You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
46 lines
1.9 KiB
Markdown
46 lines
1.9 KiB
Markdown
6 years ago
|
# Soft Remote Logout Proposal
|
||
|
|
||
|
## Motivation
|
||
|
|
||
|
Currently when a user logs out of riot, the app will destroy things like
|
||
|
encryption keys. If the logout was done by the user in local app then it will
|
||
|
have first prompted the user to export the encryption keys. However, when the
|
||
|
app is logged out remotely (i.e. it received a 401 from the server) there is no
|
||
|
opportunity to ask the user to backup the keys, resulting in those keys being
|
||
|
lost.
|
||
|
|
||
|
While this behaviour is useful in many circumstances, e.g. remote logging out a
|
||
|
stolen/lost device, it also means that the server shouldn't automatically
|
||
|
log out devices, to avoid users losing encryption keys.
|
||
|
|
||
|
|
||
|
## Proposal
|
||
|
|
||
|
A new parameter is added to the JSON body of 401 responses, called
|
||
|
`soft_logout`. This is a boolean flag (defaulting to `false`) that signals to
|
||
|
the client whether it should keep local data and simply prompt to reauth (when
|
||
|
`true`) or to destroy the current data like it does today (when `false`).
|
||
|
|
||
|
The major disadvantage with this approach is that once the client is logged
|
||
|
out, the user can no longer remotely cause the client to destroy the local
|
||
|
data. However, this is not substantially different from today where the app has
|
||
|
to be opened to receive remote logout requests (via 401), as it allows
|
||
|
attackers to get at encryption keys even after remote logout if they simply
|
||
|
avoid opening the app.
|
||
|
|
||
|
|
||
|
### Example Client UX
|
||
|
|
||
|
When handling a soft logout the client could show a "re-login" dialogue, rather
|
||
|
than back to the default logged out screen. This new dialogue would then have
|
||
|
several options including logging out, exporting keys and logging out fully.
|
||
|
|
||
|
|
||
|
## Alternatives
|
||
|
|
||
|
One alternative is to force the user to enter a password for backing up keys
|
||
|
when they enter the app, and then have the app keep secure backups of they
|
||
|
keys. This then means its safer to not delete the secure backups when the app
|
||
|
is logged out remotely.
|
||
|
|