feat(#1908): inproved generate matrix access token

evgenibir · evgenibir · commit a52ce970714f · 2026-01-27T20:30:18.000+03:00
diff --git a/apps/web/src/app/api/matrix/token/route.ts b/apps/web/src/app/api/matrix/token/route.ts
@@ -2,9 +2,13 @@ import {
   createMatrixUserLinkAction,
   decryptMatrixToken,
   determineEnvironment,
+  Environment,
   getDecoratedPrivyId,
   getLinkByPrivyUserId,
   MatrixSharedSecret,
+  MatrixUserLink,
+  updateEncryptedAccessTokenAction,
+  updateMatrixUserLink,
 } from '@hypha-platform/core/server';
 import { PrivyClient } from '@privy-io/server-auth';
 import { NextRequest, NextResponse } from 'next/server';
@@ -14,6 +18,7 @@ const PRIVY_APP_SECRET = process.env.PRIVY_APP_SECRET ?? '';
 const MATRIX_HOMESERVER_URL =
   process.env.NEXT_PUBLIC_MATRIX_HOMESERVER_URL ?? '';
 const DEFAULT_ROOM_ID = process.env.DEFAULT_ROOM_ID ?? '';
+const ADMIN_SUFFIX = 'hypha_admin';
 
 export async function GET(request: NextRequest) {
   const authHeader = request.headers.get('Authorization');
@@ -31,6 +36,35 @@ export async function GET(request: NextRequest) {
   const privy = new PrivyClient(PRIVY_APP_ID, PRIVY_APP_SECRET);
   const matrixAuthClient = new MatrixSharedSecret();
 
+  const getAdminRecord = async (
+    adminUsername: string,
+    environment: Environment,
+    authToken: string,
+  ) => {
+    const record = await getLinkByPrivyUserId({
+      privyUserId: adminUsername,
+      environment,
+    });
+    if (record) {
+      return record;
+    }
+    const {
+      accessToken: encryptedAccessToken,
+      deviceId,
+      userId: matrixUserId,
+    } = await matrixAuthClient.registerUser(adminUsername, true);
+    return (await createMatrixUserLinkAction(
+      {
+        environment,
+        encryptedAccessToken,
+        deviceId,
+        matrixUserId,
+        privyUserId: adminUsername,
+      },
+      { authToken },
+    )) as MatrixUserLink;
+  };
+
   try {
     const authToken = authHeader.replace('Bearer ', '');
     const { userId: privyUserId } = await privy.verifyAuthToken(authToken);
@@ -51,7 +85,63 @@ export async function GET(request: NextRequest) {
           },
         });
       } else {
-        //TODO: update access token
+        const adminMatrixUsername = getDecoratedPrivyId(
+          ADMIN_SUFFIX,
+          environment,
+        );
+        const admin = await getAdminRecord(
+          adminMatrixUsername,
+          environment,
+          authToken,
+        );
+        if (admin) {
+          const adminAccessToken = decryptMatrixToken(
+            admin.encryptedAccessToken,
+          );
+          const { ok, password } = await matrixAuthClient.resetPassword(
+            existing.matrixUserId,
+            adminAccessToken,
+          );
+          if (ok) {
+            const {
+              accessToken: encryptedAccessToken,
+              deviceId,
+              userId: matrixUserId,
+            } = await matrixAuthClient.loginUser(
+              existing.matrixUserId,
+              password,
+            );
+
+            await updateEncryptedAccessTokenAction(
+              {
+                privyUserId,
+                environment,
+                encryptedAccessToken,
+              },
+              { authToken },
+            );
+
+            return NextResponse.json({
+              accessToken: decryptMatrixToken(encryptedAccessToken),
+              userId: matrixUserId,
+              homeserverUrl: MATRIX_HOMESERVER_URL,
+              deviceId,
+              elementConfig: {
+                // defaultRoomId: DEFAULT_ROOM_ID,
+                theme: 'dark',
+              },
+            });
+          }
+
+          return NextResponse.json(
+            {
+              error: 'Token generation failed',
+            },
+            {
+              status: 500,
+            },
+          );
+        }
       }
     }
 
