ZAP: Encryption for mobile push notifications #2
Conversation
prakhar1144
force-pushed
the
encrypt-push-notification
branch
3 times, most recently
from
0b4f350 to
94cfa73
Compare
| **On success**, the bouncer replies to the server with `device_id`. | ||
| The server stores `device_id` in the `PushDevice`. | ||
|
|
||
| **On error**, the server keep retrying for a long time. Like maybe |
There was a problem hiding this comment.
Not on a liveness failure. (Those don't have a hope of fixing themselves on retry.)
In that case the server should probably then just forget about that push_account_id, so that the client retries from scratch.
gnprice
changed the title
|
I shortened the title because "proposal" is redundant in the name of a ZAP 🙂 |
prakhar1144
force-pushed
the
encrypt-push-notification
branch
from
94cfa73 to
aa02161
Compare
prakhar1144
force-pushed
the
encrypt-push-notification
branch
from
aa02161 to
57251f2
Compare
|
Addressed the review comments. Posted 2 questions: |
prakhar1144
force-pushed
the
encrypt-push-notification
branch
from
57251f2 to
7358a81
Compare
prakhar1144
force-pushed
the
encrypt-push-notification
branch
from
7358a81 to
bede1c5
Compare
|
I have a workflow suggestion for this repo: Instead of using the workflow we use in Zulip's software repos, I'd like to use a squash-merge workflow. That means:
This way, the commits in the PR are a record of its history during review. We know the end result will be a single commit — so, unlike with Zulip's main repos, there's no need to use the commit structure within the PR branch to express the details of the desired commit structure to be merged. And this way everyone has a lot more options for looking at the PR after some revisions have happened and seeing exactly what's changed since the last time one looked, or exactly what the PR looked like at the time of a given review discussion. (Cf. previous discussion of the trade-offs of squash-merge vs. Zulip's normal rebase-merge workflow, in the context of our main repos: #git help > squash-merges @ 💬.) |
prakhar1144
force-pushed
the
encrypt-push-notification
branch
from
5d0ad50 to
7fd37bf
Compare
Changes: * Import/Export PushDevice carefully. * Keep Zulip Cloud implementation conceptually similar. * Explanation for how a user is notified of liveness error. * No need to pass `user_id` when registering to bouncer. * Cleanup stale entries of `PushDevice`.
prakhar1144
force-pushed
the
encrypt-push-notification
branch
from
7fd37bf to
b6d61dc
Compare
|
New changes made are in a separate commit as discussed. See commit message for a summary. |
Updates since last time: * Add `token_kind` in `PushDevice` to make batched API call to the push bouncer while sending notifications possible. * Addressed Zixuan comments.
| - This allows the client to determine if the `push_account_id` it has | ||
| locally for the account is missing on the `push_account_ids` map. | ||
| If missing, it knows it needs to reregister the push device. | ||
| It helps to show an error to the user in case of liveness error. |
There was a problem hiding this comment.
I don't understand the last sentence here. What's a "liveness error" in this context? Is this saying that something helps for showing an error, or that showing an error is helpful?
There was a problem hiding this comment.
It's related to the error bouncer raises during registration:
On error:
- If it's a liveness error, don't retry and forget the
push_account_id.
Pass the error to the server admin. The user is notified about this
error on the client using thepush_account_idsmap provided in the
register-queue response. (Refer
to the Miscellaneous section for more details.)
Updating it would be helpful:
It helps to show an error to the user in case of liveness error
+ raised by the bouncer during registration.Also, I think we can be more specific here. When we say "user is notified about this error", there would be some specific error message like "contact your admin" ? & not just a retry.
So, PushDevice record with push_account_id will be deleted in the case of expired_time as well as "liveness error". How we're going to distinguish to show the specific error message to the user in one case and not the other ?
There was a problem hiding this comment.
Hmm, I still don't understand what this is saying. Can you clarify this part?
Is this saying that something helps for showing an error, or that showing an error is helpful?
And if the former: what is the thing that helps for showing an error?
There was a problem hiding this comment.
This is addressing #2 (comment)
Is this saying that something helps for showing an error
Yes.
if the former: what is the thing that helps for showing an error?
push_account_ids map (which has push_account_id and status) will help the client.
There was a problem hiding this comment.
Great, so this sentence could say:
This data helps the client to show an error to the user in case of a liveness error.
I understand now what the sentence is saying. Next is the how and the why: how does the client use this data for that purpose, and why is that something we want to do? Why does the client care that there was specifically a liveness error?
For giving the user feedback that notifications aren't successfully set up, I think we probably want just a timeout: the client started trying to tell the server about its token more than, like, a few minutes ago, and the status is still that it hasn't succeeded yet.
There was a problem hiding this comment.
PUSH_REGISTRATION_LIVENESS_TIMEOUT is 24 hours.
So, are you suggesting:
- Storing the timestamp in client when the registration request was made and server responded with 200.
- Then, in future, when the user reopens the map and the
push_account_idis missing in the map + 24 hours passed; we can show the error and retry.
There was a problem hiding this comment.
No, I meant what I said.
If the user installed the Zulip app and logged into Zulip 5 minutes ago, and they're not getting notifications when people DM them, they're going to be wondering what's up because "the mobile app" clearly isn't working. So the app should acknowledge that.
At that point the server will still be periodically attempting to retry the registration with the bouncer (because PUSH_REGISTRATION_LIVENESS_TIMEOUT hasn't expired). In other words it will be still attempting to recover from the outage. But that doesn't mean there isn't an outage.
There was a problem hiding this comment.
Okay, simply client side handling.
There was a problem hiding this comment.
Updated in the 7th commit.
93750b6424 (HEAD -> web-empty-topic-name-support) inline_topic_edit: Show realm_empty_topic_display_name as placeholder.
prakhar1144
force-pushed
the
encrypt-push-notification
branch
from
a2e0b1d to
34240d4
Compare
prakhar1144
force-pushed
the
encrypt-push-notification
branch
from
34240d4 to
c3aa215
Compare
|
Addressed the last batch of comments. I'll post a design for #2 (comment) in CZO. -- Update: Discussed and documented here, ready to review. |
Adds plan to support rotating asymmetric key generated by the bouncer.
|
Merged via #3. I verified all the comment threads above are resolved in the merged draft. |
4 participants
Rendered