feat(sdk): Keep track of whether the access token is expired

This will allow to handle automatically whether to send an access token
or not on endpoints that don't require it in contexts were can't refresh
it.

We also don't cache calls to GET /versions that were not authenticated,
because they might lack some features compared to an authenticated
request.

Signed-off-by: Kévin Commaille <[email protected]>

Author: zecakeh

crates/matrix-sdk/src/authentication/mod.rs

@@ -48,6 +48,20 @@ impl fmt::Debug for SessionTokens {
     }
 }
 
+/// The tokens for a user session and their state.
+pub(crate) struct SessionTokensState {
+    /// The inner tokens.
+    inner: SessionTokens,
+
+    /// Whether the access token is expired.
+    ///
+    /// We keep track of this information here, rather than dropping the access
+    /// token, because we still want to make most requests with the expired
+    /// access token to try to refresh it, or wait for it to be refreshed. If we
+    /// make a request without the access token we will get the wrong error.
+    access_token_expired: bool,
+}
+
 pub(crate) type SessionCallbackError = Box<dyn std::error::Error + Send + Sync>;
 
 #[cfg(not(target_family = "wasm"))]
@@ -83,8 +97,8 @@ pub(crate) struct AuthCtx {
     /// Authentication data to keep in memory.
     pub(crate) auth_data: OnceCell<AuthData>,
 
-    /// The current session tokens.
-    tokens: OnceCell<Mutex<SessionTokens>>,
+    /// The current session tokens and their state.
+    tokens: OnceCell<Mutex<SessionTokensState>>,
 
     /// A callback called whenever we need an absolute source of truth for the
     /// current session tokens.
@@ -119,22 +133,47 @@ impl AuthCtx {
 
     /// The current session tokens.
     pub(crate) fn session_tokens(&self) -> Option<SessionTokens> {
-        Some(self.tokens.get()?.lock().clone())
+        Some(self.tokens.get()?.lock().inner.clone())
     }
 
     /// The current access token.
     pub(crate) fn access_token(&self) -> Option<String> {
-        Some(self.tokens.get()?.lock().access_token.clone())
+        Some(self.tokens.get()?.lock().inner.access_token.clone())
+    }
+
+    /// Whether we have a valid session token.
+    pub(crate) fn has_valid_access_token(&self) -> bool {
+        self.tokens.get().is_some_and(|tokens| !tokens.lock().access_token_expired)
     }
 
     /// Set the current session tokens.
     pub(crate) fn set_session_tokens(&self, session_tokens: SessionTokens) {
+        let session_tokens = SessionTokensState {
+            inner: session_tokens,
+            // We just got the tokens, so we assume that they are not expired.
+            access_token_expired: false,
+        };
+
         if let Some(tokens) = self.tokens.get() {
             *tokens.lock() = session_tokens;
         } else {
             let _ = self.tokens.set(Mutex::new(session_tokens));
         }
     }
+
+    /// Set the given access token as expired.
+    ///
+    /// We take the value of the access token to make sure that we don't mark
+    /// the wrong access token as expired.
+    pub(crate) fn set_access_token_expired(&self, access_token: &str) {
+        if let Some(tokens) = self.tokens.get() {
+            let mut tokens = tokens.lock();
+
+            if tokens.inner.access_token == access_token {
+                tokens.access_token_expired = true;
+            }
+        }
+    }
 }
 
 /// An enum over all the possible authentication APIs.

crates/matrix-sdk/src/client/mod.rs

@@ -1936,7 +1936,8 @@ impl Client {
         let path_builder_input =
             Request::PathBuilder::get_path_builder_input(self, skip_auth).await?;
 
-        self.inner
+        let result = self
+            .inner
             .http_client
             .send(
                 request,
@@ -1946,7 +1947,17 @@ impl Client {
                 path_builder_input,
                 send_progress,
             )
-            .await
+            .await;
+
+        if let Err(Some(ErrorKind::UnknownToken { .. })) =
+            result.as_ref().map_err(HttpError::client_api_error_kind)
+            && let Some(access_token) = &access_token
+        {
+            // Mark the access token as expired.
+            self.auth_ctx().set_access_token_expired(access_token);
+        }
+
+        result
     }
 
     fn broadcast_unknown_token(&self, soft_logout: &bool) {
@@ -2030,9 +2041,9 @@ impl Client {
             unstable_features: server_versions.unstable_features,
         };
 
-        // Attempt to cache the result in storage.
-        {
-            if let Err(err) = self
+        // Only attempt to cache the result in storage if the request was authenticated.
+        if self.auth_ctx().has_valid_access_token()
+            && let Err(err) = self
                 .state_store()
                 .set_kv_data(
                     StateStoreDataKey::SupportedVersions,
@@ -2041,9 +2052,8 @@ impl Client {
                     )),
                 )
                 .await
-            {
-                warn!("error when caching supported versions: {err}");
-            }
+        {
+            warn!("error when caching supported versions: {err}");
         }
 
         Ok(supported_versions)
@@ -2105,7 +2115,10 @@ impl Client {
             supported_versions.versions = [MatrixVersion::V1_0].into();
         }
 
-        *guarded_supported_versions = CachedValue::Cached(supported_versions.clone());
+        // Only cache the result if the request was authenticated.
+        if self.auth_ctx().has_valid_access_token() {
+            *guarded_supported_versions = CachedValue::Cached(supported_versions.clone());
+        }
 
         Ok(supported_versions)
     }