feat: Delete vg-request-with-auth from IMAP after processing (#6208)

In multi-device case `vg-request-with-auth` left on IMAP may result in situation when Bob joins the group, then leaves it, then second Alice device comes online and processes `vg-request-with-auth` again and adds Bob back. So we should IMAP-delete `vg-request-with-auth`. Another device will know the Bob's key from Autocrypt-Gossip. It's not a problem if Alice loses state (restores from an old backup) or goes offline for long before sending `vg-member-added`, anyway it may not be delivered by the server, rather Bob should retry sending SecureJoin messages as he is a part which wants to join, so let's not solve this for now.
2026-04-24 08:56:29 +03:00 · 2024-12-25 13:55:35 -03:00
parent 3d9aee1368
commit f61d5af468
3 changed files with 15 additions and 6 deletions
--- a/src/securejoin.rs
+++ b/src/securejoin.rs
@@ -454,6 +454,9 @@ pub(crate) async fn handle_securejoin_handshake(
                    .await?;
                inviter_progress(context, contact_id, 800);
                inviter_progress(context, contact_id, 1000);
+                // IMAP-delete the message to avoid handling it by another device and adding the
+                // member twice. Another device will know the member's key from Autocrypt-Gossip.
+                Ok(HandshakeMessage::Done)
            } else {
                // Setup verified contact.
                secure_connection_established(
@@ -468,8 +471,8 @@ pub(crate) async fn handle_securejoin_handshake(
                    .context("failed sending vc-contact-confirm message")?;

                inviter_progress(context, contact_id, 1000);
+                Ok(HandshakeMessage::Ignore) // "Done" would delete the message and break multi-device (the key from Autocrypt-header is needed)
            }
-            Ok(HandshakeMessage::Ignore) // "Done" would delete the message and break multi-device (the key from Autocrypt-header is needed)
        }
        /*=======================================================
        ====             Bob - the joiner's side             ====
@@ -1353,6 +1356,8 @@ mod tests {
        // explicit user action, the Auto-Submitted header shouldn't be present. Otherwise it would
        // be strange to have it in "member-added" messages of verified groups only.
        assert!(msg.get_header(HeaderDef::AutoSubmitted).is_none());
+        // This is a two-member group, but Alice must Autocrypt-gossip to her other devices.
+        assert!(msg.get_header(HeaderDef::AutocryptGossip).is_some());

        {
            // Now Alice's chat with Bob should still be hidden, the verified message should