@@ -62,6 +152,58 @@ export async function GET(request: NextRequest) {
       userId: matrixUserId,
     } = await matrixAuthClient.registerUser(matrixUsername);
 
+    if (!encryptedAccessToken) {
+      const adminMatrixUsername = getDecoratedPrivyId(
+        ADMIN_SUFFIX,
+        environment,
+      );
+      const admin = await getAdminRecord(
+        adminMatrixUsername,
+        environment,
+        authToken,
+      );
+      const adminAccessToken = decryptMatrixToken(admin.encryptedAccessToken);
+      const { ok, password } = await matrixAuthClient.resetPassword(
+        matrixUserId,
+        adminAccessToken,
+      );
+      if (ok) {
+        const {
+          accessToken: encryptedAccessToken,
+          deviceId,
+          userId,
+        } = await matrixAuthClient.loginUser(matrixUserId, password);
+
+        await updateEncryptedAccessTokenAction(
+          {
+            privyUserId,
+            environment,
+            encryptedAccessToken,
+          },
+          { authToken },
+        );
+
+        return NextResponse.json({
+          accessToken: decryptMatrixToken(encryptedAccessToken),
+          userId,
+          homeserverUrl: MATRIX_HOMESERVER_URL,
+          deviceId,
+          elementConfig: {
+            // defaultRoomId: DEFAULT_ROOM_ID,
+            theme: 'dark',
+          },
+        });
+      }
+      return NextResponse.json(
+        {
+          error: 'Token generation failed',
+        },
+        {
+          status: 500,
+        },
+      );
+    }
+
     await createMatrixUserLinkAction(
       {
         environment,
diff --git a/packages/core/src/coherence/lib/matrix-shared-secret.ts b/packages/core/src/coherence/lib/matrix-shared-secret.ts
@@ -1,5 +1,6 @@
 import crypto from 'node:crypto';
-import { encryptMatrixToken, hashHmacSha1Hex } from '../../server';
+import { hashHmacSha1Hex } from '../../common/server/encrypt-aes';
+import { encryptMatrixToken } from '../../common/server/encrypt-matrix-token';
 
 type VersionsResponse = {
   versions: Array<string>;
@@ -67,11 +68,10 @@ export class MatrixSharedSecret {
     return available.available;
   }
 
-  async registerUserNonce(username: string) {
+  async registerUserNonce(username: string, isAdmin: boolean = false) {
     const nonce = await this.getNonce();
     const endpoint = '/_synapse/admin/v1/register';
     const password = crypto.randomBytes(32).toString('hex');
-    const isAdmin = false;
     const admin = isAdmin ? 'admin' : 'notadmin';
     const text = `${nonce}\0${username}\0${password}\0${admin}`;
     const mac = hashHmacSha1Hex(text, this.registrationSharedSecret);
@@ -96,10 +96,25 @@ export class MatrixSharedSecret {
     return response;
   }
 
-  async registerUser(username: string): Promise<RegisterResponse> {
-    const response = await this.registerUserNonce(username);
+  async registerUser(
+    username: string,
+    isAdmin: boolean = false,
+  ): Promise<RegisterResponse> {
+    const response = await this.registerUserNonce(username, isAdmin);
     const data = await response.json();
 
+    if (!response.ok) {
+      console.warn('Cannot register user:', data);
+
+      if (data.errcode === 'M_USER_IN_USE') {
+        return {
+          accessToken: '',
+          userId: '',
+          deviceId: '',
+        };
+      }
+    }
+
     await this.changePassword(
       data.access_token,
       crypto.randomBytes(32).toString('hex'),
@@ -112,6 +127,29 @@ export class MatrixSharedSecret {
     };
   }
 
+  async resetPassword(username: string, adminAccessToken: string) {
+    const password = crypto.randomBytes(32).toString('hex');
+    const response = await fetch(
+      `${this.matrixHomeserverUrl}/_dendrite/admin/resetPassword/${username}`,
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${adminAccessToken}`,
+        },
+        body: JSON.stringify({
+          password,
+          logout_devices: true,
+        }),
+      },
+    );
+    const data = await response.json();
+    if (!response.ok) {
+      console.warn('Cannot reset password', data);
+    }
+    return { ok: data.password_updated, password };
+  }
+
   async removeUser(username: string) {
     const response = await fetch(
       `${this.matrixHomeserverUrl}/_dendrite/admin/deactivate/${username}`,
@@ -157,6 +195,37 @@ export class MatrixSharedSecret {
     }
   }
 
