Check and prefer user token if provided

server/routers/olm/getOlmToken.ts

@@ -1,4 +1,7 @@
-import { generateSessionToken } from "@server/auth/sessions/app";
+import {
+    generateSessionToken,
+    validateSessionToken
+} from "@server/auth/sessions/app";
 import {
     clients,
     db,
@@ -26,8 +29,9 @@ import { APP_VERSION } from "@server/lib/consts";
 
 export const olmGetTokenBodySchema = z.object({
     olmId: z.string(),
-    secret: z.string(),
-    token: z.string().optional(),
+    secret: z.string().optional(),
+    userToken: z.string().optional(),
+    token: z.string().optional(), // this is the olm token
     orgId: z.string().optional()
 });
 
@@ -49,7 +53,7 @@ export async function getOlmToken(
         );
     }
 
-    const { olmId, secret, token, orgId } = parsedBody.data;
+    const { olmId, secret, token, orgId, userToken } = parsedBody.data;
 
     try {
         if (token) {
@@ -84,6 +88,24 @@ export async function getOlmToken(
             );
         }
 
+        if (userToken) {
+            const { session: userSession, user } =
+                await validateSessionToken(userToken);
+            if (!userSession || !user) {
+                return next(
+                    createHttpError(HttpCode.BAD_REQUEST, "Invalid user token")
+                );
+            }
+            if (user.userId !== existingOlm.userId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "User token does not match olm"
+                    )
+                );
+            }
+        } else if (secret) {
+            // this is for backward compatibility, we want to move towards userToken but some old clients may still be using secret so we will support both for now
             const validSecret = await verifyPassword(
                 secret,
                 existingOlm.secretHash
@@ -99,6 +121,14 @@ export async function getOlmToken(
                     createHttpError(HttpCode.BAD_REQUEST, "Secret is incorrect")
                 );
             }
+        } else {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Either secret or userToken is required"
+                )
+            );
+        }
 
         logger.debug("Creating new olm session token");