matrix-js-sdk 41.4.0 → 41.5.0

package/package.json

@@ -1,13 +1,13 @@
 {
     "name": "matrix-js-sdk",
-    "version": "41.4.0",
+    "version": "41.5.0",
     "description": "Matrix Client-Server SDK for Javascript",
     "engines": {
         "node": ">=22.0.0"
     },
     "scripts": {
         "prepare": "pnpm build",
-        "start": "echo THIS IS FOR LEGACY PURPOSES ONLY. && babel --delete-dir-on-start src -w -s -d lib --verbose --extensions \".ts,.js\"",
+        "start": "concurrently 'pnpm run build:compile --watch' 'pnpm run build:types --watch'",
         "build": "pnpm build:compile && pnpm build:types",
         "build:types": "tsc -p tsconfig-build.json --emitDeclarationOnly",
         "build:compile": "babel --delete-dir-on-start -d lib --verbose --extensions \".ts,.js\" src",
@@ -48,7 +48,7 @@
     ],
     "dependencies": {
         "@babel/runtime": "^7.12.5",
-        "@matrix-org/matrix-sdk-crypto-wasm": "^18.1.0",
+        "@matrix-org/matrix-sdk-crypto-wasm": "^18.2.0",
         "another-json": "^0.2.0",
         "bs58": "^6.0.0",
         "content-type": "^1.0.4",
@@ -59,8 +59,7 @@
         "oidc-client-ts": "^3.0.1",
         "p-retry": "8",
         "sdp-transform": "^3.0.0",
-        "unhomoglyph": "^1.0.6",
-        "uuid": "13"
+        "unhomoglyph": "^1.0.6"
     },
     "devDependencies": {
         "@action-validator/cli": "^0.6.0",
@@ -91,6 +90,7 @@
         "@vitest/eslint-plugin": "^1.6.6",
         "@vitest/ui": "^4.0.17",
         "babel-plugin-search-and-replace": "^1.1.1",
+        "concurrently": "^9.2.1",
         "debug": "^4.3.4",
         "eslint": "8.57.1",
         "eslint-config-google": "^0.14.0",
@@ -132,8 +132,8 @@
             "flatted@<=3.4.1": "^3.4.2",
             "picomatch@>=4.0.0 <4.0.4": "^4.0.4",
             "yaml@>=2.0.0 <2.8.3": "^2.8.3",
-            "vite": "7.3.2"
+            "vite": "8.0.8"
         }
     },
-    "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
+    "packageManager": "pnpm@10.33.2+sha512.a90faf6feeab71ad6c6e57f94e0fe1a12f5dcc22cd754db40ae9593eb6a3e0b6b12e3540218bb37ae083404b1f2ce6db2a4121e979829b4aff94b99f49da1cf8"
 }

package/src/@types/json.ts

@@ -0,0 +1,16 @@
+/*
+Copyright 2024 New Vector Ltd.
+
+SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
+Please see LICENSE files in the repository root for full details.
+*/
+
+// Types for JSON and JSON objects, copied from element-web (left in both places as I don't think we
+// want this as a part of js-sdk's interface and I don't think it's worth it being its own package)
+
+export type JsonValue = null | string | number | boolean;
+export type JsonArray = Array<JsonValue | JsonObject | JsonArray>;
+export interface JsonObject {
+    [key: string]: JsonObject | JsonArray | JsonValue;
+}
+export type Json = JsonArray | JsonObject;

package/src/@types/requests.ts

@@ -40,10 +40,10 @@ export interface IJoinRoomOpts {
     viaServers?: string[];
 
     /**
-     * When accepting an invite, whether to accept encrypted history shared by the inviter via the experimental
-     * support for [MSC4268](https://github.com/matrix-org/matrix-spec-proposals/pull/4268).
+     * Previously, configured whether to accept encrypted history shared by the inviter. This is now always enabled,
+     * and the setting is only retained to avoid a breaking change to the API. It has no effect.
      *
-     * @experimental
+     * @deprecated
      */
     acceptSharedHistory?: boolean;
 }
@@ -56,13 +56,10 @@ export interface InviteOpts {
     reason?: string;
 
