Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Implement MSC3231: Token authenticated registration #10142

Merged
merged 54 commits into from
Aug 21, 2021
Merged

Implement MSC3231: Token authenticated registration #10142

merged 54 commits into from
Aug 21, 2021

Conversation

govynnus
Copy link
Contributor

@govynnus govynnus commented Jun 8, 2021
edited
Loading

Signed-off-by: Callum Brown callum@calcuode.com

This is part of my GSoC project implementing MSC3231.

Status:

  • Works with a list of hard-coded tokens
  • Checks against tokens stored in the database
  • Validity checking endpoint
  • Fallback
  • Admin API for managing tokens

@govynnus
Hard-coded token authenticated registration
5856f81 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus govynnus mentioned this pull request Jun 8, 2021
Merged
@govynnus
Create registration_tokens table
5f21580 
Signed-off-by: Callum Brown <callum@calcuode.com>
anoadragon453
anoadragon453 reviewed Jun 16, 2021
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking excellent so far, nice work! I've dropped a myriad of comments all over the place, and I realise the PR is still in a draft state. In any case, let me know if any of them are unclear or don't make sense at this point 🙂

synapse/config/registration.py Outdated Show resolved Hide resolved
synapse/config/registration.py Outdated Show resolved Hide resolved
synapse/config/registration.py Outdated Show resolved Hide resolved
synapse/handlers/ui_auth/checkers.py Outdated Show resolved Hide resolved
synapse/storage/databases/main/registration.py Outdated Show resolved Hide resolved
tests/rest/client/v2_alpha/test_register.py Outdated Show resolved Hide resolved
tests/rest/client/v2_alpha/test_register.py Outdated Show resolved Hide resolved
synapse/handlers/ui_auth/checkers.py Outdated Show resolved Hide resolved
synapse/handlers/ui_auth/checkers.py Show resolved Hide resolved
synapse/storage/schema/main/delta/59/999create_registration_tokens.sql Outdated Show resolved Hide resolved
@govynnus
Check in database to validate registration token
2b8726c 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Increment completed when registration token used
5b1ec0b 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Rename total_uses to uses_allowed
15e5769 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Improve unit tests
9c502b0 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Increment pending while registration in progress
e7754a9 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Add unit test for registration token expiry
ef05a6d 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Fix config file related bits
53f0e05 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Run connected database ops in same transaction
7883191 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Fix some formatting problems
1debc22 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Test completed is empty when auth should fail
6ac376d 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Override type of simple_select_one_txn
dfa8fec 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Raise error if token changes during UIA
c89d786 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Add validity checking endpoint
e7bd00a 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Use AuthHandler methods for accessing UIA session
d6704fd 
rather than using storage methods directly.
Also use UIAuthSessionDataConstants.

Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Rate limit validity checking endpoint
003e67d 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Use LoginError rather than SynapseError in checker
3c51680 
So error fields are merged into UIA response.
(Failures are due to authentication)

Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Add fallback
af90be7 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Docs for currently non-existent admin API
1552b70 
Signed-off-by: Callum Brown <callum@calcuode.com>
anoadragon453
anoadragon453 reviewed Jul 12, 2021
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for taking a while to get back to this. I left a review mid-way and only now realised.

synapse/rest/client/v2_alpha/auth.py Outdated Show resolved Hide resolved
synapse/rest/client/v2_alpha/auth.py Outdated Show resolved Hide resolved
dklimpel
dklimpel reviewed Jul 16, 2021
View reviewed changes
docs/SUMMARY.md Outdated Show resolved Hide resolved
anoadragon453
anoadragon453 suggested changes Jul 19, 2021
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Broadly this is looking excellent. I've got just a few notes below, but overall this looks solid.

synapse/rest/admin/__init__.py Outdated Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Outdated Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Outdated Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Outdated Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Outdated Show resolved Hide resolved
synapse/storage/databases/main/registration.py Outdated Show resolved Hide resolved
synapse/storage/databases/main/registration.py Outdated Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Show resolved Hide resolved
tests/rest/admin/test_registration_tokens.py Outdated Show resolved Hide resolved
synapse/storage/databases/main/registration.py Outdated Show resolved Hide resolved
@govynnus govynnus marked this pull request as ready for review August 19, 2021 16:36
anoadragon453
anoadragon453 suggested changes Aug 19, 2021
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, note that 63 is actually the latest schema delta, rather than 62. It was raised in this commit. It didn't involve a migration though, which could be confusing if one is just looking at the list of schema delta directories.

I'll need to take another overarching look at this tomorrow - but it's looking very close! I'd also at least try using it from a worker setup manually, by creating a generic worker alongside the main process that handles client traffic. Then, attempt to register through it using a token.

I need to try it again, but during my last review I was unable to call the verify endpoint on the worker (I got back an "Unrecognised request" error). So it looks like the endpoint wasn't mounted on the worker, but didn't look at deeper than that yet.

synapse/storage/databases/main/registration.py Outdated Show resolved Hide resolved
@govynnus
Move table creation sql to actual newest delta
c6bcae2 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Avoid integrity error when creating tokens
01a74da 
Check if token already exists before trying to create it

Signed-off-by: Callum Brown <callum@calcuode.com>
anoadragon453
anoadragon453 suggested changes Aug 20, 2021
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few remaining bits and pieces, but otherwise this is looking ready to go!

docs/usage/administration/admin_api/registration_tokens.md Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Show resolved Hide resolved
docs/usage/administration/admin_api/registration_tokens.md Outdated Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Outdated Show resolved Hide resolved
synapse/rest/client/register.py Show resolved Hide resolved
synapse/handlers/ui_auth/__init__.py Outdated Show resolved Hide resolved
synapse/handlers/ui_auth/checkers.py Outdated Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Outdated Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Outdated Show resolved Hide resolved
govynnus and others added 5 commits August 20, 2021 13:27
@govynnus @anoadragon453
Fix docs, comments and variable names
5bfc707 
Signed-off-by: Callum Brown <callum@calcuode.com>

Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
@govynnus
Try again if generated token already exists
b5608c3 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Let validity checking endpoint be used by workers
bf28876 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Document usage of null when updating tokens
2e59dda 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Merge remote-tracking branch 'upstream/develop' into token-registration
df0077d 
To get the flattened tests/rest/client directory of matrix-org#10667
anoadragon453
anoadragon453 reviewed Aug 20, 2021
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm other than the outstanding comments!

docs/usage/administration/admin_api/registration_tokens.md Outdated Show resolved Hide resolved
synapse/rest/admin/registration_tokens.py Show resolved Hide resolved
@govynnus
Simplify retrying of token generation
54867ef 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Small additions to admin api documentation
20b566c 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus govynnus mentioned this pull request Aug 21, 2021
Merged
anoadragon453
anoadragon453 approved these changes Aug 21, 2021
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice method of testing token generation collision.

This LGTM!

synapse/storage/databases/main/registration.py Outdated Show resolved Hide resolved
@anoadragon453 anoadragon453 merged commit 947dbbd into matrix-org:develop Aug 21, 2021
@govynnus govynnus deleted the token-registration branch August 22, 2021 13:18
@Sleuth56 Sleuth56 mentioned this pull request Sep 23, 2021
Closed
@DMRobertson DMRobertson mentioned this pull request Oct 13, 2021
Open
@ShadowJonathan ShadowJonathan mentioned this pull request Jan 31, 2022
Merged
4 tasks
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@dklimpel dklimpel dklimpel left review comments

@anoadragon453 anoadragon453 anoadragon453 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@govynnus @anoadragon453 @dklimpel