feat: new group membership update algorithm

[Septias]

Replacement for #3807.

This PR implements the idea sketched in #3782 by acting along these guidlines:

1. If self is no in chat, reject the membership update.
2. If a membership update message has an outdated timestamp, reject the update.
3. If the sender is a mua rebuild the contact list, but only add new members.
4. If we don't know the referenced message, rebuild the contact list because we missed messages which could have been add/remove.

By always discarding outdated membership messages there might occur situations in which two people simultaneously change members and the updates come in out of order, leading to the discard of one of the messages. It is to note though, that this is only a problem when there was no synchronisation between the two senders because otherwise the membership-list will be rebuild because of 4.

This problem also occures in the current master' implementation because it usese the same logic as 2 and is hard to mitigate because there is no obvious way to decide whether to accept an old update or not. There is maybe a way by storing a timestamp per group member which would allow us to reason better about the membership of individual users instead of membership changes on a group-level, but this can be part of future work.

Tests

This PR also introduces some new tests:

• Bob will catchup to groupstate when readded. (test_sync_member_list_on_rejoin)
• Alice rebuilds the contact list if she misses a message. (test_rebuild_contact_list_on_missing_message)
• Alice doesn't rebuild contact list because of single addition/deletion. (test_dont_recreate_contacts_on_add_remove)
• Bob doesn't readd himself to a group because he receives a normal message. (test_dont_readd_with_normal_msg)
• A delayed receival of an addition or removal will not change group state.(test_recreate_contact_list_on_missing_message)
• A mua user can't remove someone (test_mua_cant_remove)
• A mua user can add someone (test_mua_can_add)

[hpk42]

is this still implementing #3782 ? -- please try to add a bit more context to PRs. Was expecting to read a description of the new algorithm that is in the PR title somewhere .... :)

[iequidoo]

And also we can miss messages about an addition of ourselves. So, this code should have a preference over "self" checks done above. And also a comment would be good on why these "self" checks are needed

[Septias]

When self is added, the recreate_membership_list flag is set and apply_groupchanges aswell. This will lead to a new better_msg in the header-handling code, so a stockstring should be created.

[iequidoo]

But what if we did't receive a ChatGroupMemberAdded message about "self"? Afaiu, this PR is fixing problems when messages can be missed because of delivery problems. I don't get why "self" is a special case in ragards to handling of InReplyTo which references a missed message

[Septias]

I moved it outwards where it belongs

[iequidoo]

Anyway, consider the following scenario:

• We left the group
• Then we were re-added, but missed the addition message
• We receive a message with InReplyTo referencing a message we don't have (the message adding us to the group). But above there's the check:

if !chat::is_contact_in_chat(context, chat_id, ContactId::SELF).await? && !self_added {

So, we're not in the group and don't handle this scenario. Is it correct? Why is it special for SELF?

[iequidoo]

I think that current problems with unintentional re-additions come from the current approach that u described:

* If the message has a Chat-Group-Member-Removed header, then we completely recreate the group member list (i.e. use the member list of the incoming message).

* If the message has a Chat-Group-Member-Added, then we recreate the group member list, but don't remove anyone (i.e. add recipients of the incoming messages as members).

It's not difficult to see how each of the both arms above can lead to an unintentional re-addition.

[iequidoo]

@Hocuri, i still don't get why we can't just use the algo you suggested initially in #3782 (comment). For me it looks more simple and straightforward. Also it was discussed in the "DC Core Rust" chat, just search for "InReplyTo" (starting from Apr 17)

[link2xt]

IIRC at some point, there were lots of complaints that people couldn't leave a group because they were constantly re-added.

The problem was that some users in a large group kept reinstalling DC and restored an old backup with old member list. Then they immediately left some groups, sending a Chat-Group-Member-Removed header, which caused recreation of the member list and readdition of self to the group for you and other members. Other members also tried to leave the group, sending lots of "... left the group" messages to some broken group. It was difficult to teach everyone not to leave the group, but to delete it or block it and forget about it.

[Hocuri]

Reading the thread here, tbh, I don't remember anymore what the problems discussed here were. But I think it's fine, IIRC we discussed pretty minor edge cases, time will tell if there are problems we should fix (and whether the new algo is an improvement at all). @iequidoo I hope you don't feel like we missed your concerns?

[iequidoo]

The problem is that the current algo is not resillent to missed messages about addition of SELF. If it happens, the only way to fix the group is to remove the member and re-add them again. The algo you suggested in #3782 (comment) fixes this inconsistency when we receive a message with orphaned InReplyTo. Also it looks simpler. And as for the problem with messages from a Delta Chat that restored an old backup, it will ignore them as well because they will reference a known message in InReplyTo.

I think it's not very important right now, but i'd prefer to try your "truly consistent" algo and if it doesn't bring new problems, why not use it?

[Hocuri]

I reviewed the new logic, directly pushed some changes with explanation (please have a look if they seem good), and have one (blocking) comment.

So, only the tests need to be reviewed still. Edit: The tests also look good; in many places, they could use some newer APIs from test_utils.rs in order to be a lot shorter / more concise, but it would also be OK-ish to merge as-is.

[Hocuri]

🎉🎉🎉!

Before merging, let's

• wait for @link2xt to review / have a glance on it
• make sure that nobody is going to make a release right afterwards

[Septias]

Ty for rebasing @link2xt

[link2xt]

I have added some logs, removed unnecessary .cloned(), rebased and squashed the PR, then merged once the tests passed.

[link2xt]

make sure that nobody is going to make a release right afterwards

The changes are incremental and only add tests without modifying existing tests, so I think it is ok to get this into 1.117.0 and turn 1.117 into a stable branch.

[Septias]

Finally done! Thanks everybody for the great effort!

[link2xt]

This may fail to load the contact if the contact is blocked. In this case all the code below is skipped and better_msg is not used.

Found this while looking for the reason of #4528