     /**
-     * Before sending the invite, if the room is encrypted, share the keys for any messages sent while the history
-     * visibility was `shared`, via the experimental
-     * support for [MSC4268](https://github.com/matrix-org/matrix-spec-proposals/pull/4268). If the room's current
-     * history visibility setting is neither `shared` nor `world_readable`, history sharing will be disabled to prevent
-     * exposing keys for messages sent prior to the visibility restriction.
+     * Previously, configured whether to send encrypted history if the visibility settings allow it.
+     * This is now always enabled, and the setting is only retained to avoid a breaking change to the API. It has no effect.
      *
-     * @experimental
+     * @deprecated
      */
     shareEncryptedHistory?: boolean;
 }

package/src/client.ts

@@ -78,7 +78,7 @@ import {
     type UploadOpts,
     type UploadResponse,
 } from "./http-api/index.ts";
-import { User, UserEvent, type UserEventHandlerMap } from "./models/user.ts";
+import { type SyncUserProfile, User, UserEvent, type UserEventHandlerMap } from "./models/user.ts";
 import { getHttpUriForMxc } from "./content-repo.ts";
 import { SearchResult } from "./models/search-result.ts";
 import { type IIdentityServerProvider } from "./@types/IIdentityServerProvider.ts";
@@ -539,6 +539,12 @@ export interface IStartClientOpts {
      * @experimental
      */
     slidingSync?: SlidingSync;
+
+    /**
+     * Include user profiles in sync responses.
+     * Will only work if the server supports MSC4429.
+     */
+    unstableMSC4429SyncUserProfileFields?: string[];
 }
 
 export interface IStoredClientOpts extends IStartClientOpts {}
@@ -1102,6 +1108,7 @@ export enum ClientEvent {
     ReceivedVoipEvent = "received_voip_event",
     TurnServers = "turnServers",
     TurnServersError = "turnServers.error",
+    UserProfileUpdate = "userProfileUpdate",
 }
 
 type RoomEvents =
@@ -1172,6 +1179,12 @@ export type ClientEventHandlerMap = {
     [ClientEvent.ReceivedVoipEvent]: (event: MatrixEvent) => void;
     [ClientEvent.TurnServers]: (servers: ITurnServer[]) => void;
     [ClientEvent.TurnServersError]: (error: Error, fatal: boolean) => void;
+    /**
+     *
+     * @param userId - the user ID of the profile which was updated
+     * @param profile - the updated profile information
+     */
+    [ClientEvent.UserProfileUpdate]: (userId: string, profile: Record<string, unknown> | null) => void;
 } & RoomEventHandlerMap &
     RoomStateEventHandlerMap &
     CryptoEventHandlerMap &
@@ -2428,7 +2441,7 @@ export class MatrixClient extends TypedEventEmitter<EmittedEvents, ClientEventHa
         const res = await this.http.authedRequest<{ room_id: string }>(Method.Post, path, queryParams, data);
 
         const roomId = res.room_id;
-        if (opts.acceptSharedHistory && inviter && this.cryptoBackend) {
+        if (inviter && this.cryptoBackend) {
             // Flag upfront that we are waiting for a key bundle, so that if we crash mid-import, we can try again.
             await this.cryptoBackend.markRoomAsPendingKeyBundle(roomId, inviter);
             // Try to accept the room key bundle specified in a `m.room_key_bundle` to-device message we (might have) already received.
@@ -4086,14 +4099,12 @@ export class MatrixClient extends TypedEventEmitter<EmittedEvents, ClientEventHa
             opts = { reason: opts };
         }
 
-        if (opts.shareEncryptedHistory) {
-            const historyVisibility = this.getRoom(roomId)?.getHistoryVisibility() ?? HistoryVisibility.Shared;
-            // We should only share room history if the *current* visibility allows it.
-            if ([HistoryVisibility.Invited, HistoryVisibility.Joined].includes(historyVisibility)) {
-                this.logger.debug("Not sharing message history as the room history visibility is currently unshared");
-            } else {
-                await this.cryptoBackend?.shareRoomHistoryWithUser(roomId, userId);
-            }
+        const historyVisibility = this.getRoom(roomId)?.getHistoryVisibility() ?? HistoryVisibility.Shared;
+        // We should only share room history if the *current* visibility allows it.
+        if ([HistoryVisibility.Invited, HistoryVisibility.Joined].includes(historyVisibility)) {
+            this.logger.debug("Not sharing message history as the room history visibility is currently unshared");
+        } else {
+            await this.cryptoBackend?.shareRoomHistoryWithUser(roomId, userId);
         }
 
         return await this.membershipChange(roomId, userId, KnownMembership.Invite, opts.reason);
@@ -7364,6 +7375,8 @@ export class MatrixClient extends TypedEventEmitter<EmittedEvents, ClientEventHa
 
