Merge branch 'feature/6790_jwt_token_handling_expired' into 'develop'

feat: check jwt token on app start (MESSENGER-6790) See merge request bwmessenger/bundesmessenger/bundesmessenger-ios!425
2026-04-16 06:28:27 +02:00 · 2025-02-13 11:12:25 +00:00
parent e8549a36ce 2d948834eb
commit 790a7102b8
5 changed files with 93 additions and 8 deletions
--- a/Riot/Modules/Application/LegacyAppDelegate.h
+++ b/Riot/Modules/Application/LegacyAppDelegate.h
@@ -72,6 +72,10 @@ UINavigationControllerDelegate

@property (strong, nonatomic) UIAlertController *errorNotification;

+// BWI: #6790
+@property (strong, nonatomic) UIAlertController *serverNotAllowedAlertController;
+// BWI #6790 END
+
@property (strong, nonatomic) NSString *appVersion;
@property (strong, nonatomic) NSString *build;

--- a/Riot/Modules/Application/LegacyAppDelegate.m
+++ b/Riot/Modules/Application/LegacyAppDelegate.m
@@ -505,6 +505,18 @@ NSString *const AppDelegateUniversalLinkDidChangeNotification = @"AppDelegateUni
    
    [self setupAppConfig];
    
+    // BWI: #6790 check if active session is available
+    if ([self.mxSessions count] > 0)
+    {
+        // Check url savety for homeserver url
+        NSString *homeServerURL = [[[self.mxSessions firstObject] matrixRestClient] homeserver];
+        if (homeServerURL)
+        {
+            [self checkUrlSavetyWithURL: homeServerURL];
+        }
+    }
+    // BWI #6790 END
+    
    return YES;
 }

@@ -533,6 +545,14 @@ NSString *const AppDelegateUniversalLinkDidChangeNotification = @"AppDelegateUni
        self.errorNotification = nil;
    }
    
+    // BWI: #6790
+    if (self.serverNotAllowedAlertController)
+    {
+        [self.serverNotAllowedAlertController dismissViewControllerAnimated:NO completion:nil];
+        self.serverNotAllowedAlertController = nil;
+    }
+    // BWI #6790 END
+
    if (accountPicker)
    {
        [accountPicker dismissViewControllerAnimated:NO completion:nil];
@@ -4342,6 +4362,60 @@ NSString *const AppDelegateUniversalLinkDidChangeNotification = @"AppDelegateUni
    }
 }

+#pragma mark - App login protection
+// BWI: #6790 Check url savety for homeserver url on app start
+- (void)checkUrlSavetyWithURL:(NSString *)serverURL {
+    if (BWIBuildSettings.shared.bwiEnableLoginProtection || BWIBuildSettings.shared.bwiEnableTokenizedLoginProtection) {
+        LoginProtectionService *protectionService = [LoginProtectionService new];
+        protectionService.hashes = BWIBuildSettings.shared.bwiHashes;
+        
+        MXWeakify(self);
+        [protectionService isValid:serverURL ignoreNetworkConnectionLost:YES completionHandler:^(BOOL isVaild) {
+            if (!isVaild) {
+                dispatch_async(dispatch_get_main_queue(), ^{
+                    MXStrongifyAndReturnIfNil(self);
+                    
+                    if (self.setPinCoordinatorBridgePresenter)
+                    {
+                        [self.setPinCoordinatorBridgePresenter dismissWithMainAppWindow:self.window];
+                        self.setPinCoordinatorBridgePresenter = nil;
+                    }
+                    
+                    // Force logout
+                    [self logoutWithConfirmation:NO completion:^(BOOL isLoggedOut) {
+                        if (isLoggedOut)
+                        {
+                            // Show error Alert
+                            [self->_serverNotAllowedAlertController dismissViewControllerAnimated:NO completion:nil];
+
+                            self->_serverNotAllowedAlertController = [UIAlertController alertControllerWithTitle:[BWIL10n authenticationServerSelectionServerDeniedTitle] message:[BWIL10n authenticationServerSelectionServerDeniedMessage] preferredStyle:UIAlertControllerStyleAlert];
+                            
+                            // Open bum advertizementURL
+                            [self->_serverNotAllowedAlertController addAction:[UIAlertAction actionWithTitle:[BWIL10n authenticationServerSelectionServerDeniedAdvertizementWebsiteButton]
+                                                                                   style:UIAlertActionStyleDefault
+                                                                                 handler:^(UIAlertAction * action) {
+                                NSURL *url = [[NSURL alloc] initWithString:BWIBuildSettings.shared.bumAdvertizementURLString];
+                                [[UIApplication sharedApplication] vc_open:url completionHandler:nil];
+                            }]];
+                            
+                            // Close dialog
+                            [self->_serverNotAllowedAlertController addAction:[UIAlertAction actionWithTitle:[VectorL10n ok]
+                                                                                   style:UIAlertActionStyleDefault
+                                                                                       handler:^(UIAlertAction * action) {
+                                [AppDelegate theDelegate].errorNotification = nil;
+                            }]];
+                            
+                            [self->_serverNotAllowedAlertController mxk_setAccessibilityIdentifier:@"AppDelegateErrorAlertServerVerificationFailed"];
+                            [self showNotificationAlert:self->_serverNotAllowedAlertController];
+                        }
+                    }];
+                });
+            }
+        }];
+    }
+}
+// BWI #6790 END
+
 #pragma mark - App version management

