fix: do not send Secure-Join-Group in vg-request

Secure-Join-Group is only expected by old core in vg-request-with-auth. There is no reason to leak group ID in unencrypted vg-request. Besides that, Secure-Join-Group is deprecated as Alice knows Group ID corresponding to the auth code, so the header can be removed completely eventually.
2026-04-02 05:22:14 +03:00 · 2024-02-13 01:33:02 +00:00
parent 4ccd2b8d02
commit 8d09291d1e
3 changed files with 21 additions and 6 deletions
--- a/src/param.rs
+++ b/src/param.rs
@@ -87,7 +87,7 @@ pub enum Param {
    /// `Secure-Join-Fingerprint` header for `{vc,vg}-request-with-auth` messages.
    Arg3 = b'G',

-    /// For Messages
+    /// Deprecated `Secure-Join-Group` header for messages.
    Arg4 = b'H',

    /// For Messages
--- a/src/securejoin.rs
+++ b/src/securejoin.rs
@@ -1125,6 +1125,14 @@ mod tests {
        assert_eq!(msg.get_header(HeaderDef::SecureJoin).unwrap(), "vg-request");
        assert!(msg.get_header(HeaderDef::SecureJoinInvitenumber).is_some());

+        // Old Delta Chat core sent `Secure-Join-Group` header in `vg-request`,
+        // but it was only used by Alice in `vg-request-with-auth`.
+        // New Delta Chat versions do not use `Secure-Join-Group` header at all
+        // and it is deprecated.
+        // Now `Secure-Join-Group` header
+        // is only sent in `vg-request-with-auth` for compatibility.
+        assert!(msg.get_header(HeaderDef::SecureJoinGroup).is_none());
+
        // Step 3: Alice receives vg-request, sends vg-auth-required
        alice.recv_msg(&sent).await;

--- a/src/securejoin/bobstate.rs
+++ b/src/securejoin/bobstate.rs
@@ -378,14 +378,21 @@ async fn send_handshake_message(
            // Sends our own fingerprint in the Secure-Join-Fingerprint header.
            let bob_fp = load_self_public_key(context).await?.fingerprint();
            msg.param.set(Param::Arg3, bob_fp.hex());
+
+            // Sends the grpid in the Secure-Join-Group header.
+            //
+            // `Secure-Join-Group` header is deprecated,
+            // but old Delta Chat core requires that Alice receives it.
+            //
+            // Previous Delta Chat core also sent `Secure-Join-Group` header
+            // in `vg-request` messages,
+            // but it was not used on the receiver.
+            if let QrInvite::Group { ref grpid, .. } = invite {
+                msg.param.set(Param::Arg4, grpid);
+            }
        }
    };

-    // Sends the grpid in the Secure-Join-Group header.
-    if let QrInvite::Group { ref grpid, .. } = invite {
-        msg.param.set(Param::Arg4, grpid);
-    }
-
    chat::send_msg(context, chat_id, &mut msg).await?;
    Ok(())
 }