2 files changed, 14 insertions, 3 deletions

diff --git a/settings.cpp b/settings.cpp
index 68914642..ac9c091c 100644
--- a/settings.cpp
+++ b/settings.cpp
@@ -1,7 +1,8 @@
 #include "settings.h"

 

+#include "logging.h"

+

 #include <QtCore/QUrl>

-#include <QtCore/QDebug>

 

 using namespace QMatrixClient;

 

@@ -19,6 +20,8 @@ void Settings::setValue(const QString& key, const QVariant& value)
 {

 //    qCDebug() << "Setting" << key << "to" << value;

     QSettings::setValue(key, value);

+    if (legacySettings.contains(key))

+        legacySettings.remove(key);

 }

 

 QVariant Settings::value(const QString& key, const QVariant& defaultValue) const

@@ -133,10 +136,14 @@ QString AccountSettings::accessToken() const
 

 void AccountSettings::setAccessToken(const QString& accessToken)

 {

+    qCWarning(MAIN) << "Saving access_token to QSettings is insecure."

+                       " Developers, please save access_token separately.";

     setValue("access_token", accessToken);

 }

 

 void AccountSettings::clearAccessToken()

 {

+    legacySettings.remove("access_token");

+    legacySettings.remove("device_id"); // Force the server to re-issue it

     remove("access_token");

 }

diff --git a/settings.h b/settings.h
index ab3aae8b..36e29cf1 100644
--- a/settings.h
+++ b/settings.h
@@ -59,8 +59,8 @@ namespace QMatrixClient
             static QString legacyApplicationName;

 

         protected:

-            const QSettings legacySettings { legacyOrganizationName,

-                                             legacyApplicationName };

+            QSettings legacySettings { legacyOrganizationName,

+                                       legacyApplicationName };

     };

 

     class SettingsGroup: public Settings

@@ -94,6 +94,7 @@ namespace QMatrixClient
             Q_PROPERTY(QString deviceName READ deviceName WRITE setDeviceName)

             Q_PROPERTY(QUrl homeserver READ homeserver WRITE setHomeserver)

             Q_PROPERTY(bool keepLoggedIn READ keepLoggedIn WRITE setKeepLoggedIn)

+            /** \deprecated \sa setToken */

             Q_PROPERTY(QString accessToken READ accessToken WRITE setAccessToken)

         public:

             template <typename... ArgTs>

@@ -115,7 +116,10 @@ namespace QMatrixClient
             bool keepLoggedIn() const;

             void setKeepLoggedIn(bool newSetting);

 

+            /** \deprecated \sa setToken */

             QString accessToken() const;

+            /** \deprecated Storing accessToken in QSettings is unsafe,

+             * see QMatrixClient/Quaternion#181 */

             void setAccessToken(const QString& accessToken);

             Q_INVOKABLE void clearAccessToken();

     };