Retry processing password protected references for wrong passwords

packages/app-runtime/src/AppStringProcessor.ts

@@ -75,20 +75,16 @@ export class AppStringProcessor {
 
         const uiBridge = await this.runtime.uiBridge();
 
-        let password: string | undefined;
-        if (reference.passwordProtection) {
-            const passwordResult = await this.enterPassword(reference.passwordProtection);
-            if (passwordResult.isError) {
-                return UserfriendlyResult.fail(new UserfriendlyApplicationError("error.appStringProcessor.passwordNotProvided", "No password was provided."));
-            }
-
-            password = passwordResult.value;
-        }
+        const tokenResultHolder = reference.passwordProtection
+            ? await this._fetchPasswordProtectedItemWithRetry(
+                  async (password) => await this.runtime.anonymousServices.tokens.loadPeerToken({ reference: truncatedReference, password }),
+                  reference.passwordProtection
+              )
+            : { result: await this.runtime.anonymousServices.tokens.loadPeerToken({ reference: truncatedReference }) };
 
-        const tokenResult = await this.runtime.anonymousServices.tokens.loadPeerToken({ reference: truncatedReference, password: password });
-        if (tokenResult.isError) return UserfriendlyResult.fail(UserfriendlyApplicationError.fromError(tokenResult.error));
+        if (tokenResultHolder.result.isError) return UserfriendlyResult.fail(UserfriendlyApplicationError.fromError(tokenResultHolder.result.error));
 
-        const tokenDTO = tokenResult.value;
+        const tokenDTO = tokenResultHolder.result.value;
         const tokenContent = this.parseTokenContent(tokenDTO.content);
         if (!tokenContent) {
             const error = AppRuntimeErrors.startup.wrongCode();
@@ -111,24 +107,22 @@ export class AppStringProcessor {
             return UserfriendlyResult.ok(undefined);
         }
 
-        return await this._handleReference(reference, selectedAccount, password);
+        return await this._handleReference(reference, selectedAccount, tokenResultHolder.password);
     }
 
     private async _handleReference(reference: Reference, account: LocalAccountDTO, existingPassword?: string): Promise<UserfriendlyResult<void>> {
         const services = await this.runtime.getServices(account.id);
         const uiBridge = await this.runtime.uiBridge();
 
-        let password: string | undefined = existingPassword;
-        if (reference.passwordProtection && !password) {
-            const passwordResult = await this.enterPassword(reference.passwordProtection);
-            if (passwordResult.isError) {
-                return UserfriendlyResult.fail(new UserfriendlyApplicationError("error.appStringProcessor.passwordNotProvided", "No password was provided."));
-            }
-
-            password = passwordResult.value;
-        }
+        const result = reference.passwordProtection
+            ? (
+                  await this._fetchPasswordProtectedItemWithRetry(
+                      async (password) => await services.transportServices.account.loadItemFromTruncatedReference({ reference: reference.truncate(), password }),
+                      reference.passwordProtection
+                  )
+              ).result
+            : await services.transportServices.account.loadItemFromTruncatedReference({ reference: reference.truncate(), password: existingPassword });
 
-        const result = await services.transportServices.account.loadItemFromTruncatedReference({ reference: reference.truncate(), password: password });
         if (result.isError) return UserfriendlyResult.fail(UserfriendlyApplicationError.fromError(result.error));
 
         switch (result.value.type) {
@@ -164,14 +158,34 @@ export class AppStringProcessor {
         }
     }
 
-    private async enterPassword(passwordProtection: SharedPasswordProtection): Promise<Result<string>> {
+    private async _fetchPasswordProtectedItemWithRetry<T>(
+        fetchFunction: (password: string) => Promise<Result<T>>,
+        passwordProtection: SharedPasswordProtection
+    ): Promise<{ result: Result<T>; password?: string }> {
+        let iteration = 1;
+
         const uiBridge = await this.runtime.uiBridge();
-        const passwordResult = await uiBridge.enterPassword(
-            passwordProtection.passwordType === "pw" ? "pw" : "pin",
-            passwordProtection.passwordType.startsWith("pin") ? parseInt(passwordProtection.passwordType.substring(3)) : undefined
-        );
 
