enable_backup().await?;
251    ///
252    /// assert_eq!(client.encryption().backups().state(), BackupState::Enabled);
253    ///
254    /// # anyhow::Ok(()) };
255    /// ```
256    #[instrument(skip_all)]
257    pub async fn enable_backup(&self) -> Result<()> {
258        if !self.client.encryption().backups().fetch_exists_on_server().await? {
259            self.mark_backup_as_enabled().await?;
260
261            self.client.encryption().backups().create().await?;
262            self.client.encryption().backups().maybe_trigger_backup();
263
264            Ok(())
265        } else {
266            Err(RecoveryError::BackupExistsOnServer)
267        }
268    }
269
270    /// Disable recovery completely.
271    ///
272    /// This method will do the following steps:
273    ///
274    /// 1. Disable the uploading of room keys to a currently active backup.
275    /// 2. Delete the currently active backup.
276    /// 3. Set the `m.secret_storage.default_key` global account data event to
277    ///    an empty JSON content.
278    /// 4. Set a global account data event so clients won't attempt to
279    ///    automatically re-enable a backup.
280    ///
281    /// # Examples
282    ///
283    /// ```no_run
284    /// # use matrix_sdk::{Client, encryption::recovery::RecoveryState};
285    /// # use url::Url;
286    /// # async {
287    /// # let homeserver = Url::parse("http://example.com")?;
288    /// # let client = Client::new(homeserver).await?;
289    /// let recovery = client.encryption().recovery();
290    ///
291    /// recovery.disable().await?;
292    ///
293    /// assert_eq!(recovery.state(), RecoveryState::Disabled);
294    ///
295    /// # anyhow::Ok(()) };
296    /// ```
297    #[instrument(skip_all)]
298    pub async fn disable(&self) -> Result<()> {
299        self.client.encryption().backups().disable().await?;
300
301        // Why oh why, can't we delete account data events?
302        //
303        // Alright, let's attempt to "delete" the content of our current default key,
304        // for this we first need to check if there is a default key, then
305        // deserialize the content and find out the key ID.
306        //
307        // Then we finally set the event to an empty JSON content.
308        if let Ok(Some(default_event)) =
309            self.client.encryption().secret_storage().fetch_default_key_id().await
310        {
311            if let Ok(default_event) = default_event.deserialize() {
312                let key_id = default_event.key_id;
313                let event_type = GlobalAccountDataEventType::SecretStorageKey(key_id);
314
315                self.client
316                    .account()
317                    .set_account_data_raw(
318                        event_type,
319                        Raw::new(&json!({})).expect("").cast_unchecked(),
320                    )
321                    .await?;
322            }
323        }
324
325        // Now let's "delete" the actual `m.secret.storage.default_key` event.
326        self.client.account().set_account_data(SecretStorageDisabledContent {}).await?;
327        // Make sure that we don't re-enable backups automatically.
328        self.client.account().set_account_data(BackupDisabledContent { disabled: true }).await?;
329        // Finally, "delete" all the known secrets we have in the account data.
330        self.delete_all_known_secrets().await?;
331
332        self.update_recovery_state().await?;
333
334        Ok(())
335    }
336
337    /// Reset the recovery key.
338    ///
339    /// This will rotate the secret storage key and re-upload all the secrets to
340    /// the [`SecretStore`].
341    ///
342    /// # Examples
343    ///
344    /// ```no_run
345    /// # use matrix_sdk::{Client, encryption::recovery::RecoveryState};
346    /// # use url::Url;
347    /// # async {
348    /// # let homeserver = Url::parse("http://example.com")?;
349    /// # let client = Client::new(homeserver).await?;
350    /// let recovery = client.encryption().recovery();
351    ///
352    /// let new_recovery_key =
353    ///     recovery.reset_key().with_passphrase("my passphrase").await;
354    /// # anyhow::Ok(()) };
355    /// ```
356    #[instrument(skip_all)]
357    pub fn reset_key(&self) -> Reset<'_> {
358        // TODO: Should this only be possible if we're in the RecoveryState::Enabled
359        // state? Otherwise we'll create a new secret store but won't be able to
360        // upload all the secrets.
361        Reset::new(self)
362    }
363
364    /// Reset the recovery key but first import all the secrets from secret
365    /// storage.
