Skip to content

fix: Soft logout with Matrix native OIDC does not send soft_logout flag#2360

Merged
krille-chan merged 2 commits into
mainfrom
krille/fix-soft-logout-for-oidc
Jul 8, 2026
Merged

fix: Soft logout with Matrix native OIDC does not send soft_logout flag#2360
krille-chan merged 2 commits into
mainfrom
krille/fix-soft-logout-for-oidc

Conversation

@krille-chan

Copy link
Copy Markdown
Contributor

No description provided.

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: d63641a4-ab08-4650-b1c9-f6afbc94751e

📥 Commits

Reviewing files that changed from the base of the PR and between c600aef and 3aecf1b.

📒 Files selected for processing (1)
  • lib/src/client.dart
🚧 Files skipped from review as they are similar to previous changes (1)
  • lib/src/client.dart

📝 Walkthrough

Walkthrough

The PR improves soft-logout handling in the Matrix Dart SDK to support OIDC token expiry scenarios. The sync loop's token-unknown detection now checks both the server's soft_logout flag and client-side token expiry. Error handling in _handleSoftLogout now distinguishes MatrixException (warns, clears session, rethrows) from other exceptions (errors, returns).

Changes

Soft-logout handling improvements

Layer / File(s) Summary
Soft-logout detection during sync
lib/src/client.dart
Extends M_UNKNOWN_TOKEN handling in the sync error path to treat a session as soft-logged-out when either the server provides soft_logout=true or accessTokenExpiresAt is already expired, enabling detection of token expiry in OIDC scenarios.
Error handling in soft-logout handler
lib/src/client.dart
Refines _handleSoftLogout to catch MatrixException separately: logs a warning, clears the client session via clear(), and rethrows. Other exception types log an error and return without clearing or rethrowing.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Description check ❓ Inconclusive No pull request description was provided by the author, making it impossible to evaluate relatedness to the changeset. Add a description explaining the soft logout behavior change for Matrix native OIDC scenarios and why the client-side token expiration check was needed.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main fix: handling soft logout when Matrix native OIDC does not send the soft_logout flag.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch krille/fix-soft-logout-for-oidc

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov

codecov Bot commented Jun 2, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 42.85714% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.29%. Comparing base (f9e6b68) to head (e62de16).

Files with missing lines Patch % Lines
lib/src/client.dart 42.85% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2360      +/-   ##
==========================================
- Coverage   59.29%   59.29%   -0.01%     
==========================================
  Files         161      161              
  Lines       20300    20303       +3     
==========================================
+ Hits        12037    12038       +1     
- Misses       8263     8265       +2     
Files with missing lines Coverage Δ
lib/src/client.dart 78.06% <42.85%> (-0.09%) ⬇️

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f9e6b68...e62de16. Read the comment docs.

@krille-chan krille-chan marked this pull request as ready for review June 2, 2026 10:44

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@lib/src/client.dart`:
- Around line 2518-2521: The soft-logout check is inverted: the variable
accessTokenExpired (computed from accessTokenExpiresAt) uses
isAfter(DateTime.now()) but should detect expiry, so change the condition in the
accessTokenExpired assignment to use
accessTokenExpiresAt?.isBefore(DateTime.now()) == true (referencing
accessTokenExpired and accessTokenExpiresAt) so expired tokens yield true and
restore the intended soft-logout logic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 69dca8a3-e378-4c46-bd12-82e6f7f062e8

📥 Commits

Reviewing files that changed from the base of the PR and between f394d9a and c600aef.

📒 Files selected for processing (1)
  • lib/src/client.dart

Comment thread lib/src/client.dart Outdated
@krille-chan krille-chan force-pushed the krille/fix-soft-logout-for-oidc branch from c600aef to 3aecf1b Compare June 2, 2026 12:39
@krille-chan krille-chan force-pushed the krille/fix-soft-logout-for-oidc branch 2 times, most recently from 3edcb6b to 332cc95 Compare June 25, 2026 08:20
Comment thread lib/src/client.dart
@krille-chan krille-chan force-pushed the krille/fix-soft-logout-for-oidc branch 7 times, most recently from 77ffff8 to e5c016b Compare June 27, 2026 08:56
@krille-chan krille-chan force-pushed the krille/fix-soft-logout-for-oidc branch from e5c016b to 7dee70b Compare July 6, 2026 06:31
@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Changes login-state and session-clearing behavior on sync errors and token refresh, which is security-sensitive but narrowly scoped to soft logout handling.

Overview
Fixes sessions that use Matrix Native OIDC when sync returns M_UNKNOWN_TOKEN without a soft_logout flag: the client now attempts token refresh when the error indicates soft logout or when accessTokenExpiresAt is set (refresh-capable session).

_handleSoftLogout distinguishes failures: MatrixException during refresh clears the local session and rethrows; other errors are logged and the handler exits without wiping the database so a later sync can retry refresh.

Reviewed by Cursor Bugbot for commit e62de16. Bugbot is set up for automated code reviews on this repo. Configure here.

Comment thread lib/src/client.dart
Comment thread lib/src/client.dart
Comment thread lib/src/client.dart
BREAKING CHANGE: no longer throws an exception on
soft logout network error but retries.
@krille-chan krille-chan force-pushed the krille/fix-soft-logout-for-oidc branch from 7dee70b to e62de16 Compare July 7, 2026 12:52

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.

Fix All in Cursor

Bugbot Autofix prepared fixes for both issues found in the latest run.

  • ✅ Fixed: Expiry flag triggers doomed refresh
    • The unknown-token soft-logout path now checks for a stored refresh_token instead of token expiry metadata.
  • ✅ Fixed: Refresh failures skip session clear
    • Generic soft-logout refresh failures now clear the session instead of leaving the invalid token retrying.

Create PR

Or push these changes by commenting:

@cursor push 8ae54d042b
Preview (8ae54d042b)
diff --git a/lib/src/client.dart b/lib/src/client.dart
--- a/lib/src/client.dart
+++ b/lib/src/client.dart
@@ -2376,10 +2376,11 @@
         rethrow;
       } catch (e, s) {
         Logs().e(
-          'Unable to refresh session after soft logout. Try again...',
+          'Unable to refresh session after soft logout. Clearing session...',
           e,
           s,
         );
+        await clear();
         return;
       }
     }();
@@ -2506,7 +2507,9 @@
         // The server explicitely moved the session into soft logout state:
         final isSoftLogoutState = e.raw.tryGet<bool>('soft_logout') == true;
 
-        final hasRefreshToken = accessTokenExpiresAt != null;
+        final storedClient = await database.getClient(clientName);
+        final hasRefreshToken =
+            storedClient?.tryGet<String>('refresh_token') != null;
 
         if (isSoftLogoutState || hasRefreshToken) {
           Logs().w('The user has been logged out! Try to refresh token...', e);

You can send follow-ups to the cloud agent here.

Reviewed by Cursor Bugbot for commit e62de16. Configure here.

Comment thread lib/src/client.dart
Comment thread lib/src/client.dart

@td-famedly td-famedly left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

breaking change but lg!

@krille-chan krille-chan merged commit c8f1062 into main Jul 8, 2026
19 of 20 checks passed
@krille-chan krille-chan deleted the krille/fix-soft-logout-for-oidc branch July 8, 2026 06:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants