Verified Element X session became unverified

[colemickens]

Steps to reproduce

1. Setup Element X.
2. Login.
3. Verify the session with another device.
4. Use your "Recovery Key" to restore key backup.
5. wait a day :P

Outcome

What did you expect?

Things to work normally-ish.

What happened instead?

Today, my Element X started thinking it was unverified despite continuing to receive and see (readable) DMs from an encrypted room in my Android notification tray.

Timeline

• Apr 15 - ??? unknown time, likely around 19:00 - I reset Key Backup because it had been busted for quite a while. I ensured that I'd gotten as many keys as possible into my session, reset it.

• Apr 15 - 19:2x - I start setting up Element X Android

• Apr 15 - 19:2x - I confirm Element X Android session, using Element Web

• Apr 15 - 19:2x -I noticed that I'm prompted for recovery key (maybe to join KeyBackup), despite session verification

• Apr 15 - 19:28 - I message the Element X Android room saying I successfully got a verified Element X session

• Apr 16 - 15:36 - I randomly look at Element Web, and notice that Element X Android is not appearing in my session list at all. Later, when it does re-appear, I realize in retrospect that at least one of my other verified clients had also been missing from the list.

• Apr 16 - approx 17:15: I'm walking outside, and click on one of the notifications on my phone (possibly the first time doing so today, I probably was just reading them on Element Web while I worked). Almost immediately it popped up and asked me to Verify the session.

• Apr 16 - approx 17:40: element x DOES appear in my verified sessions in Element Web

• Apr 16 - approx 17:44: element x android is ... again not appearing in my verified sessions in Element Web.

Extra details:

• I only have one element web session\
• It seems that clicking the "Inactive sessions" in the top part of the Sessions window filters the list below. Which is awesome, makes total sense. I am now nervous that that's why I wasn't seeing Element X in the list? But... I'm still not sure.

Your phone model

Google Pixel 6a

Operating system version

Android 14 latest

Application version and app store

0.4.9 (40004090)

Homeserver

matrix.org

Will you send logs?

Yes

Are you willing to provide a PR?

Yes

[claell]

Some days ago, I also got the verification screen on my phone. I wonder whether that was just caused by a recent update that (I think) changed the verification process/screen.

So possibly, the session never really was unverified, just the verification screen shows up.

@bmarty, I think, you did that verification workflow commits; possibly you can check whether my theory is correct.

[claell]

I am talking about #2580. But that wouldn't really add up time-wise, as that is a bit older.

[bmarty]

We are forcing users to verify their session in the coming release (database migration here: #2718), but it seems that some code to set the real verification status is missing.

For the rationale about mandatory verification please refer to #2702 (comment)

[colemickens]

The broader discussion is a bit over my head (though I appreciate the insight) - but I think your DB migration link is wrong (links to this issue).

Also, I'm totally on board with mandatory verification, especially if y'all get QR login going (which, makes me curious how thats implemented, 🤞 it's via OIDC/OAuth-y mechanisms but idk if it's too early for that).

Sounds like y'all are on it, but for what it's worth, I haven't had any issues with Element X Android since getting it "re"-verified.

[claell]

@bmarty, the thing is that it appears that already verified sessions were forced to verify again.