-        return passwordResult;
+        // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition, no-constant-condition
+        while (true) {
+            const passwordResult = await uiBridge.enterPassword(
+                passwordProtection.passwordType === "pw" ? "pw" : "pin",
+                passwordProtection.passwordType.startsWith("pin") ? parseInt(passwordProtection.passwordType.substring(3)) : undefined,
+                iteration
+            );
+            if (passwordResult.isError) {
+                return { result: UserfriendlyResult.fail(new UserfriendlyApplicationError("error.appStringProcessor.passwordNotProvided", "No password was provided.")) };
+            }
+
+            const password = passwordResult.value;
+
+            const result = await fetchFunction(password);
+            iteration++;
+
+            if (result.isSuccess) return { result, password };
+            if (result.isError && result.error.code === "error.runtime.recordNotFound") continue;
+            return { result };
+        }
     }
 
     private async selectAccount(forIdentityTruncated?: string): Promise<UserfriendlyResult<LocalAccountDTO | undefined>> {

packages/app-runtime/src/extensibility/ui/IUIBridge.ts

@@ -11,5 +11,5 @@ export interface IUIBridge {
     showRequest(account: LocalAccountDTO, request: LocalRequestDVO): Promise<Result<void>>;
     showError(error: UserfriendlyApplicationError, account?: LocalAccountDTO): Promise<Result<void>>;
     requestAccountSelection(possibleAccounts: LocalAccountDTO[], title?: string, description?: string): Promise<Result<LocalAccountDTO | undefined>>;
-    enterPassword(passwordType: "pw" | "pin", pinLength?: number): Promise<Result<string>>;
+    enterPassword(passwordType: "pw" | "pin", pinLength?: number, iteration?: number): Promise<Result<string>>;
 }

packages/app-runtime/test/lib/MockUIBridge.matchers.ts

@@ -67,7 +67,7 @@ expect.extend({
 
         return { pass: true, message: () => "" };
     },
-    enterPasswordCalled(mockUIBridge: unknown, passwordType: "pw" | "pin", pinLength?: number) {
+    enterPasswordCalled(mockUIBridge: unknown, passwordType: "pw" | "pin", pinLength?: number, iteration?: number) {
         if (!(mockUIBridge instanceof MockUIBridge)) {
             throw new Error("This method can only be used with expect(MockUIBridge).");
         }
@@ -77,12 +77,13 @@ expect.extend({
             return { pass: false, message: () => "The method enterPassword was not called." };
         }
 
-        const matchingCalls = calls.filter((x) => x.passwordType === passwordType && x.pinLength === pinLength);
+        const matchingCalls = calls.filter((x) => x.passwordType === passwordType && x.pinLength === pinLength && x.iteration === (iteration ?? 1));
         if (matchingCalls.length === 0) {
             const parameters = calls
                 .map((e) => {
-                    return { passwordType: e.passwordType, pinLength: e.pinLength };
+                    return { passwordType: e.passwordType, pinLength: e.pinLength, iteration: e.iteration };
                 })
+                .map((e) => JSON.stringify(e))
                 .join(", ");
 
             return {
@@ -115,7 +116,7 @@ declare global {
             showDeviceOnboardingNotCalled(): R;
             requestAccountSelectionCalled(possibleAccountsLength: number): R;
             requestAccountSelectionNotCalled(): R;
-            enterPasswordCalled(passwordType: "pw" | "pin", pinLength?: number): R;
+            enterPasswordCalled(passwordType: "pw" | "pin", pinLength?: number, iteration?: number): R;
             enterPasswordNotCalled(): R;
         }
     }

packages/app-runtime/test/lib/MockUIBridge.ts

@@ -10,17 +10,17 @@ export type MockUIBridgeCall =
     | { method: "showRequest"; account: LocalAccountDTO; request: LocalRequestDVO }
     | { method: "showError"; error: UserfriendlyApplicationError; account?: LocalAccountDTO }
     | { method: "requestAccountSelection"; possibleAccounts: LocalAccountDTO[]; title?: string; description?: string }
-    | { method: "enterPassword"; passwordType: "pw" | "pin"; pinLength?: number };
+    | { method: "enterPassword"; passwordType: "pw" | "pin"; pinLength?: number; iteration?: number };
 
 export class MockUIBridge implements IUIBridge {
     private _accountIdToReturn: string | undefined;
     public set accountIdToReturn(value: string | undefined) {
         this._accountIdToReturn = value;
     }
 
-    private _passwordToReturn: string | undefined;
-    public set passwordToReturn(value: string | undefined) {
-        this._passwordToReturn = value;
+    private _passwordToReturnForIteration: Record<number, string> = {};
+    public setPasswordToReturnForIteration(iteration: number, password: string): void {
+        this._passwordToReturnForIteration[iteration] = password;
     }
 
     private _calls: MockUIBridgeCall[] = [];
@@ -29,8 +29,8 @@ export class MockUIBridge implements IUIBridge {
     }
 
     public reset(): void {
-        this._passwordToReturn = undefined;
         this._accountIdToReturn = undefined;
+        this._passwordToReturnForIteration = {};
 
         this._calls = [];
     }
@@ -82,11 +82,12 @@ export class MockUIBridge implements IUIBridge {
         return Promise.resolve(Result.ok(foundAccount));
     }
 