366    ///
367    /// # Examples
368    ///
369    /// ```no_run
370    /// # use matrix_sdk::{Client, encryption::recovery::RecoveryState};
371    /// # use url::Url;
372    /// # async {
373    /// # let homeserver = Url::parse("http://example.com")?;
374    /// # let client = Client::new(homeserver).await?;
375    /// let recovery = client.encryption().recovery();
376    ///
377    /// let new_recovery_key = recovery
378    ///     .recover_and_reset("my old passphrase or key")
379    ///     .with_passphrase("my new passphrase")
380    ///     .await?;
381    /// # anyhow::Ok(()) };
382    /// ```
383    #[instrument(skip_all)]
384    pub fn recover_and_reset<'a>(&'a self, old_key: &'a str) -> RecoverAndReset<'a> {
385        RecoverAndReset::new(self, old_key)
386    }
387
388    /// Completely reset the current user's crypto identity.
389    /// This method will go through the following steps:
390    ///
391    /// 1. Disable backing up room keys and delete the active backup
392    /// 2. Disable recovery and delete secret storage
393    /// 3. Go through the cross-signing key reset flow
394    /// 4. Finally, re-enable key backups (only if they were already enabled)
395    ///
396    /// Disclaimer: failures in this flow will potentially leave the user in
397    /// an inconsistent state but they're expected to just run the reset flow
398    /// again as presumably the reason they started it to begin with was
399    /// that they no longer had access to any of their data.
400    ///
401    /// # Examples
402    ///
403    /// ```no_run
404    /// # use matrix_sdk::{
405    ///     encryption::recovery, encryption::CrossSigningResetAuthType, ruma::api::client::uiaa,
406    ///     Client,
407    ///   };
408    /// # use url::Url;
409    /// # async {
410    /// # let homeserver = Url::parse("http://example.com")?;
411    /// # let client = Client::new(homeserver).await?;
412    /// # let user_id = unimplemented!();
413    /// let encryption = client.encryption();
414    ///
415    /// if let Some(handle) = encryption.recovery().reset_identity().await? {
416    ///     match handle.auth_type() {
417    ///         CrossSigningResetAuthType::Uiaa(uiaa) => {
418    ///             let password = "1234".to_owned();
419    ///             let mut password = uiaa::Password::new(user_id, password);
420    ///             password.session = uiaa.session;
421    ///
422    ///             handle.reset(Some(uiaa::AuthData::Password(password))).await?;
423    ///         }
424    ///         CrossSigningResetAuthType::OAuth(o) => {
425    ///             println!(
426    ///                 "To reset your end-to-end encryption cross-signing identity, \
427    ///                 you first need to approve it at {}",
428    ///                 o.approval_url
429    ///             );
430    ///             handle.reset(None).await?;
431    ///         }
432    ///     }
433    /// }
434    /// # anyhow::Ok(()) };
435    /// ```
436    pub async fn reset_identity(&self) -> Result<Option<IdentityResetHandle>> {
437        self.client.encryption().backups().disable_and_delete().await?; // 1.
438
439        // 2. (We can't delete account data events)
440        self.client.account().set_account_data(SecretStorageDisabledContent {}).await?;
441        self.client.encryption().recovery().update_recovery_state().await?;
442
443        let cross_signing_reset_handle = self.client.encryption().reset_cross_signing().await?;
444
445        if let Some(handle) = cross_signing_reset_handle {
446            // Authentication required, backups will be re-enabled after the reset
447            Ok(Some(IdentityResetHandle {
448                client: self.client.clone(),
449                cross_signing_reset_handle: handle,
450            }))
451        } else {
452            // No authentication required, re-enable backups
453            if self.client.encryption().recovery().should_auto_enable_backups().await? {
454                self.client.encryption().recovery().enable_backup().await?; // 4.
455            }
456
457            Ok(None)
458        }
459    }
460
461    /// Recover all the secrets from the homeserver.
462    ///
463    /// This method is a convenience method around the
464    /// [`SecretStore::import_secrets()`] method, please read the documentation
465    /// of this method for more information about what happens if you call
466    /// this method.
467    ///
468    /// In short, this method will turn a newly created [`Client`] into a fully
469    /// end-to-end encryption enabled client.
470    ///
471    /// # Examples
472    ///
473    /// ```no_run
474    /// # use matrix_sdk::{Client, encryption::recovery::RecoveryState};
475    /// # use url::Url;
476    /// # async {
477    /// # let homeserver = Url::parse("http://example.com")?;
478    /// # let client = Client::new(homeserver).await?;
479    /// let recovery = client.encryption().recovery();
480    ///
481    /// recovery.recover("my recovery key or passphrase").await;
482    ///
483    /// assert_eq!(recovery.state(), RecoveryState::Enabled);
484    /// # anyhow::Ok(()) };
485    /// ```
486    #[instrument(skip_all)]
487    pub async fn recover(&self, recovery_key: &str) -> Result<()> {
488        let store =
489            self.client.encryption().secret_storage().open_secret_store(recovery_key).await?;
490
491        store.import_secrets().await?;
492        self.update_recovery_state().await?;
493
494        Ok(())
495    }
496
497    /// Is this device the last device the user has?