     /**
      * Fetch a user's *extended* profile, which may include additional keys.
+     * Always returns all available profile fields, irrespective of what profile fields are set
+     * in the sync filter.
      *
      * @see https://github.com/tcpipuk/matrix-spec-proposals/blob/main/proposals/4133-extended-profiles.md
      * @param userId The user ID to fetch the profile of.
@@ -7376,6 +7389,10 @@ export class MatrixClient extends TypedEventEmitter<EmittedEvents, ClientEventHa
         if (!(await this.doesServerSupportExtendedProfiles())) {
             throw new Error("Server does not support extended profiles");
         }
+
+        // Note that this does not look at the profile cache as this will only contain keys
+        // that we included in the sync filter and this function's purpose is to return the whole profile.
+
         return this.http.authedRequest(
             Method.Get,
             utils.encodeUri("/profile/$userId", { $userId: userId }),
@@ -7388,7 +7405,8 @@ export class MatrixClient extends TypedEventEmitter<EmittedEvents, ClientEventHa
     }
 
     /**
-     * Fetch a specific key from the user's *extended* profile.
+     * Fetch a specific key from the user's *extended* profile by checking local cache (which is updated from
+     * the sync) and querying the server if no data is cached locally.
      *
      * @see https://github.com/tcpipuk/matrix-spec-proposals/blob/main/proposals/4133-extended-profiles.md
      * @param userId The user ID to fetch the profile of.
@@ -7402,6 +7420,12 @@ export class MatrixClient extends TypedEventEmitter<EmittedEvents, ClientEventHa
         if (!(await this.doesServerSupportExtendedProfiles())) {
             throw new Error("Server does not support extended profiles");
         }
+        // NOTE: We only read individual keys from a cached profile as we don't have the full profile
+        // cached, only the keys that the user has configured via their sync filter.
+        const storedProfile = await this.store.getUserProfile(userId);
+        if (storedProfile?.[key] !== undefined) {
+            return storedProfile[key];
+        }
         const profile = (await this.http.authedRequest(
             Method.Get,
             utils.encodeUri("/profile/$userId/$key", { $userId: userId, $key: key }),
@@ -7410,7 +7434,11 @@ export class MatrixClient extends TypedEventEmitter<EmittedEvents, ClientEventHa
             {
                 prefix: await this.getExtendedProfileRequestPrefix(),
             },
-        )) as Record<string, unknown>;
+        )) as SyncUserProfile;
+
+        // write through to the cache
+        await this.store.storeUserProfiles(new Map([[userId, profile]]));
+
         return profile[key];
     }
 

package/src/filter.ts

@@ -18,6 +18,9 @@ import { type EventType, type RelationType } from "./@types/event.ts";
 import { UNREAD_THREAD_NOTIFICATIONS } from "./@types/sync.ts";
 import { FilterComponent, type IFilterComponent } from "./filter-component.ts";
 import { type MatrixEvent } from "./models/event.ts";
+import { NamespacedValue } from "./NamespacedValue.ts";
+
+const profileFieldsFilterName = new NamespacedValue("profile_fields", "org.matrix.msc4429.profile_fields");
 
 /**
  */
@@ -35,11 +38,13 @@ function setProp(obj: Record<string, any>, keyNesting: string, val: any): void {
 
 /* eslint-disable camelcase */
 export interface IFilterDefinition {
-    event_fields?: string[];
-    event_format?: "client" | "federation";
-    presence?: IFilterComponent;
-    account_data?: IFilterComponent;
-    room?: IRoomFilter;
+    "event_fields"?: string[];
+    "event_format"?: "client" | "federation";
+    "presence"?: IFilterComponent;
+    "account_data"?: IFilterComponent;
+    "room"?: IRoomFilter;
+    "profile_fields"?: ProfileFieldsFilter;
+    "org.matrix.msc4429.profile_fields"?: ProfileFieldsFilter;
 }
 
 export interface IRoomEventFilter extends IFilterComponent {
@@ -67,6 +72,14 @@ interface IRoomFilter {
     timeline?: IRoomEventFilter;
     account_data?: IRoomEventFilter;
 }
+
+/**
+ * Filter section used for requesting a set of extended profile fields that will be sent down the sync stream.
+ */
+interface ProfileFieldsFilter {
+    ids: string[];
+}
+
 /* eslint-enable camelcase */
 
