"Allow key storage" fails silently if backup on server is not trusted (or another error occurs)

[richvdh]

Steps to reproduce

1. Have an account where there is a key backup on the server, but it is not signed by the cross-signing key, and the (public) backup encryption key does not match the (private) backup decryption key. For example, do the following:

    curl -H "Authorization: Bearer $token" http://localhost:8008/_matrix/client/v3/room_keys/version -d '{"auth_data": {"public_key":"mJQm88HRj9aJh6pvRk05bh7vNyHmJ/nr7vlfK68z3z0","signatures":{}}, "algorithm":"m.megolm_backup.v1.curve25519-aes-sha2"}'
   

2. Open Element-web; go to Settings -> Encryption. Observe:
   
3. Click the "Allow key storage" toggle

Outcome

What did you expect?

Key storage is enabled. Or at least an error dialog, maybe?

What happened instead?

Brief spinner, then toggle is disabled again.

Application version

Element version: 1.11.99-dev Crypto version: Rust SDK 0.10.0 (3cc301d), Vodozemac 0.9.0

Workarounds

There isn't really a sensible workaround.

You could delete the broken key backup version with a request to DELETE /_matrix/client/v3/room_keys/version/{version}, but that's hardly user-friendly.

Or you could do "Reset cryptographic identity", but that will mean other users will see "Bob's identity has changed!" warnings.

[richvdh]

From the logs:

16:41:55.398 Checking key backup status...
16:41:55.404 FetchHttpApi: --> GET http://localhost:8008/_matrix/client/v3/room_keys/version
16:41:55.426 FetchHttpApi: <-- GET http://localhost:8008/_matrix/client/v3/room_keys/version [23ms 200]
16:41:55.433 Key backup present on server but not trusted: not enabling key backup

[richvdh]

Other errors (e.g. cannot parse the public_key in the /version response) are also swallowed.

[andybalaam]

This rageshake shows a user getting into a "server backup not trusted" state.