Skip to content

fix: make login types check optional#2412

Open
krille-chan wants to merge 2 commits into
mainfrom
krille/make-login-types-check-optional
Open

fix: make login types check optional#2412
krille-chan wants to merge 2 commits into
mainfrom
krille/make-login-types-check-optional

Conversation

@krille-chan

@krille-chan krille-chan commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

check for login types is soon legacy duo to matrix native oidc. Making this a requirement actually makes login to oidc only homeservers like newest version of conduwuit impossible.

closes krille-chan/fluffychat#3250

closes https://famedly.atlassian.net/browse/FM-757

check for login types is soon
legacy duo to matrix native oidc. Making this a requirement
actually makes login to oidc
only homeservers like newest
version of conduwuit impossible.

closes krille-chan/fluffychat#3250
@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 56.52174% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.60%. Comparing base (53a6a79) to head (2d3b129).

Files with missing lines Patch % Lines
...2964_oidc_login_flow/msc_2964_oidc_login_flow.dart 50.00% 6 Missing ⚠️
...ion/msc_2966_oidc_dynamic_client_registration.dart 50.00% 2 Missing ⚠️
lib/src/client.dart 71.42% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2412      +/-   ##
==========================================
- Coverage   59.62%   59.60%   -0.02%     
==========================================
  Files         161      161              
  Lines       20329    20346      +17     
==========================================
+ Hits        12121    12128       +7     
- Misses       8208     8218      +10     
Files with missing lines Coverage Δ
...ion/msc_2966_oidc_dynamic_client_registration.dart 69.23% <50.00%> (-1.44%) ⬇️
lib/src/client.dart 78.21% <71.42%> (-0.06%) ⬇️
...2964_oidc_login_flow/msc_2964_oidc_login_flow.dart 87.91% <50.00%> (-6.00%) ⬇️

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 53a6a79...2d3b129. Read the comment docs.

@krille-chan
krille-chan marked this pull request as ready for review July 14, 2026 11:08
@cursor

cursor Bot commented Jul 14, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Changes homeserver validation and OIDC token/registration response handling on the login path; permissive empty login flows could hide misconfigured servers until OIDC steps fail later.

Overview
checkHomeserver no longer requires a successful legacy /login flows response. Login types are fetched with Result.capture; failures are treated as an empty list (with a warning for non-MatrixException errors), and BadServerLoginTypesException is only raised when the server does return flows that none of match supportedLoginTypes. That unblocks OIDC-only homeservers (e.g. newer Conduwuit) that omit or break the old login API.

OIDC HTTP handling in MSC2964 (token login, refresh, revoke) and MSC2966 (dynamic client registration) now calls unexpectedResponse only for status ≥ 400, while unexpected “success” codes (not 200/201) log a warning and still parse the body.

Reviewed by Cursor Bugbot for commit 2d3b129. Bugbot is set up for automated code reviews on this repo. Configure here.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: OIDC warnings name wrong operation
    • Updated the three non-200 warning messages to name their actual operations (token exchange, token refresh, token revocation) instead of the incorrect 'OIDC client registration'.

Create PR

Or push these changes by commenting:

@cursor push b59b91abe2
Preview (b59b91abe2)
diff --git a/lib/msc_extensions/msc_2964_oidc_login_flow/msc_2964_oidc_login_flow.dart b/lib/msc_extensions/msc_2964_oidc_login_flow/msc_2964_oidc_login_flow.dart
--- a/lib/msc_extensions/msc_2964_oidc_login_flow/msc_2964_oidc_login_flow.dart
+++ b/lib/msc_extensions/msc_2964_oidc_login_flow/msc_2964_oidc_login_flow.dart
@@ -101,7 +101,7 @@
     }
     if (response.statusCode != 200) {
       Logs().w(
-        'Expected a status code of 200 but got ${response.statusCode} for OIDC client registration.',
+        'Expected a status code of 200 but got ${response.statusCode} for OIDC token exchange.',
       );
     }
     final responseString = utf8.decode(response.bodyBytes);
@@ -139,7 +139,7 @@
     }
     if (response.statusCode != 200) {
       Logs().w(
-        'Expected a status code of 200 but got ${response.statusCode} for OIDC client registration.',
+        'Expected a status code of 200 but got ${response.statusCode} for OIDC token refresh.',
       );
     }
     final responseString = utf8.decode(response.bodyBytes);
@@ -166,7 +166,7 @@
     }
     if (response.statusCode != 200) {
       Logs().w(
-        'Expected a status code of 200 but got ${response.statusCode} for OIDC client registration.',
+        'Expected a status code of 200 but got ${response.statusCode} for OIDC token revocation.',
       );
     }
   }

You can send follow-ups to the cloud agent here.

Turns out that some implementations
can return 200 instead of 201 or other
status codes. Actually 201 or 200 is
the correct one but IMO not a reason to
 let the app crash here. Worth a
 warning though.
@krille-chan
krille-chan force-pushed the krille/make-login-types-check-optional branch from ff11875 to 2d3b129 Compare July 14, 2026 12:01

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

Fix All in Cursor

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Login types log missing stacktrace
    • Captured the stack trace from loginTypesResult.asError and passed it as the third argument to Logs().w, matching the SDK's logging convention.

Create PR

Or push these changes by commenting:

@cursor push 800a9b2435
Preview (800a9b2435)
diff --git a/lib/src/client.dart b/lib/src/client.dart
--- a/lib/src/client.dart
+++ b/lib/src/client.dart
@@ -575,8 +575,13 @@
       final loginTypesResult = await Result.capture(getLoginFlows());
       final loginTypes = loginTypesResult.asValue?.value ?? [];
       final loginTypesError = loginTypesResult.asError?.error;
+      final loginTypesStackTrace = loginTypesResult.asError?.stackTrace;
       if (loginTypesError != null && loginTypesError is! MatrixException) {
-        Logs().w('Unable to fetch legacy login types', loginTypesError);
+        Logs().w(
+          'Unable to fetch legacy login types',
+          loginTypesError,
+          loginTypesStackTrace,
+        );
       }
 
       if (loginTypes.isNotEmpty &&

You can send follow-ups to the cloud agent here.

Reviewed by Cursor Bugbot for commit 2d3b129. Configure here.

Comment thread lib/src/client.dart
@N00byKing N00byKing mentioned this pull request Jul 14, 2026
@N00byKing

Copy link
Copy Markdown

This change alone was not enough for me to get it to work, I also needed #2411.
Was that not the case for you?

@krille-chan

Copy link
Copy Markdown
Contributor Author

This change alone was not enough for me to get it to work, I also needed #2411. Was that not the case for you?

I haven't tried it on web so wasn't affected. I will review your PR :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Native OIDC-only homeservers (Continuwuity v26.6.0 and above) cannot be logged into, even with enableMatrixNativeOIDC enabled

2 participants