498    ///
499    /// This method is useful to check if we should recommend to the user that
500    /// they should enable recovery, typically done before logging out.
501    ///
502    /// If the user does not enable recovery before logging out of their last
503    /// device, they will not be able to decrypt historic messages once they
504    /// create a new device.
505    pub async fn is_last_device(&self) -> Result<bool> {
506        let olm_machine = self.client.olm_machine().await;
507        let olm_machine = olm_machine.as_ref().ok_or(crate::Error::NoOlmMachine)?;
508        let user_id = olm_machine.user_id();
509
510        self.client.encryption().ensure_initial_key_query().await?;
511
512        let devices = self.client.encryption().get_user_devices(user_id).await?;
513
514        Ok(devices.devices().count() == 1)
515    }
516
517    /// Did we correctly set up cross-signing and backups?
518    async fn all_known_secrets_available(&self) -> Result<bool> {
519        // Cross-signing state is fine if we have all the private cross-signing keys, as
520        // indicated in the status.
521        let cross_signing_complete = self
522            .client
523            .encryption()
524            .cross_signing_status()
525            .await
526            .map(|status| status.is_complete());
527        if !cross_signing_complete.unwrap_or_default() {
528            return Ok(false);
529        }
530
531        // The backup state is fine if we have backups enabled locally, or if backups
532        // have been marked as disabled.
533        if self.client.encryption().backups().are_enabled().await {
534            Ok(true)
535        } else {
536            self.are_backups_marked_as_disabled().await
537        }
538    }
539
540    async fn should_auto_enable_backups(&self) -> Result<bool> {
541        // If we didn't already enable backups, we don't see a backup version on the
542        // server, and finally if backups have not been marked to be explicitly
543        // disabled, then we can automatically enable them.
544        Ok(self.client.inner.e2ee.encryption_settings.auto_enable_backups
545            && !self.client.encryption().backups().are_enabled().await
546            && !self.client.encryption().backups().fetch_exists_on_server().await?
547            && !self.are_backups_marked_as_disabled().await?)
548    }
549
550    pub(crate) async fn setup(&self) -> Result<()> {
551        info!("Setting up account data listeners and trying to setup recovery");
552
553        self.client.add_event_handler(Self::default_key_event_handler);
554        self.client.add_event_handler(Self::secret_send_event_handler);
555        self.client.inner.e2ee.initialize_recovery_state_update_task(&self.client);
556
557        self.update_recovery_state().await?;
558
559        if self.should_auto_enable_backups().await? {
560            info!("Trying to automatically enable backups");
561
562            if let Err(e) = self.enable_backup().await {
563                warn!("Could not automatically enable backups: {e:?}");
564            }
565        }
566
567        Ok(())
568    }
569
570    /// Delete all the known secrets we are keeping in secret storage.
571    ///
572    /// The exact list of secrets is defined in [`Recovery::KNOWN_SECRETS`] and
573    /// might change over time.
574    ///
575    /// Since account data events can't actually be deleted, due to a missing
576    /// DELETE API, we're replacing the events with an empty
577    /// [`SecretEventContent`].
578    async fn delete_all_known_secrets(&self) -> Result<()> {
579        for secret_name in Self::KNOWN_SECRETS {
580            let event_type = GlobalAccountDataEventType::from(secret_name.to_owned());
581            let content = SecretEventContent::new(Default::default());
582            let secret_content = Raw::from_json(
583                to_raw_value(&content)
584                    .expect("We should be able to serialize a raw empty secret event content"),
585            );
586            self.client.account().set_account_data_raw(event_type, secret_content).await?;
587        }
588
589        Ok(())
590    }
591
592    /// Run a network request to figure whether backups have been disabled at
593    /// the account level.
594    async fn are_backups_marked_as_disabled(&self) -> Result<bool> {
595        Ok(self
596            .client
597            .account()
598            .fetch_account_data_static::<BackupDisabledContent>()
599            .await?
