Lifecycle management for Account objects reused accross websocket requests

service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAuthenticator.java

@@ -21,7 +21,6 @@ import org.apache.commons.lang3.StringUtils;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;
 import org.whispersystems.textsecuregcm.storage.Device;
-import org.whispersystems.textsecuregcm.storage.RefreshingAccountAndDeviceSupplier;
 import org.whispersystems.textsecuregcm.util.Pair;
 import org.whispersystems.textsecuregcm.util.Util;
 
@@ -108,8 +107,7 @@ public class AccountAuthenticator implements Authenticator<BasicCredentials, Aut
               device.get(),
               SaltedTokenHash.generateFor(basicCredentials.getPassword()));  // new credentials have current version
         }
-        return Optional.of(new AuthenticatedAccount(
-            new RefreshingAccountAndDeviceSupplier(authenticatedAccount, device.get().getId(), accountsManager)));
+        return Optional.of(new AuthenticatedAccount(authenticatedAccount, device.get()));
       }
 
       return Optional.empty();

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthEnablementRefreshRequirementProvider.java

@@ -5,7 +5,6 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
-import com.google.common.annotations.VisibleForTesting;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
@@ -45,10 +44,6 @@ public class AuthEnablementRefreshRequirementProvider implements WebsocketRefres
     this.accountsManager = accountsManager;
   }
 
-  @VisibleForTesting
-  static Map<Byte, Boolean> buildDevicesEnabledMap(final Account account) {
-    return account.getDevices().stream().collect(Collectors.toMap(Device::getId, Device::isEnabled));
-  }
 
   @Override
   public void handleRequestFiltered(final RequestEvent requestEvent) {
@@ -60,10 +55,13 @@ public class AuthEnablementRefreshRequirementProvider implements WebsocketRefres
           setAccount(requestEvent.getContainerRequest(), account));
     }
   }
-
   public static void setAccount(final ContainerRequest containerRequest, final Account account) {
-    containerRequest.setProperty(ACCOUNT_UUID, account.getUuid());
-    containerRequest.setProperty(DEVICES_ENABLED, buildDevicesEnabledMap(account));
+    setAccount(containerRequest, ContainerRequestUtil.AccountInfo.fromAccount(account));
+  }
+
+  private static void setAccount(final ContainerRequest containerRequest, final ContainerRequestUtil.AccountInfo info) {
+    containerRequest.setProperty(ACCOUNT_UUID, info.accountId());
+    containerRequest.setProperty(DEVICES_ENABLED, info.devicesEnabled());
   }
 
   @Override
@@ -75,25 +73,28 @@ public class AuthEnablementRefreshRequirementProvider implements WebsocketRefres
       @SuppressWarnings("unchecked") final Map<Byte, Boolean> initialDevicesEnabled =
           (Map<Byte, Boolean>) requestEvent.getContainerRequest().getProperty(DEVICES_ENABLED);
 
-      return accountsManager.getByAccountIdentifier((UUID) requestEvent.getContainerRequest().getProperty(ACCOUNT_UUID)).map(account -> {
-        final Set<Byte> deviceIdsToDisplace;
-        final Map<Byte, Boolean> currentDevicesEnabled = buildDevicesEnabledMap(account);
+      return accountsManager.getByAccountIdentifier((UUID) requestEvent.getContainerRequest().getProperty(ACCOUNT_UUID))
+          .map(ContainerRequestUtil.AccountInfo::fromAccount)
+          .map(account -> {
+            final Set<Byte> deviceIdsToDisplace;
+            final Map<Byte, Boolean> currentDevicesEnabled = account.devicesEnabled();
 