 export class Filter {
@@ -242,4 +255,17 @@ export class Filter {
     public setIncludeLeaveRooms(includeLeave: boolean): void {
         setProp(this.definition, "room.include_leave", includeLeave);
     }
+
+    /**
+     * Set the list of fields to be included in the profile information sent down the sync stream.
+     * @param ids The field IDs to sync.
+     * @param stable Whether to use the stable or unstable versions of this filter.
+     * @experimental
+     */
+    public setUnstableMSC4429SyncUserProfiles(ids: string[], stable: boolean): void {
+        const field = stable
+            ? profileFieldsFilterName.name
+            : (profileFieldsFilterName.unstable ?? profileFieldsFilterName.name);
+        this.definition[field] = { ids };
+    }
 }

package/src/models/user.ts

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+import { type Json, type JsonValue } from "../@types/json.ts";
 import { type MatrixClient } from "../matrix.ts";
 import { type MatrixEvent } from "./event.ts";
 import { TypedEventEmitter } from "./typed-event-emitter.ts";
@@ -26,6 +27,11 @@ export enum UserEvent {
     LastPresenceTs = "User.lastPresenceTs",
 }
 
+/**
+ * An object of extended profile attributes for a user as it arrives down the sync stream.
+ */
+export type SyncUserProfile = Record<string, Json | JsonValue>;
+
 export type UserEventHandlerMap = {
     /**
      * Fires whenever any user's display name changes.

package/src/oidc/authorize.ts

@@ -37,6 +37,9 @@ import {
 } from "./validate.ts";
 import { sha256 } from "../digest.ts";
 import { encodeUnpaddedBase64Url } from "../base64.ts";
+import { OAuthGrantType } from "./register.ts";
+import { sleep } from "../utils.ts";
+import { Method } from "../http-api/index.ts";
 
 // reexport for backwards compatibility
 export type { BearerTokenResponse };
@@ -271,8 +274,16 @@ export const completeAuthorizationCodeGrant = async (
 
         // throws when response is invalid
         validateBearerTokenResponse(signinResponse);
-        // throws when token is invalid
-        validateIdToken(signinResponse.id_token, client.settings.authority, client.settings.client_id, userState.nonce);
+        if (signinResponse.id_token) {
+            // The token is not yet in the Matrix spec so consider it optional
+            // throws when token is invalid
+            validateIdToken(
+                signinResponse.id_token,
+                client.settings.authority,
+                client.settings.client_id,
+                userState.nonce,
+            );
+        }
         const normalizedTokenResponse = normalizeBearerTokenResponseTokenType(signinResponse);
 
         return {
@@ -296,3 +307,125 @@ export const completeAuthorizationCodeGrant = async (
         throw new Error(OidcError.CodeExchangeFailed);
     }
 };
+
+/**
+ * Response from the OIDC token endpoint when exchanging a token for grant_type device_code.
+ */
+export interface DeviceAccessTokenResponse {
+    id_token?: string;
+    access_token: string;
+    token_type: string;
+    refresh_token?: string;
+    scope?: string;
+    expires_in?: number;
+    session_state?: string;
+}
+
+/**
+ * Error from the OIDC token endpoint when exchanging a token for grant_type device_code.
+ */
+export interface DeviceAccessTokenError {
+    error: string;
+    error_description?: string;
+    error_uri?: string;
+    session_state?: string;
+}
+
+/**
+ * Response from the OIDC device authorization endpoint.
+ */
+export interface DeviceAuthorizationResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete?: string;
+    expires_in: number;
+    interval?: number;
+}
+
+/**
+ * Begin OIDC device authorization flow.
+ * @param options - The device authorization parameters.
+ * @param options.clientId - the client ID returned from client registration.
+ * @param options.scope - the scope to request for authorization.
+ * @param options.metadata - the validated OIDC metadata for the Identity Provider.
+ * @returns a promise that resolves to a device access token response,
+ *   or an error response if the user denies authorization or the device code expires.
+ */
+export const startDeviceAuthorization = async ({
+    clientId,
+    scope,
+    metadata,
+}: {
+    clientId: string;
+    scope: string;
+    metadata: ValidatedAuthMetadata;
+}): Promise<DeviceAuthorizationResponse> => {
+    const body = new URLSearchParams({ client_id: clientId, scope: scope }).toString();
+
+    const url = metadata.device_authorization_endpoint;
+    if (!url) {
+        throw new Error("No device_authorization_endpoint given");
+    }
+
+    const response = await fetch(url, {
+        method: Method.Post,
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body,
+    });
+
+    return (await response.json()) as DeviceAuthorizationResponse;
+};
+
+/**
+ * Polls the OIDC token endpoint until we get a device access token response, or encounter an unrecoverable error.
+ * @param options - The device authorization parameters.
+ * @param options.session - The session returned from a previous call to {@link startDeviceAuthorization}.
+ * @param options.metadata - The validated OIDC metadata for the Identity Provider.
+ * @param options.clientId - The client ID returned from client registration.
+ * @returns a promise that resolves to a device access token response,
+ *   or an error response if the user denies authorization or the device code expires.
+ */
+export const waitForDeviceAuthorization = async ({
+    session,
+    metadata,
+    clientId,
+}: {
+    session: DeviceAuthorizationResponse;
+    metadata: ValidatedAuthMetadata;
+    clientId: string;
+}): Promise<DeviceAccessTokenResponse | DeviceAccessTokenError> => {
+    let interval = (session.interval ?? 5) * 1000; // poll interval
+    const expiration = Date.now() + session.expires_in * 1000;
+    do {
+        const body = new URLSearchParams({
+            device_code: session.device_code,
+            grant_type: OAuthGrantType.DeviceAuthorization,
+            client_id: clientId,
+        }).toString();
+        const response = await fetch(metadata.token_endpoint, {
+            method: Method.Post,
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body,
+        });
+
+        if (response.ok) {
+            return (await response.json()) as DeviceAccessTokenResponse;
+        }
+        const errorResponse = (await response.json()) as DeviceAccessTokenError;
+        switch (errorResponse.error) {
+            case "authorization_pending":
+                break;
+            case "slow_down":
+                interval += 5000;
+                break;
+            case "access_denied":
+            case "expired_token":
+                return errorResponse;
+        }
+        await sleep(interval);
+    } while (Date.now() < expiration);
+    return { error: "expired" };
+};

