Redact megolm sessions when device is deleted

2026-03-14 14:25:53 +01:00 · 2023-04-11 12:55:23 +03:00 · 2023-04-11 12:55:23 +03:00 · 43d58fbad2
commit 43d58fbad2
parent 3ee9693d55
3 changed files with 23 additions and 0 deletions
--- a/bridge/crypto.go
+++ b/bridge/crypto.go
@ -99,6 +99,7 @@ func (helper *CryptoHelper) Init() error {
 	helper.mach.RatchetKeysOnDecrypt = encryptionConfig.DeleteKeys.RatchetOnDecrypt
 	helper.mach.DeleteFullyUsedKeysOnDecrypt = encryptionConfig.DeleteKeys.DeleteFullyUsedOnDecrypt
 	helper.mach.DeletePreviousKeysOnReceive = encryptionConfig.DeleteKeys.DeletePrevOnNewSession
+	helper.mach.DeleteKeysOnDeviceDelete = encryptionConfig.DeleteKeys.DeleteOnDeviceDelete

 	helper.client.Syncer = &cryptoSyncer{helper.mach}
 	helper.client.Store = helper.store
--- a/crypto/devicelist.go
+++ b/crypto/devicelist.go
@ -128,6 +128,7 @@ func (mach *OlmMachine) fetchKeys(ctx context.Context, users []id.UserID, sinceT
 			log.Warn().Err(err).Msg("Failed to get existing devices for user")
 			existingDevices = make(map[id.DeviceID]*id.Device)
 		}
+
 		log.Debug().
 			Int("new_device_count", len(devices)).
 			Int("old_device_count", len(existingDevices)).
@ -158,6 +159,26 @@ func (mach *OlmMachine) fetchKeys(ctx context.Context, users []id.UserID, sinceT

 		changed = changed || len(newDevices) != len(existingDevices)
 		if changed {
+			if mach.DeleteKeysOnDeviceDelete {
+				for deviceID := range newDevices {
+					delete(existingDevices, deviceID)
+				}
+				for _, device := range existingDevices {
+					log := log.With().
+						Str("device_id", device.DeviceID.String()).
+						Str("identity_key", device.IdentityKey.String()).
+						Str("signing_key", device.SigningKey.String()).
+						Logger()
+					sessionIDs, err := mach.CryptoStore.RedactGroupSessions("", device.IdentityKey, "device removed")
+					if err != nil {
+						log.Err(err).Msg("Failed to redact megolm sessions from deleted device")
+					} else {
+						log.Info().
+							Strs("session_ids", stringifyArray(sessionIDs)).
+							Msg("Redacted megolm sessions from deleted device")
+					}
+				}
+			}
 			mach.OnDevicesChanged(userID)
 		}
 	}
--- a/crypto/machine.go
+++ b/crypto/machine.go
@ -71,6 +71,7 @@ type OlmMachine struct {
 	DeletePreviousKeysOnReceive  bool
 	RatchetKeysOnDecrypt         bool
 	DeleteFullyUsedKeysOnDecrypt bool
+	DeleteKeysOnDeviceDelete     bool
 }

 // StateStore is used by OlmMachine to get room state information that's needed for encryption.