-        if (!initialDevicesEnabled.equals(currentDevicesEnabled)) {
-          deviceIdsToDisplace = new HashSet<>(initialDevicesEnabled.keySet());
-          deviceIdsToDisplace.addAll(currentDevicesEnabled.keySet());
-        } else {
-          deviceIdsToDisplace = Collections.emptySet();
-        }
+            if (!initialDevicesEnabled.equals(currentDevicesEnabled)) {
+              deviceIdsToDisplace = new HashSet<>(initialDevicesEnabled.keySet());
+              deviceIdsToDisplace.addAll(currentDevicesEnabled.keySet());
+            } else {
+              deviceIdsToDisplace = Collections.emptySet();
+            }
 
-        return deviceIdsToDisplace.stream()
-            .map(deviceId -> new Pair<>(account.getUuid(), deviceId))
-            .collect(Collectors.toList());
-      }).orElseGet(() -> {
-        logger.error("Request had account, but it is no longer present");
-        return Collections.emptyList();
-      });
-    } else
+            return deviceIdsToDisplace.stream()
+                .map(deviceId -> new Pair<>(account.accountId(), deviceId))
+                .collect(Collectors.toList());
+          }).orElseGet(() -> {
+            logger.error("Request had account, but it is no longer present");
+            return Collections.emptyList();
+          });
+    } else {
       return Collections.emptyList();
+    }
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticatedAccount.java

@@ -10,24 +10,24 @@ import java.util.function.Supplier;
 import javax.security.auth.Subject;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.Device;
-import org.whispersystems.textsecuregcm.util.Pair;
 
 public class AuthenticatedAccount implements Principal, AccountAndAuthenticatedDeviceHolder {
+  private final Account account;
+  private final Device device;
 
-  private final Supplier<Pair<Account, Device>> accountAndDevice;
-
-  public AuthenticatedAccount(final Supplier<Pair<Account, Device>> accountAndDevice) {
-    this.accountAndDevice = accountAndDevice;
+ public AuthenticatedAccount(final Account account, final Device device) {
+    this.account = account;
+    this.device = device;
   }
 
   @Override
   public Account getAccount() {
-    return accountAndDevice.get().first();
+    return account;
   }
 
   @Override
   public Device getAuthenticatedDevice() {
-    return accountAndDevice.get().second();
+    return device;
   }
 
   // Principal implementation

service/src/main/java/org/whispersystems/textsecuregcm/auth/ChangesPhoneNumber.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2024 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Indicates that an endpoint changes the phone number and PNI keys associated with an account, and that
+ * any websockets associated with the account may need to be refreshed after a call to that endpoint.
+ */
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface ChangesPhoneNumber {
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/ContainerRequestUtil.java

@@ -7,15 +7,42 @@ package org.whispersystems.textsecuregcm.auth;
 
 import org.glassfish.jersey.server.ContainerRequest;
 import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
 import javax.ws.rs.core.SecurityContext;
+import java.util.Map;
 import java.util.Optional;
+import java.util.UUID;
+import java.util.stream.Collectors;
 
 class ContainerRequestUtil {
 
-  static Optional<Account> getAuthenticatedAccount(final ContainerRequest request) {
+  private static Map<Byte, Boolean> buildDevicesEnabledMap(final Account account) {
+    return account.getDevices().stream().collect(Collectors.toMap(Device::getId, Device::isEnabled));
+  }
+
+  /**
+   * A read-only subset of the authenticated Account object, to enforce that filter-based consumers do not perform
+   * account modifying operations.
+   */
+  record AccountInfo(UUID accountId, String e164, Map<Byte, Boolean> devicesEnabled) {
+
+    static AccountInfo fromAccount(final Account account) {
+      return new AccountInfo(
+          account.getUuid(),
+          account.getNumber(),
+          buildDevicesEnabledMap(account));
+    }
+  }
+
+  static Optional<AccountInfo> getAuthenticatedAccount(final ContainerRequest request) {
     return Optional.ofNullable(request.getSecurityContext())
         .map(SecurityContext::getUserPrincipal)
-        .map(principal -> principal instanceof AccountAndAuthenticatedDeviceHolder
-            ? ((AccountAndAuthenticatedDeviceHolder) principal).getAccount() : null);
+        .map(principal -> {
+          if (principal instanceof AccountAndAuthenticatedDeviceHolder aaadh) {
+            return aaadh.getAccount();
+          }
+          return null;
+        })
+        .map(AccountInfo::fromAccount);
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/PhoneNumberChangeRefreshRequirementProvider.java