package/src/oidc/register.ts

@@ -111,6 +111,11 @@ export const registerOidcClient = async (
         throw new Error(OidcError.DynamicRegistrationNotSupported);
     }
 
+    // ask for device authorization grant if supported
+    if (delegatedAuthConfig.grant_types_supported.includes(OAuthGrantType.DeviceAuthorization)) {
+        grantTypes.push(OAuthGrantType.DeviceAuthorization);
+    }
+
     const commonBase = new URL(clientMetadata.clientUri);
 
     // https://openid.net/specs/openid-connect-registration-1_0.html

package/src/rendezvous/MSC4108SignInWithQR.ts

@@ -27,7 +27,16 @@ import { logger } from "../logger.ts";
 import { type MSC4108SecureChannel } from "./channels/MSC4108SecureChannel.ts";
 import { MatrixError } from "../http-api/index.ts";
 import { sleep } from "../utils.ts";
-import { OAuthGrantType, type OidcClientConfig } from "../oidc/index.ts";
+import {
+    type DeviceAccessTokenResponse,
+    type DeviceAuthorizationResponse,
+    generateScope,
+    OAuthGrantType,
+    startDeviceAuthorization,
+    type ValidatedAuthMetadata,
+    waitForDeviceAuthorization,
+    type OidcClientConfig,
+} from "../oidc/index.ts";
 import { type CryptoApi } from "../crypto-api/index.ts";
 
 /**
@@ -111,6 +120,8 @@ export class MSC4108SignInWithQR {
     private readonly ourIntent: QrCodeIntent;
     private _code?: Uint8Array;
     private expectingNewDeviceId?: string;
+    private metadata?: ValidatedAuthMetadata;
+    private grantInProgress?: DeviceAuthorizationResponse;
 