600            .map(|event| event.deserialize().map(|event| event.disabled).unwrap_or(false))
601            .unwrap_or(false))
602    }
603
604    async fn mark_backup_as_enabled(&self) -> Result<()> {
605        self.client.account().set_account_data(BackupDisabledContent { disabled: false }).await?;
606
607        Ok(())
608    }
609
610    async fn check_recovery_state(&self) -> Result<RecoveryState> {
611        Ok(if self.client.encryption().secret_storage().is_enabled().await? {
612            if self.all_known_secrets_available().await? {
613                RecoveryState::Enabled
614            } else {
615                RecoveryState::Incomplete
616            }
617        } else {
618            RecoveryState::Disabled
619        })
620    }
621
622    async fn update_recovery_state(&self) -> Result<()> {
623        let new_state = self.check_recovery_state().await?;
624        let old_state = self.client.inner.e2ee.recovery_state.set(new_state);
625
626        if new_state != old_state {
627            info!("Recovery state changed from {old_state:?} to {new_state:?}");
628        }
629
630        Ok(())
631    }
632
633    async fn update_recovery_state_no_fail(&self) {
634        if let Err(e) = self.update_recovery_state().await {
635            error!("Couldn't update the recovery state: {e:?}");
636        }
637    }
638
639    #[instrument]
640    async fn secret_send_event_handler(_: ToDeviceSecretSendEvent, client: Client) {
641        client.encryption().recovery().update_recovery_state_no_fail().await;
642    }
643
644    #[instrument]
645    async fn default_key_event_handler(_: SecretStorageDefaultKeyEvent, client: Client) {
646        client.encryption().recovery().update_recovery_state_no_fail().await;
647    }
648
649    /// Listen for changes in the [`BackupState`] and, if necessary, update the
650    /// [`RecoveryState`] accordingly.
651    ///
652    /// This should not be called directly, this method is put into a background
653    /// task which is always listening for updates in the [`BackupState`].
654    pub(crate) fn update_state_after_backup_state_change(
655        client: &Client,
656    ) -> impl Future<Output = ()> {
657        let mut stream = client.encryption().backups().state_stream();
658        let weak = WeakClient::from_client(client);
659
660        async move {
661            while let Some(update) = stream.next().await {
662                if let Some(client) = weak.get() {
663                    match update {
664                        Ok(update) => {
665                            // The recovery state only cares about these two states, the
666                            // intermediate states that tell us that
667                            // we're creating a backup are not interesting.
668                            if matches!(update, BackupState::Unknown | BackupState::Enabled) {
669                                client
670                                    .encryption()
671                                    .recovery()
672                                    .update_recovery_state_no_fail()
673                                    .await;
674                            }
675                        }
676                        Err(_) => {
677                            // We missed some updates, let's update our state in case something
678                            // changed.
679                            client.encryption().recovery().update_recovery_state_no_fail().await;
680                        }
681                    }
682                } else {
683                    break;
684                }
685            }
686        }
687    }
688
689    #[instrument(skip_all)]
690    pub(crate) async fn update_state_after_keys_query(&self, response: &get_keys::v3::Response) {
691        if let Some(user_id) = self.client.user_id() {
692            if response.master_keys.contains_key(user_id) {
693                // TODO: This is unnecessarily expensive, we could let the crypto crate notify
694                // us that our private keys got erased... But, the OlmMachine
695                // gets recreated and... You know the drill by now...
696                self.update_recovery_state_no_fail().await;
697            }
698        }
699    }
700}
701
702/// A helper struct that handles continues resetting a user's crypto identity
703/// after authentication was required and re-enabling backups (if necessary) at
704/// the end of it
705#[derive(Debug)]
706pub struct IdentityResetHandle {
707    client: Client,
708    cross_signing_reset_handle: CrossSigningResetHandle,
709}
710
711impl IdentityResetHandle {
712    /// Get the underlying [`CrossSigningResetAuthType`] this identity reset
713    /// process is using.
714    pub fn auth_type(&self) -> &CrossSigningResetAuthType {
715        &self.cross_signing_reset_handle.auth_type
716    }
717
718    /// This method will retry to upload the device keys after the previous try
719    /// failed due to required authentication
720    pub async fn reset(&self, auth: Option<AuthData>) -> Result<()> {
721        self.cross_signing_reset_handle.auth(auth).await?;
722
723        if self.client.encryption().recovery().should_auto_enable_backups().await? {
724            self.client.encryption().recovery().enable_backup().await?;
725        }
726
727        Ok(())
728    }
729
730    /// Cancel the ongoing identity reset process
731    pub async fn cancel(&self) {
732        self.cross_signing_reset_handle.cancel().await;
733    }
734}