Deleting a Sqrl Identity with the Android App doesn't work


Sqrirrlerin

Member
Jun 19, 2019
8
0
Hello!

I tried to delete a sqrl identity on a server with the Android app. Unfortunately this did not work.

I have logged the Sqrl protocol data in my Server App. You can see that the Sqrl client first sends the DISABLE command to the server. Then the account is disabled. Then the Sqrl client sends the REMOVE command but this doesn’t work because the Sqrl Account is disabled.

I have also tried to delete my account here in the forum. The Sqrl Client shows a message that the account has been deleted. But if you try to log in again, you get the message that the account is disabled.

Thanks in advance for an answer!
 

ahauser

Well-known member
Feb 22, 2019
222
57
Hi @Sqrirrlerin,

looking at the Android app's code for the remove functionality, what you describe is exactly what it's supposed to be doing:
First it posts a query with the suk flag set, then it disables/locks the account, and finally it removes it:

Java:
private void configureCommFlowHandlerRemoveAccount(SQRLStorage storage) {
    if(communicationFlowHandler.isUrlBasedLogin()) {
        communicationFlowHandler.addAction(CommunicationFlowHandler.Action.QUERY_WITH_SUK);
        communicationFlowHandler.addAction(CommunicationFlowHandler.Action.LOCK_ACCOUNT_CPS);
        communicationFlowHandler.addAction(CommunicationFlowHandler.Action.REMOVE_ACCOUNT_CPS);
    }
    // etc etc ...
}

I think I may also have found the reason why @kalaspuffar has implemented this feature this way:
Quoting from the "SQRL On The Wire" docs regarding the "suk" (Server Unlock Key):

... there are instances where the client may know that it is going to need the stored SUK from the server, such as when it wishes to remove a non-disabled account. The client could first disable the account to induce the server to return the SUK, but it's simpler for the client to request the SUK from the server whenever it wants it.
Reading that in the official documentation would suggest that doing it that way should be legit, and that the server should support it.
I also remember successfully testing the remove functionality of the Android client on GRC's sqrl demo site at https://www.grc.com/sqrl/demo.htm, which unfortunately is offline atm.
 

ahauser

Following up on my post above, where I only tried to reason about why the "remove" functionality was implemented in a certain way, I personally would rather get rid of the "disable" step, since it really shouldn't be necessary.
 

Sqrirrlerin

Hello!
I've had another look at the problem with the deletion. It should actually work despite the DISABLE command. I noticed that no signature (Unlock Request Signature) is sent with the DELETE command. Is that possible?
Best regards
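
A diagnostic for the observation above, added here as an example and not part of the original post or of the Android client's code: it decodes logged SQRL POST bodies and flags an enable or remove request that arrives without a urs parameter. It assumes the log holds the raw form-encoded body with client, server, ids and urs parameters; the helper names and sample values are constructed, and the check covers presence only, not signature validity.

```python
import base64
from urllib.parse import parse_qs

# Commands that must be accompanied by an Unlock Request Signature (urs).
URS_REQUIRED = {"enable", "remove"}

def b64url_decode(value):
    # SQRL strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def inspect_request(post_body):
    """Decode one logged SQRL POST body and report what the client sent."""
    params = {k: v[0] for k, v in parse_qs(post_body).items()}
    client_text = b64url_decode(params["client"]).decode("utf-8")
    # The client parameter is a list of name=value lines separated by CRLF.
    fields = dict(l.split("=", 1) for l in client_text.splitlines() if "=" in l)
    cmd = fields.get("cmd", "")
    has_urs = "urs" in params
    return {
        "cmd": cmd,
        "opt": [o for o in fields.get("opt", "").split("~") if o],
        "has_ids": "ids" in params,
        "has_urs": has_urs,
        "urs_missing": cmd in URS_REQUIRED and not has_urs,
    }

def audit_flow(post_bodies):
    """Return the commands in a logged exchange that lack a required urs."""
    reports = [inspect_request(b) for b in post_bodies]
    return [r["cmd"] for r in reports if r["urs_missing"]]

def make_sample(cmd, opt, with_urs):
    # Constructed request: key and signature bytes are dummies, not real values.
    client = f"ver=1\r\ncmd={cmd}\r\nidk={b64url_encode(b'I' * 32)}\r\nopt={opt}\r\n"
    body = (f"client={b64url_encode(client.encode())}"
            f"&server={b64url_encode(b'constructed-server-value')}"
            f"&ids={b64url_encode(b'S' * 64)}")
    return body + ("&urs=" + b64url_encode(b"U" * 64) if with_urs else "")

if __name__ == "__main__":
    # Query, disable, remove: the sequence described in this thread.
    flow = [make_sample("query", "suk", False),
            make_sample("disable", "cps", False),
            make_sample("remove", "cps", False)]
    for body in flow:
        print(inspect_request(body))
    print("missing urs:", audit_flow(flow))
```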
 

ahauser

... the original demo is now back online.
Thanks @Jeffa, that's great news!

I'm pretty busy these days, but I'll try to find some time to re-test the "remove" feature of the Android client as soon as time permits.