+  async loginUser(username: string, password: string) {
+    const version = await this.getEffectiveVersion();
+    const endpoint = `/_matrix/client/${version}/login`;
+
+    const response = await fetch(`${this.matrixHomeserverUrl}${endpoint}`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        identifier: {
+          type: 'm.id.user',
+          user: username,
+        },
+        initial_device_display_name: `device_${Date.now()}`,
+        password,
+        type: 'm.login.password',
+      }),
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      console.warn('Cannot login user', data);
+    }
+    console.log('Login data response:', data);
+    return {
+      accessToken: encryptMatrixToken(data.access_token),
+      userId: data.user_id,
+      deviceId: data.device_id,
+    };
+  }
+
   private async changePassword(accessToken: string, newPassword: string) {
     const version = await this.getEffectiveVersion();
     const endpoint = `/_matrix/client/${version}/account/password`;
@@ -173,5 +242,6 @@ export class MatrixSharedSecret {
       }),
     });
     const data = await response.json();
+    return data;
   }
 }
diff --git a/packages/core/src/matrix/server/actions.ts b/packages/core/src/matrix/server/actions.ts
@@ -3,9 +3,11 @@
 import { db } from '@hypha-platform/storage-postgres';
 import {
   CreateMatrixUserLinkInput,
+  GetMatrixUserLinkActionInput,
   UpdateEncryptedAccessTokenInput,
 } from '../types';
 import { createMatrixUserLink, updateMatrixUserLink } from './mutations';
+import { findLinkByPrivyUserId } from './queries';
 
 export async function createMatrixUserLinkAction(
   data: CreateMatrixUserLinkInput,
@@ -28,3 +30,13 @@ export async function updateEncryptedAccessTokenAction(
   }
   return await updateMatrixUserLink(data, { db });
 }
+
+export async function getMatrixUserLinkAction(
+  data: GetMatrixUserLinkActionInput,
+  { authToken }: { authToken?: string },
+) {
+  if (!authToken) {
+    throw new Error('authToken is required to get Matrix user link');
+  }
+  return await findLinkByPrivyUserId(data, { db });
+}
diff --git a/packages/core/src/matrix/server/queries.ts b/packages/core/src/matrix/server/queries.ts
@@ -1,6 +1,5 @@
 import { MatrixUserLink } from '@hypha-platform/storage-postgres';
 import { DbConfig } from '../../server';
-import { and } from 'drizzle-orm';
 
 export const findLinkByPrivyUserId = async (
   { privyUserId, environment }: { privyUserId: string; environment: string },
diff --git a/packages/core/src/matrix/types.ts b/packages/core/src/matrix/types.ts
@@ -24,6 +24,11 @@ export interface UpdateEncryptedAccessTokenInput {
   environment: string;
 }
 
+export interface GetMatrixUserLinkActionInput {
+  environment: string;
+  privyUserId: string;
+}
+
 export interface Message {
   id: string;
   sender: string;
diff --git a/packages/epics/src/coherence/components/chat-detail.tsx b/packages/epics/src/coherence/components/chat-detail.tsx
@@ -30,6 +30,7 @@ export const ChatDetail = ({
   const { updateCoherenceBySlug } = useCoherenceMutationsWeb2Rsc(authToken);
 
   React.useEffect(() => {
+    //TODO: improve compute views
     if (!conversation) {
       return;
     }

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ export const ChatDetail = ({`
`30`	`30`	`const { updateCoherenceBySlug } = useCoherenceMutationsWeb2Rsc(authToken);`
`31`	`31`
`32`	`32`	`React.useEffect(() => {`
	`33`	`+ //TODO: improve compute views`
`33`	`34`	`if (!conversation) {`
`34`	`35`	`return;`
`35`	`36`	`}`