Unable to restore session

[florianduros]

After brower relaunch, I'm unable to restore my session. I had to signout.

RS available.

On develop: Element version: 22c7bf346c53-js-26922a61f30e Crypto version: Rust SDK 0.11.0 (f2e32d4), Vodozemac 0.9.0

[uhoreg]

The rageshakes say:

D No pickle key available for <mxid>|<deviceid>
E Unable to load session Error decrypting secret access_token: no pickle key found.
tryDecryptToken@https://develop.element.io/bundles/8f2853412d467a7b1664/element-web-app.js:11359:11
restoreSessionFromStorage@https://develop.element.io/bundles/8f2853412d467a7b1664/element-web-app.js:12055:40

There is a rageshake from Firefox, and a rageshake from Element Desktop. Both rageshakes are on Linux.

[kla269977]

D No pickle key available for | E Unable to load session Error decrypting secret access_token: no pickle key found. tryDecryptToken@https://develop.element.io/bundles/8f2853412d467a7b1664/element-web-app.js:11359:11 restoreSessionFromStorage@https://develop.element.io/bundles/8f2853412d467a7b1664/element-web-app.js:12055:40

[richvdh]

Sounds a lot like https://github.com/element-hq/element-desktop/issues/1816

[t3chguy]

Though interestingly doesn't involve Electron

[richvdh]

Ok, so another factor here: before this problem started, there were some OAuth2 shenanigans:

2025-05-20T12:07:58.172Z D FetchHttpApi: --> GET https://matrix-client.matrix.org/_matrix/client/unstable/org.matrix.msc2965/auth_metadata
2025-05-20T12:07:58.197Z D FetchHttpApi: <-- GET https://matrix-client.matrix.org/_matrix/client/v3/directory/room/%23alpagabzh%3Ainso.ovh [325ms 200]
2025-05-20T12:07:58.217Z D FetchHttpApi: <-- GET https://matrix-client.matrix.org/_matrix/client/unstable/org.matrix.msc2965/auth_metadata [45ms 200]
2025-05-20T12:07:58.447Z E Dynamic registration failed
registerOidcClient@https://develop.element.io/bundles/8f2853412d467a7b1664/init.js:33395:13

2025-05-20T12:07:58.447Z D FetchHttpApi: --> GET https://matrix-client.matrix.org/_matrix/client/v3/login
2025-05-20T12:07:58.507Z D FetchHttpApi: <-- GET https://matrix-client.matrix.org/_matrix/client/v3/login [60ms 200]
2025-05-20T12:07:58.859Z D FetchHttpApi: <-- GET https://matrix-client.matrix.org/_matrix/client/versions [1311ms 401]
2025-05-20T12:07:58.868Z D Attempting to refresh token
2025-05-20T12:07:58.934Z E Failed to refresh token The provided access grant is invalid, expired, or revoked.
TokenRefreshLogoutError@https://develop.element.io/bundles/8f2853412d467a7b1664/init.js:14199:5
doRefreshAccessToken@https://develop.element.io/bundles/8f2853412d467a7b1664/init.js:33517:15

(from logs-0002.log.gz)

I can well believe that a failure to refresh the access token would result in the pickle key being cleared out, which would then result in a failure to restore the session next time (though if we're clearing the pickle key, I'd expect us to clear all the session data, not just the pickle key).

@t3chguy: OAuth2 is your wheelhouse I think. Any ideas what those logs mean?

[richvdh]

(could it be that, if EW decides to refresh its access token at exactly the wrong moment, we end up blowing away bits of the session?)

[t3chguy]

Dynamic registration failed

can be ignored, though am surprised to see it trying to register a new oidc client if there is an existing session

The provided access grant is invalid, expired, or revoked.

This error is directly from the IdP

[richvdh]

Ok, so if the IdP rejected our attempt to renew, could we have left the session in a broken state?

[t3chguy]

A failed token refresh should yield a logout in the same way a 401 without OIDC would

[richvdh]

... meaning we would clear the pickle key from indexeddb and the sessiondata from localstorage? Given that this was happening as the machine was being shut down, it's fairly easy to imagine that update to localstorage getting lost.

[t3chguy]

Yup, given we store everything in different places we can't do any form of atomicity