@@ -7,40 +7,50 @@ package org.whispersystems.textsecuregcm.auth;
 
 import java.util.Collections;
 import java.util.List;
-import java.util.Optional;
 import java.util.UUID;
 import java.util.stream.Collectors;
 import org.glassfish.jersey.server.monitoring.RequestEvent;
-import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
 import org.whispersystems.textsecuregcm.util.Pair;
 
 public class PhoneNumberChangeRefreshRequirementProvider implements WebsocketRefreshRequirementProvider {
 
+  private static final String ACCOUNT_UUID =
+      PhoneNumberChangeRefreshRequirementProvider.class.getName() + ".accountUuid";
+
   private static final String INITIAL_NUMBER_KEY =
       PhoneNumberChangeRefreshRequirementProvider.class.getName() + ".initialNumber";
+  private final AccountsManager accountsManager;
+
+  public PhoneNumberChangeRefreshRequirementProvider(final AccountsManager accountsManager) {
+    this.accountsManager = accountsManager;
+  }
 
   @Override
   public void handleRequestFiltered(final RequestEvent requestEvent) {
+    if (requestEvent.getUriInfo().getMatchedResourceMethod().getInvocable().getHandlingMethod()
+        .getAnnotation(ChangesPhoneNumber.class) == null) {
+      return;
+    }
     ContainerRequestUtil.getAuthenticatedAccount(requestEvent.getContainerRequest())
-        .ifPresent(account -> requestEvent.getContainerRequest().setProperty(INITIAL_NUMBER_KEY, account.getNumber()));
+        .ifPresent(account -> {
+          requestEvent.getContainerRequest().setProperty(INITIAL_NUMBER_KEY, account.e164());
+          requestEvent.getContainerRequest().setProperty(ACCOUNT_UUID, account.accountId());
+        });
   }
 
   @Override
   public List<Pair<UUID, Byte>> handleRequestFinished(final RequestEvent requestEvent) {
     final String initialNumber = (String) requestEvent.getContainerRequest().getProperty(INITIAL_NUMBER_KEY);
 
-    if (initialNumber != null) {
-      final Optional<Account> maybeAuthenticatedAccount =
-          ContainerRequestUtil.getAuthenticatedAccount(requestEvent.getContainerRequest());
-
-      return maybeAuthenticatedAccount
-          .filter(account -> !initialNumber.equals(account.getNumber()))
-          .map(account -> account.getDevices().stream()
-              .map(device -> new Pair<>(account.getUuid(), device.getId()))
-              .collect(Collectors.toList()))
-          .orElse(Collections.emptyList());
-    } else {
+    if (initialNumber == null) {
       return Collections.emptyList();
     }
+    return accountsManager.getByAccountIdentifier((UUID) requestEvent.getContainerRequest().getProperty(ACCOUNT_UUID))
+        .filter(account -> !initialNumber.equals(account.getNumber()))
+        .map(account -> account.getDevices().stream()
+            .map(device -> new Pair<>(account.getUuid(), device.getId()))
+            .collect(Collectors.toList()))
+        .orElse(Collections.emptyList());
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/WebsocketRefreshApplicationEventListener.java

@@ -24,7 +24,7 @@ public class WebsocketRefreshApplicationEventListener implements ApplicationEven
 
     this.websocketRefreshRequestEventListener = new WebsocketRefreshRequestEventListener(clientPresenceManager,
         new AuthEnablementRefreshRequirementProvider(accountsManager),
-        new PhoneNumberChangeRefreshRequirementProvider());
+        new PhoneNumberChangeRefreshRequirementProvider(accountsManager));
   }
 
   @Override