-    public enterPassword(passwordType: "pw" | "pin", pinLength?: number): Promise<Result<string>> {
-        this._calls.push({ method: "enterPassword", passwordType, pinLength });
+    public enterPassword(passwordType: "pw" | "pin", pinLength?: number, iteration?: number): Promise<Result<string>> {
+        this._calls.push({ method: "enterPassword", passwordType, pinLength, iteration });
 
-        if (!this._passwordToReturn) return Promise.resolve(Result.fail(new ApplicationError("code", "message")));
+        const password = this._passwordToReturnForIteration[iteration ?? 1];
+        if (!password) return Promise.resolve(Result.fail(new ApplicationError("code", "message")));
 
-        return Promise.resolve(Result.ok(this._passwordToReturn));
+        return Promise.resolve(Result.ok(password));
     }
 }

packages/app-runtime/test/runtime/AppStringProcessor.test.ts

@@ -96,7 +96,7 @@ describe("AppStringProcessor", function () {
             passwordProtection: { password: "password" }
         });
 
-        mockUiBridge.passwordToReturn = "password";
+        mockUiBridge.setPasswordToReturnForIteration(1, "password");
         mockUiBridge.accountIdToReturn = runtime2SessionA.account.id;
 
         const result = await runtime2.stringProcessor.processTruncatedReference(templateResult.value.truncatedReference);
@@ -116,7 +116,7 @@ describe("AppStringProcessor", function () {
             passwordProtection: { password: "000000", passwordIsPin: true }
         });
 
-        mockUiBridge.passwordToReturn = "000000";
+        mockUiBridge.setPasswordToReturnForIteration(1, "000000");
         mockUiBridge.accountIdToReturn = runtime2SessionA.account.id;
 
         const result = await runtime2.stringProcessor.processTruncatedReference(templateResult.value.truncatedReference);
@@ -137,7 +137,7 @@ describe("AppStringProcessor", function () {
             forIdentity: runtime2SessionA.account.address!
         });
 
-        mockUiBridge.passwordToReturn = "password";
+        mockUiBridge.setPasswordToReturnForIteration(1, "password");
 
         const result = await runtime2.stringProcessor.processTruncatedReference(templateResult.value.truncatedReference);
         expect(result).toBeSuccessful();
@@ -157,7 +157,7 @@ describe("AppStringProcessor", function () {
             forIdentity: runtime2SessionA.account.address!
         });
 
-        mockUiBridge.passwordToReturn = "000000";
+        mockUiBridge.setPasswordToReturnForIteration(1, "000000");
 
         const result = await runtime2.stringProcessor.processTruncatedReference(templateResult.value.truncatedReference);
         expect(result).toBeSuccessful();
@@ -169,6 +169,29 @@ describe("AppStringProcessor", function () {
         expect(mockUiBridge).requestAccountSelectionNotCalled();
     });
 
+    test("should retry for a wrong password when handling a password protected RelationshipTemplate", async function () {
+        const templateResult = await runtime1Session.transportServices.relationshipTemplates.createOwnRelationshipTemplate({
+            content: templateContent,
+            expiresAt: CoreDate.utc().add({ days: 1 }).toISOString(),
+            passwordProtection: { password: "password" }
+        });
+
+        mockUiBridge.setPasswordToReturnForIteration(1, "wrongPassword");
+        mockUiBridge.setPasswordToReturnForIteration(2, "password");
+
+        mockUiBridge.accountIdToReturn = runtime2SessionA.account.id;
+
+        const result = await runtime2.stringProcessor.processTruncatedReference(templateResult.value.truncatedReference);
+        expect(result).toBeSuccessful();
+        expect(result.value).toBeUndefined();
+
+        await expect(eventBus).toHavePublished(PeerRelationshipTemplateLoadedEvent);
+
+        expect(mockUiBridge).enterPasswordCalled("pw", undefined, 1);
+        expect(mockUiBridge).enterPasswordCalled("pw", undefined, 2);
+        expect(mockUiBridge).requestAccountSelectionCalled(2);
+    });
+
     describe("onboarding", function () {
         let runtime3: AppRuntime;
         const runtime3MockUiBridge = new MockUIBridge();
@@ -187,7 +210,7 @@ describe("AppStringProcessor", function () {
                 passwordProtection: { password: "password" }
             });
 
-            mockUiBridge.passwordToReturn = "password";
+            mockUiBridge.setPasswordToReturnForIteration(1, "password");
 
             const result = await runtime2.stringProcessor.processTruncatedReference(tokenResult.value.truncatedReference);
             expect(result).toBeSuccessful();