From 87e4857eec7ec47a1780e10d1ac8bbe5e9210af9 Mon Sep 17 00:00:00 2001 From: richvdh Date: Fri, 26 Aug 2022 13:30:09 +0000 Subject: deploy: c4e29b6908ac8ae57b5e9a3e7662ad638b61e94a --- .../usage/configuration/config_documentation.html | 151 ++++++++++++--------- 1 file changed, 84 insertions(+), 67 deletions(-) (limited to 'develop/usage/configuration/config_documentation.html') diff --git a/develop/usage/configuration/config_documentation.html b/develop/usage/configuration/config_documentation.html index 0de761515c..c056038523 100644 --- a/develop/usage/configuration/config_documentation.html +++ b/develop/usage/configuration/config_documentation.html @@ -1713,23 +1713,25 @@ should be in the form of providers.json). By default this list is empty.

See here for full details on setting up captcha.

recaptcha_public_key

-

This homeserver's ReCAPTCHA public key. Must be specified if enable_registration_captcha is -enabled.

+

This homeserver's ReCAPTCHA public key. Must be specified if +enable_registration_captcha is enabled.

Example configuration:

recaptcha_public_key: "YOUR_PUBLIC_KEY"

recaptcha_private_key

-

This homeserver's ReCAPTCHA private key. Must be specified if enable_registration_captcha is +

This homeserver's ReCAPTCHA private key. Must be specified if +enable_registration_captcha is enabled.

Example configuration:

recaptcha_private_key: "YOUR_PRIVATE_KEY"

enable_registration_captcha

-

Set to true to enable ReCaptcha checks when registering, preventing signup -unless a captcha is answered. Requires a valid ReCaptcha public/private key. -Defaults to false.

+

Set to true to require users to complete a CAPTCHA test when registering an account. +Requires a valid ReCaptcha public/private key. +Defaults to false.

+

Note that enable_registration must also be set to allow account registration.

Example configuration:

enable_registration_captcha: true
@@ -1781,69 +1783,34 @@ it allows users to connect to arbitrary endpoints without having first signed up

Registration can be rate-limited using the parameters in the Ratelimiting section of this manual.

enable_registration

-

Enable registration for new users. Defaults to false. It is highly recommended that if you enable registration, -you use either captcha, email, or token-based verification to verify that new users are not bots. In order to enable registration -without any verification, you must also set enable_registration_without_verification to true.

+

Enable registration for new users. Defaults to false.

+

It is highly recommended that if you enable registration, you set one or more +or the following options, to avoid abuse of your server by "bots":

+ +

(In order to enable registration without any verification, you must also set +enable_registration_without_verification.)

+

Note that even if this setting is disabled, new accounts can still be created +via the admin API if +registration_shared_secret is set.

Example configuration:

enable_registration: true

enable_registration_without_verification

Enable registration without email or captcha verification. Note: this option is not recommended, -as registration without verification is a known vector for spam and abuse. Defaults to false. Has no effect -unless enable_registration is also enabled.

+as registration without verification is a known vector for spam and abuse. Defaults to false. Has no effect +unless enable_registration is also enabled.

Example configuration:

enable_registration_without_verification: true
-

session_lifetime

-

Time that a user's session remains valid for, after they log in.

-

Note that this is not currently compatible with guest logins.

-

Note also that this is calculated at login time: changes are not applied retrospectively to users who have already -logged in.

-

By default, this is infinite.

-

Example configuration:

-
session_lifetime: 24h
-
-
-

refresh_access_token_lifetime

-

Time that an access token remains valid for, if the session is using refresh tokens.

-

For more information about refresh tokens, please see the manual.

-

Note that this only applies to clients which advertise support for refresh tokens.

-

Note also that this is calculated at login time and refresh time: changes are not applied to -existing sessions until they are refreshed.

-

By default, this is 5 minutes.

-

Example configuration:

-
refreshable_access_token_lifetime: 10m
-
-
-

refresh_token_lifetime: 24h

-

Time that a refresh token remains valid for (provided that it is not -exchanged for another one first). -This option can be used to automatically log-out inactive sessions. -Please see the manual for more information.

-

Note also that this is calculated at login time and refresh time: -changes are not applied to existing sessions until they are refreshed.

-

By default, this is infinite.

