Andrew Yasinishyn
63d96bfc61
ModuleAPI SSO auth callbacks ( #15207 )
Signed-off-by: Andrii Yasynyshyn <yasinishyn.a.n@gmail.com>
2023-12-01 14:31:50 +00:00
David Robertson
62a1a9be52
Describe which rate limiter was hit in logs ( #16135 )
2023-08-30 00:39:39 +01:00
Erik Johnston
25c55a9d22
Add login spam checker API ( #15838 )
2023-06-26 14:12:20 +00:00
Hugh Nimmo-Smith
d1693f0362
Implement stable support for MSC3882 to allow an existing device/session to generate a login token for use on a new device/session ( #15388 )
Implements stable support for MSC3882; this involves updating Synapse's support to
match what the MSC / the spec says.
Continue to support the unstable version to allow clients to transition.
2023-06-01 08:52:51 -04:00
Hugh Nimmo-Smith
249f4a338d
Refactor config to be an experimental feature
Also enforce you can't combine it with incompatible config options
2023-05-30 09:43:06 -04:00
Quentin Gliech
31691d6151
Disable account related endpoints when using OAuth delegation
2023-05-30 09:43:06 -04:00
Patrick Cloke
7c9b91790c
Consolidate logic to check for deactivated users. ( #15634 )
This moves the deactivated user check to the method which
all login types call.
Additionally updates the application service tests to be more
realistic by removing invalid tests and fixing server names.
2023-05-23 10:35:43 -04:00
Patrick Cloke
89a23c9406
Do not allow deactivated users to login with JWT. ( #15624 )
To improve the organization of this code it moves the JWT login
checks to a separate handler and then fixes the bug (and a
deprecation warning).
2023-05-19 08:06:54 -04:00
Dirk Klimpel
c9723a1c1f
Only load the SSO redirect servlet if SSO is enabled. ( #15421 )
2023-04-13 13:08:00 +00:00
Dirk Klimpel
be36600327
Disable loading `RefreshTokenServlet` on workers ( #15428 )
2023-04-13 13:28:55 +02:00
reivilibre
98fd558382
Add a primitive helper script for listing worker endpoints. ( #15243 )
Co-authored-by: Patrick Cloke <patrickc@matrix.org>
2023-03-23 12:11:14 +00:00
Patrick Cloke
d8cc86eff4
Remove redundant types from comments. ( #14412 )
Remove type hints from comments which have been added
as Python type hints. This helps avoid drift between comments
and reality, as well as removing redundant information.
Also adds some missing type hints which were simple to fill in.
2022-11-16 15:25:24 +00:00
Tulir Asokan
a4b1f64562
Fix /refresh endpoint version ( #14364 )
2022-11-04 16:43:51 +00:00
Quentin Gliech
8756d5c87e
Save login tokens in database ( #13844 )
* Save login tokens in database
Signed-off-by: Quentin Gliech <quenting@element.io>
* Add upgrade notes
* Track login token reuse in a Prometheus metric
Signed-off-by: Quentin Gliech <quenting@element.io>
2022-10-26 11:45:41 +01:00
Brendan Abolivier
be76cd8200
Allow admins to require a manual approval process before new accounts can be used (using MSC3866) ( #13556 )
2022-09-29 15:23:24 +02:00
Quentin Gliech
b19060a29b
Make the AS login method call `Auth.get_user_by_req` for checking the AS token. ( #13094 )
This gets rid of another usage of get_appservice_by_req, with all the benefits, including correctly tracking the appservice IP and setting the tracing attributes correctly.
Signed-off-by: Quentin Gliech <quenting@element.io>
2022-07-12 18:06:29 +01:00
Hannes Lerchl
7d99414edf
Replace pyjwt with authlib in `org.matrix.login.jwt` ( #13011 )
2022-06-15 16:45:16 +00:00
Patrick Cloke
7fbf42499d
Use `getClientAddress` instead of `getClientIP`. ( #12599 )
getClientIP was deprecated in Twisted 18.4.0, which also added
getClientAddress. The Synapse minimum version for Twisted is
currently 18.9.0, so all supported versions have the new API.
2022-05-04 14:11:21 -04:00
Patrick Cloke
ba3fd54bad
Remove unstable/unspecced login types. ( #12597 )
* `m.login.jwt`, which was never specced and has been deprecated
since Synapse 1.16.0. (`org.matrix.login.jwt` can be used instead.)
