Store session data in a secure way (#98)

* Replace SessionData DataStore with an encrypted SQLite DB.

---------

Co-authored-by: Benoit Marty <benoit@matrix.org>

libraries/session-storage/src/main/kotlin/io/element/android/libraries/sessionstorage/DatabaseSessionStore.kt

@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2023 New Vector Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.element.android.libraries.sessionstorage
+
+import com.squareup.anvil.annotations.ContributesBinding
+import com.squareup.sqldelight.runtime.coroutines.asFlow
+import com.squareup.sqldelight.runtime.coroutines.mapToOneOrNull
+import io.element.android.libraries.di.AppScope
+import io.element.android.libraries.di.SingleIn
+import io.element.android.libraries.matrix.session.SessionData
+import kotlinx.coroutines.flow.Flow
+import kotlinx.coroutines.flow.map
+import javax.inject.Inject
+
+@SingleIn(AppScope::class)
+@ContributesBinding(AppScope::class)
+class DatabaseSessionStore @Inject constructor(
+    private val database: SessionDatabase,
+) : SessionStore {
+
+    override fun isLoggedIn(): Flow<Boolean> {
+        return database.sessionDataQueries.selectFirst().asFlow().mapToOneOrNull().map { it != null }
+    }
+
+    override suspend fun storeData(sessionData: SessionData) {
+        database.sessionDataQueries.insertSessionData(sessionData)
+    }
+
+    override suspend fun getLatestSession(): SessionData? {
+        return database.sessionDataQueries.selectFirst()
+            .executeAsOneOrNull()
+    }
+
+    override suspend fun getSession(sessionId: String): SessionData? {
+        return database.sessionDataQueries.selectByUserId(sessionId)
+            .executeAsOneOrNull()
+    }
+
+    override suspend fun removeSession(sessionId: String) {
+        database.sessionDataQueries.removeSession(sessionId)
+    }
+}

libraries/session-storage/src/main/kotlin/io/element/android/libraries/sessionstorage/SessionStore.kt

@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2023 New Vector Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.element.android.libraries.sessionstorage
+
+import io.element.android.libraries.matrix.session.SessionData
+import kotlinx.coroutines.flow.Flow
+
+interface SessionStore {
+    fun isLoggedIn(): Flow<Boolean>
+    suspend fun storeData(session: SessionData)
+    suspend fun getSession(sessionId: String): SessionData?
+    suspend fun getLatestSession(): SessionData?
+    suspend fun removeSession(sessionId: String)
+}

libraries/session-storage/src/main/kotlin/io/element/android/libraries/sessionstorage/di/SessionStorageModule.kt

@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2023 New Vector Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.element.android.libraries.sessionstorage.di
+
+import android.content.Context
+import com.squareup.anvil.annotations.ContributesTo
+import dagger.Module
+import dagger.Provides
+import io.element.android.libraries.di.AppScope
+import io.element.android.libraries.di.ApplicationContext
+import io.element.android.libraries.di.SingleIn
+import io.element.android.libraries.sessionstorage.SessionDatabase
+import io.element.encrypteddb.SqlCipherDriverFactory
+import io.element.encrypteddb.passphrase.RandomSecretPassphraseProvider
+
+@Module
+@ContributesTo(AppScope::class)
+object SessionStorageModule {
+    @Provides
+    @SingleIn(AppScope::class)
+    fun provideMatrixDatabase(@ApplicationContext context: Context): SessionDatabase {
+        val name = "session_database"
+        val secretFile = context.getDatabasePath("$name.key")
+        val passphraseProvider = RandomSecretPassphraseProvider(context, secretFile, name)
+        val driver = SqlCipherDriverFactory(passphraseProvider)
+            .create(SessionDatabase.Schema, "$name.db", context)
+        return SessionDatabase(driver)
+    }
+}

libraries/session-storage/src/main/sqldelight/io/element/android/libraries/matrix/session/SessionData.sq

@@ -0,0 +1,21 @@
+CREATE TABLE SessionData (
+    userId TEXT NOT NULL PRIMARY KEY,
+    deviceId TEXT NOT NULL,
+    accessToken TEXT NOT NULL,
+    refreshToken TEXT,
+    homeserverUrl TEXT NOT NULL,
+    isSoftLogout INTEGER AS Boolean NOT NULL DEFAULT 0,
+    slidingSyncProxy TEXT
+);
+
+selectFirst:
+SELECT * FROM SessionData LIMIT 1;
+
+selectByUserId:
+SELECT * FROM SessionData WHERE userId = ?;
+
+insertSessionData:
+INSERT INTO SessionData(userId, deviceId, accessToken, refreshToken, homeserverUrl, isSoftLogout, slidingSyncProxy) VALUES ?;
+
+removeSession:
+DELETE FROM SessionData WHERE userId = ?;