feat: add server selection protection with jwt (MESSENGER-6162)

2026-04-21 00:52:43 +02:00 · 2024-07-24 15:54:45 +02:00
parent 579e7ddd3c
commit bb60e8f85d
14 changed files with 219 additions and 31 deletions
@@ -212,23 +212,51 @@ struct AuthenticationServerSelectionScreen: View {
    private func submit() {
        guard !viewModel.viewState.hasValidationError else { return }
        
-        if isHomeserverAddressValid(viewModel.homeserverAddress) {
-            viewModel.send(viewAction: .confirm)
-        } else {
-            isInvalidServerAlert = true
-            showAlert = true
+        // bwi #6162 homeserver validation is async now, due to server calls for token validation
+        Task {
+            let verified = await isHomeserverAddressValid(viewModel.homeserverAddress)
+            if verified {
+                viewModel.send(viewAction: .confirm)
+            } else {
+                isInvalidServerAlert = true
+                showAlert = true
+            }
        }
+
    }
         
-    private func isHomeserverAddressValid(_ homeserverAddress: String) -> Bool {
-        if BWIBuildSettings.shared.bwiEnableLoginProtection {
+    private func isHomeserverAddressValid(_ homeserverAddress: String) async -> Bool {
+        
+        // bwi #6162 a homeserveraddress is valid when there is either
+        // a) no homeserver protection (bwm)
+        // b) tokenized protection and there is a valid token
+        // c) hashed protection and there is a valid hash (this will be disabled soon)
+        // d) b) && c) can be combined for now
+        if !BWIBuildSettings.shared.bwiEnableTokenizedLoginProtection && !BWIBuildSettings.shared.bwiEnableLoginProtection {
+            return true
+        }
+        
+        var validHomeserver = false
+        
+        if BWIBuildSettings.shared.bwiEnableTokenizedLoginProtection {
+            
+            let tokenVerificator = ServerTokenVerificator()
+            
+            let token = await tokenVerificator.fetchToken(baseURL: homeserverAddress)
+            
+            if let token = token {
+                validHomeserver = tokenVerificator.verifyToken(baseURL: homeserverAddress, token: token)
+            }
+        }
+        
+        if BWIBuildSettings.shared.bwiEnableLoginProtection && !validHomeserver {
            let protectionService = LoginProtectionService()
            protectionService.hashes = BWIBuildSettings.shared.bwiHashes
            
-            return protectionService.isValid(homeserverAddress)
-        } else {
-            return true
+            validHomeserver = protectionService.isValid(homeserverAddress)
        }
+        
+        return validHomeserver
    }
    
    /// bwi: jump directly into the iOS settings app to allow camera access