* `uk.half-shot.msc2778.login.application_service`, which was
stabilized as part of the Matrix spec v1.2 release.
2022-05-04 13:53:21 +00:00
Shay
8e2759f2d8
Limit `device_id` size to 512B ( #12454 )
*
2022-04-13 10:04:01 -07:00
Richard van der Hoff
e24ff8ebe3
Remove `HomeServer.get_datastore()` ( #12031 )
The presence of this method was confusing, and mostly present for backwards
compatibility. Let's get rid of it.
Part of #11733
2022-02-23 11:04:02 +00:00
reivilibre
2f053f3f82
Stabilise support for MSC2918 refresh tokens as they have now been merged into the Matrix specification. ( #11435 )
2021-12-06 19:11:43 +00:00
Quentin Gliech
a15a893df8
Save the OIDC session ID (sid) with the device on login ( #11482 )
As a step towards allowing back-channel logout for OIDC.
2021-12-06 12:43:06 -05:00
Patrick Cloke
a265fbd397
Register the login redirect endpoint for v3. ( #11451 )
As specified for Matrix v1.1.
2021-12-01 07:25:58 -05:00
reivilibre
1b6691dce4
Update MSC2918 refresh token support to conform with the latest revision: accept the `refresh_tokens` parameter in the request body rather than in the URL parameters. ( #11430 )
2021-11-26 19:06:16 +00:00
reivilibre
1d8b80b334
Support expiry of refresh tokens and expiry of the overall session when refresh tokens are in use. ( #11425 )
2021-11-26 14:27:14 +00:00
reivilibre
f25c75d376
Rename unstable `access_token_lifetime` configuration option to `refreshable_access_token_lifetime` to make it clear it only concerns refreshable access tokens. ( #11388 )
2021-11-23 17:01:34 +00:00
Kostas
1035663833
Add config for customizing the claim used for JWT logins. ( #11361 )
Allows specifying a different claim (from the default "sub") to use
when calculating the localpart of the Matrix ID used during the
JWT login.
2021-11-22 13:01:03 -05:00
Tulir Asokan
6f862c5c28
Add support for the stable version of MSC2778 ( #11335 )
* Add support for the stable version of MSC2778
Signed-off-by: Tulir Asokan <tulir@maunium.net>
* Expect m.login.application_service in login and password provider tests
Signed-off-by: Tulir Asokan <tulir@maunium.net>
2021-11-15 10:31:22 +00:00
Patrick Cloke
a0f48ee89d
Use direct references for configuration variables (part 7). ( #10959 )
2021-10-04 07:18:54 -04:00
Patrick Cloke
bb7fdd821b
Use direct references for configuration variables (part 5). ( #10897 )
2021-09-24 07:25:21 -04:00
Patrick Cloke
47854c71e9
Use direct references for configuration variables (part 4). ( #10893 )
2021-09-23 12:03:01 -04:00
Patrick Cloke
e584534403
Use direct references for some configuration variables (part 3) ( #10885 )
This avoids the overhead of searching through the various
configuration classes by directly referencing the class that
the attributes are in.
It also improves type hints since mypy can now resolve the
types of the configuration variables.
2021-09-23 07:13:34 -04:00
Patrick Cloke
01c88a09cd
Use direct references for some configuration variables ( #10798 )
Instead of proxying through the magic getter of the RootConfig
object. This should be more performant (and is more explicit).
2021-09-13 13:07:12 -04:00
Sean
273b6861f2
Remove unstable MSC2858 API, including `experimental.msc2858_enabled` config option ( #10693 )
Signed-off-by: Sean Quah <seanq@element.io>
2021-09-09 17:59:59 +01:00
Patrick Cloke
1aa0dad021
Additional type hints for REST servlets (part 2). ( #10674 )
Applies the changes from #10665 to additional modules.
2021-08-26 11:53:52 +00:00
Richard van der Hoff
15db8b7c7f
Correctly initialise the `synapse_user_logins` metric. ( #10677 )
Fix a bug where the prometheus metrics for SSO logins wouldn't be initialised
until the first user logged in with a given auth provider.
2021-08-24 09:17:51 +00:00
reivilibre
642a42edde
Flatten the synapse.rest.client package ( #10600 )
2021-08-17 11:57:58 +00:00