[Prep] PoC for "Sign in with Element Classic"

[manuroe]

Description

This demo is in the context of helping users to migrate from Element Classic to Element X. We want the process to be as smooth and as frictionless as possible.

The two apps being on the same phone, we do not want to ask the user in EX to verify their "device". Also, asking them to log in on EX is a bit annoying.

On the other hand, "Sign in with QR code" is super easy to use to connect from a new device. Since last week, EXA can display a QR code so that another Matrix client can easily sign in.

The question to answer: Can we reuse the same underneath mechanism of QR code between Element Classic and Element X so that EX can sign in with Element Classic?
There will be no QR code displayed or scanned by any app. The QR code data will be directly shared between the apps using OS secured channels for apps in the same group.

It means that Element Classic will have to embed a bit more of the Rust SDK. Its crypto crate currently used by Element classic is not enough to support QR code data and exchange. We are fine to embed to whole Rust SDK.

Leads

Tech: @bmarty
Design: @bmarty (it is a PoC to validate the tech of this app migration option)

Acceptance criteria

For users on servers where "Sign with QR code" is possible:

• if Element Classic is already on the device and already logged in, EX offers a "Sign in with Element Classic" button
• If the user taps on the "Sign in with Element Classic" button,
  • the user is automatically logged in
  • the new EX device is verified
• the user is still connected on Element Classic

Questions

• Security: do we need extra user interaction steps in Element Classic to validate the authentication request?

Dependencies

• None

Out of scope

• Servers not ready for "Sign with QR code". We will explore them later if needed.
• A polished implementation and UX. We want to check what is technically feasible. At this end of the PoC, we will discuss with product and design to build the production ready solution.

Sub-issue

Rust

• Expose method export_secrets_bundle in the FFI layer matrix-org/matrix-rust-sdk#6037
• Let the application be able to login using a matrix id and secrets matrix-org/matrix-rust-sdk#6087

Security

• https://github.com/element-hq/security-internal/issues/133

[burdges]

Element X does not correctly handle downloads or send intents for downloads, so seems kinda premature to push people to migrate.

[bmarty]

Current status:

• The feature in Element X is behind a feature flag
• We confirmed that Element X released on the PlayStore is able to get the data (userId and secrets) from a locally built Element Classic prod version. But no other action is done by Element X for now.
• Element Classic is not released yet. PR: Expose service to let Element X access some internal data element-android#9109. Mainly waiting for https://github.com/element-hq/security-internal/issues/133 to validate the security aspect of the solution.

[manuroe]

We can claim that the PoC has succeeded. We know what we can do now about sharing secrets between EA and EXA.