diff options
| author | Michael Telatynski <7t3chguy@gmail.com> | 2024-04-26 09:54:30 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-04-26 09:54:30 +0100 |
| commit | 41fbe387d64c3b47202926711bb574d4a7b74d47 (patch) | |
| tree | e312813a7974f4760e9dd418777910bfab9533c8 | |
| parent | Rephrase enable_notifs configuration (#17116) (diff) | |
| download | synapse-41fbe387d64c3b47202926711bb574d4a7b74d47.tar.xz | |
Improve error message for cross signing reset with MSC3861 enabled (#17121)
| -rw-r--r-- | changelog.d/17121.bugfix | 1 | ||||
| -rw-r--r-- | synapse/rest/client/keys.py | 13 |
2 files changed, 9 insertions, 5 deletions
diff --git a/changelog.d/17121.bugfix b/changelog.d/17121.bugfix new file mode 100644 index 0000000000..f160839aac --- /dev/null +++ b/changelog.d/17121.bugfix @@ -0,0 +1 @@ +Improve error message for cross signing reset with MSC3861 enabled. diff --git a/synapse/rest/client/keys.py b/synapse/rest/client/keys.py index 86c9515854..a0017257ce 100644 --- a/synapse/rest/client/keys.py +++ b/synapse/rest/client/keys.py @@ -393,17 +393,20 @@ class SigningKeyUploadServlet(RestServlet): # time. Because there is no UIA in MSC3861, for now we throw an error if the # user tries to reset the device signing key when MSC3861 is enabled, but allow # first-time setup. - # - # XXX: We now have a get-out clause by which MAS can temporarily mark the master - # key as replaceable. It should do its own equivalent of user interactive auth - # before doing so. if self.hs.config.experimental.msc3861.enabled: # The auth service has to explicitly mark the master key as replaceable # without UIA to reset the device signing key with MSC3861. if is_cross_signing_setup and not master_key_updatable_without_uia: + config = self.hs.config.experimental.msc3861 + if config.account_management_url is not None: + url = f"{config.account_management_url}?action=org.matrix.cross_signing_reset" + else: + url = config.issuer + raise SynapseError( HTTPStatus.NOT_IMPLEMENTED, - "Resetting cross signing keys is not yet supported with MSC3861", + "To reset your end-to-end encryption cross-signing identity, " + f"you first need to approve it at {url} and then try again.", Codes.UNRECOGNIZED, ) # But first-time setup is fine |