-

Example configuration:

-
refresh_token_lifetime: 24h
-
-
-

nonrefreshable_access_token_lifetime

-

Time that an access token remains valid for, if the session is NOT -using refresh tokens.

-

Please note that not all clients support refresh tokens, so setting -this to a short value may be inconvenient for some users who will -then be logged out frequently.

-

Note also that this is calculated at login time: changes are not applied -retrospectively to existing sessions for users that have already logged in.

-

By default, this is infinite.

-

Example configuration:

-
nonrefreshable_access_token_lifetime: 24h
-
-

registrations_require_3pid

-

If this is set, the user must provide all of the specified types of 3PID when registering.

+

If this is set, users must provide all of the specified types of 3PID when registering an account.

+

Note that enable_registration must also be set to allow account registration.

Example configuration:

registrations_require_3pid:
   - email
@@ -1879,16 +1846,20 @@ flow (overrides registrations_require_3pid if MSISDNs are set as re
 
registration_requires_token

 
Require users to submit a token during registration.
 Tokens can be managed using the admin API.
-Note that enable_registration must be set to true.
 Disabling this option will not delete any tokens previously generated.
-Defaults to false. Set to true to enable.

+Defaults to false. Set to true to enable.

+
Note that enable_registration must also be set to allow account registration.

 
Example configuration:

 
registration_requires_token: true
 

 

 
registration_shared_secret

-
If set, allows registration of standard or admin accounts by anyone who
-has the shared secret, even if registration is otherwise disabled.

+
If set, allows registration of standard or admin accounts by anyone who has the
+shared secret, even if enable_registration is not
+set.

+
This is primarily intended for use with the register_new_matrix_user script
+(see Registering a user);
+however, the interface is documented.

 
See also registration_shared_secret_path.

 
Example configuration:

 
registration_shared_secret: <PRIVATE STRING>
@@ -2072,6 +2043,54 @@ raise an error if the registration completes and the username conflicts.

 
inhibit_user_in_use_error: true
 

 

+
User session management

+

+
session_lifetime

+
Time that a user's session remains valid for, after they log in.

+
Note that this is not currently compatible with guest logins.

+
Note also that this is calculated at login time: changes are not applied retrospectively to users who have already
+logged in.

+
By default, this is infinite.

+
Example configuration:

+
session_lifetime: 24h
+

+

+
refresh_access_token_lifetime

+
Time that an access token remains valid for, if the session is using refresh tokens.

+
For more information about refresh tokens, please see the manual.

+
Note that this only applies to clients which advertise support for refresh tokens.

+
Note also that this is calculated at login time and refresh time: changes are not applied to
+existing sessions until they are refreshed.

+
By default, this is 5 minutes.

+
Example configuration:

+
refreshable_access_token_lifetime: 10m
+

+

+
refresh_token_lifetime: 24h

+
Time that a refresh token remains valid for (provided that it is not
+exchanged for another one first).
+This option can be used to automatically log-out inactive sessions.
+Please see the manual for more information.

+
Note also that this is calculated at login time and refresh time:
+changes are not applied to existing sessions until they are refreshed.

+
By default, this is infinite.

+
Example configuration:

+
refresh_token_lifetime: 24h
+

+

+
nonrefreshable_access_token_lifetime

+
Time that an access token remains valid for, if the session is NOT
+using refresh tokens.

+
Please note that not all clients support refresh tokens, so setting
+this to a short value may be inconvenient for some users who will
+then be logged out frequently.

+
Note also that this is calculated at login time: changes are not applied
+retrospectively to existing sessions for users that have already logged in.

+
By default, this is infinite.

+
Example configuration:

+
nonrefreshable_access_token_lifetime: 24h
+

+

 
Metrics

 
Config options related to metrics.

 

@@ -2295,14 +2314,12 @@ defaults to the server signing key.

 
Single sign-on integration

 
The following settings can be used to make Synapse use a single sign-on
 provider for authentication, instead of its internal password database.

-
You will probably also want to set the following options to false to
+
You will probably also want to set the following options to false to
 disable the regular login/registration flows:

 
-
You will also want to investigate the settings under the "sso" configuration
-section below.

 

 
saml2_config

 
Enable SAML2 for registration and login. Uses pysaml2. To learn more about pysaml and
-- 
cgit 1.5.1