     /**
      * Returns the check code for the secure channel or undefined if not generated yet.
@@ -241,14 +252,53 @@ export class MSC4108SignInWithQR {
     /**
      * The second & third step in the OIDC QR login process.
      * To be called after `negotiateProtocols` for the existing device.
-     * To be called after OIDC negotiation for the new device. (Currently unsupported)
+     * To be called after OIDC negotiation for the new device.
+     *
+     * @param input - Required for the new device to start the device authorization grant, not required for the existing device reciprocating the login
      */
-    public async deviceAuthorizationGrant(): Promise<{
+    public async deviceAuthorizationGrant(input?: {
+        metadata: ValidatedAuthMetadata;
+        clientId: string;
+        deviceId: string;
+    }): Promise<{
         verificationUri?: string;
         userCode?: string;
     }> {
         if (this.isNewDevice) {
-            throw new Error("New device flows around OIDC are not yet implemented");
+            if (!input) {
+                throw new Error("Input must be provided for new device");
+            }
+
+            const { metadata, clientId, deviceId } = input;
+
+            const scope = generateScope(deviceId);
+
+            // MSC4108-Flow: NewDevice - start device authorization grant
+            const dagResponse = await startDeviceAuthorization({
+                clientId,
+                scope,
+                metadata,
+            });
+
+            this.metadata = metadata;
+            this.grantInProgress = dagResponse;
+
+            const protocol: DeviceAuthorizationGrantProtocolPayload = {
+                type: PayloadType.Protocol,
+                protocol: "device_authorization_grant",
+                device_id: deviceId,
+                device_authorization_grant: {
+                    verification_uri: dagResponse.verification_uri,
+                    verification_uri_complete: dagResponse.verification_uri_complete,
+                },
+            };
+
+            await this.send(protocol);
+
+            return {
+                verificationUri: dagResponse.verification_uri_complete ?? dagResponse.verification_uri,
+                userCode: dagResponse.user_code,
+            };
         } else {
             // The user needs to do step 7 for the out-of-band confirmation
             // but, first we receive the protocol chosen by the other device so that
@@ -311,6 +361,69 @@ export class MSC4108SignInWithQR {
         }
     }
 
+    /**
+     * The fourth step in the OIDC QR login process.
+     * The reciprocating device must perform step 5 for this method to resolve.
+     * To be called after {@link deviceAuthorizationGrant} only on the new device.
+     */
+    public async completeLoginOnNewDevice({
+        clientId,
+    }: {
+        clientId: string;
+    }): Promise<DeviceAccessTokenResponse | undefined> {
+        if (!this.isNewDevice || !this.grantInProgress || !this.metadata) {
+            throw new Error("Can only complete login on new device");
+        }
+
+        logger.info("Waiting for protocol accepted message");
+        // wait for accepted message
+        const payload = await this.receive<AcceptedPayload | FailurePayload>();
+
+        if (!payload) {
+            throw new RendezvousError(
+                "No response from existing device",
+                MSC4108FailureReason.UnexpectedMessageReceived,
+            );
+        }
+        if (payload.type === PayloadType.Failure) {
+            throw new RendezvousError("Failed", (payload as FailurePayload).reason);
+        }
+        if (payload.type !== PayloadType.ProtocolAccepted) {
+            throw new RendezvousError("Unexpected message received", MSC4108FailureReason.UnexpectedMessageReceived);
+        }
+
+        // poll for DAG
+        const res = await waitForDeviceAuthorization({
+            session: this.grantInProgress,
+            metadata: this.metadata,
+            clientId,
+        });
+
+        if (!res) {
+            throw new RendezvousError(
+                "No response from device authorization endpoint",
+                ClientRendezvousFailureReason.Unknown,
+            );
+        }
+
+        if ("error" in res) {
+            let reason: MSC4108FailureReason = MSC4108FailureReason.UnexpectedMessageReceived;
+            if (res.error === "expired_token") {
+                reason = MSC4108FailureReason.AuthorizationExpired;
+            } else if (res.error === "access_denied") {
+                reason = MSC4108FailureReason.UserCancelled;
+            }
+            const payload: FailurePayload = {
+                type: PayloadType.Failure,
+                reason,
+            };
+            await this.send(payload);
+            return undefined;
+        }
+
+        return res;
+    }
+
     /**
      * The fifth (and final) step in the OIDC QR login process.
      * To be called after the new device has completed authentication.

package/src/rendezvous/channels/MSC4108SecureChannel.ts

@@ -164,7 +164,10 @@ export class MSC4108SecureChannel {
             logger.info("Waiting for LoginInitiateMessage");
             const loginInitiateMessage = await this.rendezvousSession.receive();
             if (!loginInitiateMessage) {
-                throw new Error("No response from other device");
+                throw new RendezvousError(
+                    "No response from other device",
+                    MSC4108FailureReason.UnexpectedMessageReceived,
+                );
             }
 
             const { channel, message: candidateLoginInitiateMessage } =
@@ -257,7 +260,12 @@ export class MSC4108SecureChannel {
             await this.rendezvousSession.cancel(reason);
             this.onFailure?.(reason);
         } finally {
-            await this.close();
+            if (
+                reason !== ClientRendezvousFailureReason.UserDeclined &&
+                reason !== MSC4108FailureReason.UserCancelled
+            ) {
+                await this.close();
+            }
         }
     }