 - (void)checkAppVersion
--- a/bwi/AppConfig/AppConfigService.swift
+++ b/bwi/AppConfig/AppConfigService.swift
@@ -120,7 +120,7 @@ extension UserDefaults
    
    func handleAppConfig() async {
        if let dict = UserDefaults.standard.dictionary(forKey: configKey) {
-            // only compute if serverURL has not changed (this may need to be changed on Adminportal integration
+            // only compute if serverURL has changed (this may need to be changed on Adminportal integration
            if !isSameConfig(dict: dict) {
                var config = AppConfig()
                
--- a/bwi/LoginProtection/LoginProtectionService.swift
+++ b/bwi/LoginProtection/LoginProtectionService.swift
@@ -21,7 +21,7 @@ import CryptoKit
@objcMembers class LoginProtectionService : NSObject {
    var hashes: [String]?
    
-    @objc func isValid(_ homeserverAddress: String) async -> Bool {
+    @objc func isValid(_ homeserverAddress: String, ignoreNetworkConnectionLost: Bool = false) async -> Bool {
        // bwi #6162 a homeserveraddress is valid when there is either
        // a) no homeserver protection (bwm)
        // b) tokenized protection and there is a valid token
@@ -36,8 +36,12 @@ import CryptoKit
            
            let tokens = await tokenVerificator.fetchToken(baseURL: homeserverAddress)
            
-            if let tokens = tokens {
-                validHomeserver = tokenVerificator.verifyToken(baseURL: homeserverAddress, tokens: tokens)
+            if tokens == nil && ignoreNetworkConnectionLost {
+                validHomeserver = true
+            } else {
+                if let tokens = tokens, !tokens.isEmpty {
+                    validHomeserver = tokenVerificator.verifyToken(baseURL: homeserverAddress, tokens: tokens)
+                }
            }
        }
        
--- a/bwi/TokenVerification/TokenVerificator.swift
+++ b/bwi/TokenVerification/TokenVerificator.swift
@@ -21,8 +21,8 @@ import SwiftJWT
 struct ServerTokenClaims: Claims {
    let issuer: String
    let sub: String
-    let exp: Int
-    let iat: Int
+    let exp: Date?
+    let iat: Date?
    let jti: String
    let version: Int
 }
@@ -80,8 +80,11 @@ struct ServerTokenVerificator {
            let fetchedStrings = try JSONDecoder().decode([String].self, from: data)
            
            return fetchedStrings
-        } catch {
-            return nil
+        } catch (let error) {
+            if let error = error as? URLError, error.code == .notConnectedToInternet {
+                return nil
+            }
+            return [String]()
        }
    }