Team: make sure joined device has all team keys #108
Merged
I was finding that a joined device only had access to the most recent generation of team keys. When the device would try to instantiate the team from storage, it couldn't decrypt the root link if that link was encrypted with an older generation.
My first approach was to put the full team keys into lockboxes in the `ADD_DEVICE` link, which made sure that `team.teamKeyring()` would return the full team keys. We discussed in Slack and decided a better approach would be to have the device be in charge of storing the keyring separately.
So, we emit the full keyring along with the team from the Connection, attach that keyring to the PrivateShare (separate from the team), and then always use the keyring from the private share.
I still don't know of an easy way to test this until member removal is added to xdev... the two demos in this repo both work just fine with removing members and then inviting more. So this can sit until https://github.com/DevResults/xdev/pull/140 merges
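The failure described above, as an added illustration that is not code from this PR or from the library: a root link sealed with generation 0 cannot be opened by a keyring that holds only the newest generation, while the full keyring opens every link. All names (`newKeyring`, `rotate`, `seal`, `open`, `demo`) are hypothetical, and AES-256-GCM from Node's `crypto` stands in for whatever cipher the library actually uses.

```javascript
// Added example; hypothetical names, not the library's API.
// Loads Node's crypto whether this file runs as CommonJS or as an ES module.
const { createCipheriv, createDecipheriv, randomBytes } =
  typeof require === 'function' ? require('node:crypto') : process.getBuiltinModule('node:crypto')

// A keyring maps generation number -> 32-byte symmetric team key.
const newKeyring = () => ({ 0: randomBytes(32) })
const latest = (keyring) => Math.max(...Object.keys(keyring).map(Number))
// Rotation (e.g. after a member is removed) adds a generation; older ones are kept.
const rotate = (keyring) => ({ ...keyring, [latest(keyring) + 1]: randomBytes(32) })

// Encrypt a link body with the newest key and record which generation was used.
function seal(keyring, body) {
  const generation = latest(keyring)
  const iv = randomBytes(12)
  const cipher = createCipheriv('aes-256-gcm', keyring[generation], iv)
  const data = Buffer.concat([cipher.update(JSON.stringify(body), 'utf8'), cipher.final()])
  return { generation, iv, data, tag: cipher.getAuthTag() }
}

// Decrypt a link; fails when the keyring lacks the generation it was sealed with.
function open(keyring, link) {
  const key = keyring[link.generation]
  if (!key) throw new Error(`no team key for generation ${link.generation}`)
  const decipher = createDecipheriv('aes-256-gcm', key, link.iv)
  decipher.setAuthTag(link.tag)
  return JSON.parse(Buffer.concat([decipher.update(link.data), decipher.final()]).toString('utf8'))
}

// Constructed scenario: root link at generation 0, one rotation, then a later link.
function demo() {
  let full = newKeyring()
  const root = seal(full, { type: 'ROOT', teamName: 'constructed-team' })
  full = rotate(full)
  const later = seal(full, { type: 'ADD_DEVICE' })
  const newest = latest(full)
  const latestOnly = { [newest]: full[newest] } // what the joined device held before the fix
  const tryLoad = (keyring) => {
    try {
      return [root, later].map((link) => open(keyring, link).type)
    } catch (err) {
      return err.message
    }
  }
  return { latestOnly: tryLoad(latestOnly), fullKeyring: tryLoad(full) }
}
```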