Implement MSC3231: Token authenticated registration

docs/usage/administration/admin_api/registration_tokens.md

@@ -5,6 +5,7 @@ registration requests, as proposed in [MSC3231](https://github.com/govynnus/matr
 To use it, you will need to enable the `registration_requires_token` config
 option, and authenticate by providing an `access_token` for a server admin:
 see [Admin API](../../usage/administration/admin_api).
+Note that this API is still experimental; not all clients may support it yet.
 
 
 ## Registration token objects
@@ -23,9 +24,6 @@ These objects have the following fields:
   complete a registration.
 - `expiry_time`: The latest time the token is valid. Given as the number of
   milliseconds since 1970-01-01 00:00:00 UTC (the start of the Unix epoch).
-  A more human friendly format will be provided at some point, but in the
-  meantime you can remove the milliseconds and use the `date` command.
-  For example, `date -d '@1625394937'`.
 
 
 ## List all tokens
@@ -40,8 +38,8 @@ GET /_synapse/admin/v1/registration_tokens
 
 Optional query parameters:
 - `valid`: `true` or `false`. If `true`, only valid tokens are returned.
-  If `false`, only invalid tokens are returned. If omitted, all tokens are
-  returned regardless of validity.
+  If `false`, only tokens that have expired or have had all uses exhausted are
+  returned. If omitted, all tokens are returned regardless of validity.
 
 Example:
 

synapse/handlers/ui_auth/__init__.py

@@ -35,7 +35,7 @@ class UIAuthSessionDataConstants:
     # for.
     REQUEST_USER_ID = "request_user_id"
 
-    # used during registration to store the registration used (if required) so that
+    # used during registration to store the registration token used (if required) so that:
     # - we can prevent a token being used twice by one session
     # - we can 'use up' the token after registration has successfully completed
     REGISTRATION_TOKEN = "org.matrix.msc3231.login.registration_token"

synapse/handlers/ui_auth/checkers.py

@@ -263,11 +263,11 @@ async def check_auth(self, authdict: dict, clientip: str) -> Any:
         if "session" not in authdict:
             raise LoginError(400, "Missing UIA session", Codes.MISSING_PARAM)
 
-        # Import here to avoid a cyclic dependency
+        # Get these here to avoid cyclic dependencies
         from synapse.handlers.ui_auth import UIAuthSessionDataConstants
 
-        # Retrieve the auth handler here to avoid a cyclic dependency
         auth_handler = self.hs.get_auth_handler()
+
         session = authdict["session"]
         token = authdict["token"]
 

synapse/rest/admin/registration_tokens.py

@@ -61,8 +61,10 @@ class ListRegistrationTokensRestServlet(RestServlet):
             ]
         }
 
-    The optional query parameter `valid` is used to the response to only
-    valid or invalid tokens. It can be `true` or `false`.
+    The optional query parameter `valid` can be used to filter the response.
+    If it is `true`, only valid tokens are returned. If it is `false`, only
+    tokens that have expired or have had all uses exhausted are returned.
+    If it is omitted, all tokens are returned regardless of validity.
     """
 
     PATTERNS = admin_patterns("/registration_tokens$")
@@ -262,26 +264,29 @@ async def on_PUT(self, request: SynapseRequest, token: str) -> Tuple[int, JsonDi
 
         # Only add uses_allowed to new_attributes if it is present and valid
         if "uses_allowed" in body:
-            ua = body["uses_allowed"]
-            if not (ua is None or (isinstance(ua, int) and ua >= 0)):
+            uses_allowed = body["uses_allowed"]
+            if not (
+                uses_allowed is None
+                or (isinstance(uses_allowed, int) and uses_allowed >= 0)
+            ):
                 raise SynapseError(
                     400,
                     "uses_allowed must be a non-negative integer or null",
                     Codes.INVALID_PARAM,
                 )
-            new_attributes["uses_allowed"] = ua
+            new_attributes["uses_allowed"] = uses_allowed
 
         if "expiry_time" in body:
-            et = body["expiry_time"]
-            if not isinstance(et, (int, type(None))):
+            expiry_time = body["expiry_time"]
+            if not isinstance(expiry_time, (int, type(None))):
                 raise SynapseError(
                     400, "expiry_time must be an integer or null", Codes.INVALID_PARAM
                 )
-            if isinstance(et, int) and et < self.clock.time_msec():
+            if isinstance(expiry_time, int) and expiry_time < self.clock.time_msec():
                 raise SynapseError(
                     400, "expiry_time must not be in the past", Codes.INVALID_PARAM
                 )
-            new_attributes["expiry_time"] = et
+            new_attributes["expiry_time"] = expiry_time
 
         if len(new_attributes) == 0:
             # Nothing to update, get token info to return