From a0eba40e90b030e8033ff3c59de4df0c5fc38479 Mon Sep 17 00:00:00 2001
From: Kitsune Ral <Kitsune-Ral@users.sf.net>
Date: Wed, 20 Dec 2017 19:42:37 +0900
Subject: Clean away legacy settings when possible

Otherwise they stick around when deleting actual settings (e.g. at logout).
---
 settings.cpp | 9 ++++++++-
 settings.h   | 8 ++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/settings.cpp b/settings.cpp
index 68914642..ac9c091c 100644
--- a/settings.cpp
+++ b/settings.cpp
@@ -1,7 +1,8 @@
 #include "settings.h"
 
+#include "logging.h"
+
 #include <QtCore/QUrl>
-#include <QtCore/QDebug>
 
 using namespace QMatrixClient;
 
@@ -19,6 +20,8 @@ void Settings::setValue(const QString& key, const QVariant& value)
 {
 //    qCDebug() << "Setting" << key << "to" << value;
     QSettings::setValue(key, value);
+    if (legacySettings.contains(key))
+        legacySettings.remove(key);
 }
 
 QVariant Settings::value(const QString& key, const QVariant& defaultValue) const
@@ -133,10 +136,14 @@ QString AccountSettings::accessToken() const
 
 void AccountSettings::setAccessToken(const QString& accessToken)
 {
+    qCWarning(MAIN) << "Saving access_token to QSettings is insecure."
+                       " Developers, please save access_token separately.";
     setValue("access_token", accessToken);
 }
 
 void AccountSettings::clearAccessToken()
 {
+    legacySettings.remove("access_token");
+    legacySettings.remove("device_id"); // Force the server to re-issue it
     remove("access_token");
 }
diff --git a/settings.h b/settings.h
index ab3aae8b..36e29cf1 100644
--- a/settings.h
+++ b/settings.h
@@ -59,8 +59,8 @@ namespace QMatrixClient
             static QString legacyApplicationName;
 
         protected:
-            const QSettings legacySettings { legacyOrganizationName,
-                                             legacyApplicationName };
+            QSettings legacySettings { legacyOrganizationName,
+                                       legacyApplicationName };
     };
 
     class SettingsGroup: public Settings
@@ -94,6 +94,7 @@ namespace QMatrixClient
             Q_PROPERTY(QString deviceName READ deviceName WRITE setDeviceName)
             Q_PROPERTY(QUrl homeserver READ homeserver WRITE setHomeserver)
             Q_PROPERTY(bool keepLoggedIn READ keepLoggedIn WRITE setKeepLoggedIn)
+            /** \deprecated \sa setToken */
             Q_PROPERTY(QString accessToken READ accessToken WRITE setAccessToken)
         public:
             template <typename... ArgTs>
@@ -115,7 +116,10 @@ namespace QMatrixClient
             bool keepLoggedIn() const;
             void setKeepLoggedIn(bool newSetting);
 
+            /** \deprecated \sa setToken */
             QString accessToken() const;
+            /** \deprecated Storing accessToken in QSettings is unsafe,
+             * see QMatrixClient/Quaternion#181 */
             void setAccessToken(const QString& accessToken);
             Q_INVOKABLE void clearAccessToken();
     };
-- 
cgit v1.2.3