summary refs log tree commit diff
path: root/docs (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Give the user a better error when they present bad SSO credsRichard van der Hoff2021-01-131-0/+8
| | | | | | | | | If a user tries to do UI Auth via SSO, but uses the wrong account on the SSO IdP, try to give them a better error. Previously, the UIA would claim to be successful, but then the operation in question would simply fail with "auth fail". Instead, serve up an error page which explains the failure.
* Register the /devices endpoint on workers. (#9092)Patrick Cloke2021-01-131-0/+1
|
* Remove user's avatar URL and displayname when deactivated. (#8932)Dirk Klimpel2021-01-121-0/+21
| | | This only applies if the user's data is to be erased.
* Also support remote users on the joined_rooms admin API. (#8948)David Teller2021-01-111-0/+4
| | | | For remote users, only the rooms which the server knows about are returned. Local users have all of their joined rooms returned.
* Use a chain cover index to efficiently calculate auth chain difference (#8868)Erik Johnston2021-01-113-0/+140
|
* Keycloak mapping_provider example (#9037) (#9057)Christopher Rücker2021-01-081-0/+4
| | | | | This PR adds the missing user_mapping_provider section in oidc.md Signed-off-by: Christopher Rücker chris-ruecker@protonmail.com
* Fix typo in docs/systemd-with-workers/README.md (#9035)Emelie2021-01-071-1/+1
| | | Signed-off-by: Emelie em@nao.sh
* Add initial support for a "pick your IdP" page (#9017)Richard van der Hoff2021-01-051-0/+25
| | | | | During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
* Update the value of group_creation_prefix in sample config. (#8992)Jerin J Titus2020-12-291-1/+1
| | | Removes the trailing slash with causes issues with matrix.to/Element.
* Allow redacting events on workers (#8994)Patrick Cloke2020-12-291-0/+1
| | | Adds the redacts endpoint to workers that have the client listener.
* Refactor the CAS handler in prep for using the abstracted SSO code. (#8958)Patrick Cloke2020-12-181-3/+3
| | | | | | This makes the CAS handler look more like the SAML/OIDC handlers: * Render errors to users instead of throwing JSON errors. * Internal reorganization.
* Send the location of the web client to the IS when inviting via 3PIDs. (#8930)Patrick Cloke2020-12-181-0/+6
| | | | Adds a new setting `email.invite_client_location` which, if defined, is passed to the identity server during invites.
* Allow server admin to get admin bit in rooms where local user is an admin ↵Erik Johnston2020-12-181-1/+19
| | | | | | | (#8756) This adds an admin API that allows a server admin to get power in a room if a local user has power in a room. Will also invite the user if they're not in the room and its a private room. Can specify another user (rather than the admin user) to be granted power. Co-authored-by: Matthew Hodgson <matthew@matrix.org>
* Implement a username picker for synapse (#8942)Richard van der Hoff2020-12-182-12/+21
| | | | | | | | | | | | | | The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks). The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up. Fixes #8876.
* Allow re-using a UI auth validation for a period of time (#8970)Patrick Cloke2020-12-181-0/+15
|
* Make search statement in List Room and User Admin API case-insensitive (#8931)Dirk Klimpel2020-12-171-3/+6
|
* Fix the sample config location for the ip_range_whitelist setting. (#8954)Patrick Cloke2020-12-161-12/+12
| | | | Move it from the federation section to the server section to match ip_range_blacklist.
* Allow spam-checker modules to be provide async methods. (#8890)David Teller2020-12-111-6/+13
| | | | Spam checker modules can now provide async methods. This is implemented in a backwards-compatible manner.
* Add number of local devices to Room Details Admin API (#8886)Dirk Klimpel2020-12-111-11/+13
|
* Deprecate Shutdown Room and Purge Room Admin API (#8829)Dirk Klimpel2020-12-103-9/+47
| | | | | Deprecate both APIs in favour of the Delete Room API. Related: #8663 and #8810
* Default to blacklisting reserved IP ranges and add a whitelist. (#8870)Patrick Cloke2020-12-091-21/+45
| | | | This defaults `ip_range_blacklist` to reserved IP ranges and also adds an `ip_range_whitelist` setting to override it.
* Combine related media admin API docs (#8839)Dirk Klimpel2020-12-092-50/+86
| | | | | | Related: #8810 Also a few small improvements. Signed-off-by: Dirk Klimpel dirk@klimpel.org
* Clarify config template comments (#8891)Richard van der Hoff2020-12-081-8/+4
|
* Add authentication to replication endpoints. (#8853)Patrick Cloke2020-12-042-1/+12
| | | | Authentication is done by checking a shared secret provided in the Synapse configuration file.
* Merge tag 'v1.24.0rc2' into developPatrick Cloke2020-12-041-0/+7
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.24.0rc2 (2020-12-04) ============================== Bugfixes -------- - Fix a regression in v1.24.0rc1 which failed to allow SAML mapping providers which were unable to redirect users to an additional page. ([\#8878](https://github.com/matrix-org/synapse/issues/8878)) Internal Changes ---------------- - Add support for the `prometheus_client` newer than 0.9.0. Contributed by Jordan Bancino. ([\#8875](https://github.com/matrix-org/synapse/issues/8875))
| * Fix a regression that mapping providers should be able to redirect users. ↵Patrick Cloke2020-12-041-0/+7
| | | | | | | | | | (#8878) This was broken in #8801.
* | Fix a buglet in the SAML username mapping provider doc (#8873)Richard van der Hoff2020-12-041-1/+3
| | | | | | the constructor is called with a `module_api`.
* | Apply an IP range blacklist to push and key revocation requests. (#8821)Patrick Cloke2020-12-021-6/+8
|/ | | | | | | | | | | | Replaces the `federation_ip_range_blacklist` configuration setting with an `ip_range_blacklist` setting with wider scope. It now applies to: * Federation * Identity servers * Push notifications * Checking key validitity for third-party invite events The old `federation_ip_range_blacklist` setting is still honored if present, but with reduced scope (it only applies to federation and identity servers).
* Fix typo in password_auth_providers docAndrew Morgan2020-12-011-0/+1
| | | | A word got removed accidentally in 83434df3812650f53c60e91fb23c2079db0fb5b8.
* Add a config option to change whether unread push notification counts are ↵Andrew Morgan2020-11-301-0/+10
| | | | | | | | per-message or per-room (#8820) This PR adds a new config option to the `push` section of the homeserver config, `group_unread_count_by_room`. By default Synapse will group push notifications by room (so if you have 1000 unread messages, if they lie in 55 rooms, you'll see an unread count on your phone of 55). However, it is also useful to be able to send out the true count of unread messages if desired. If `group_unread_count_by_room` is set to `false`, then with the above example, one would see an unread count of 1000 (email anyone?).
* Add `force_purge` option to delete-room admin api. (#8843)Richard van der Hoff2020-11-301-1/+5
|
* Improve documentation how to configure prometheus for workers (#8822)Dirk Klimpel2020-11-261-17/+57
|
* Remove deprecated `/_matrix/client/*/admin` endpoints (#8785)Dirk Klimpel2020-11-251-0/+7
| | | These are now only available via `/_synapse/admin/v1`.
* Fix the formatting of push config section (#8818)Andrew Morgan2020-11-251-14/+19
| | | This PR updates the push config's formatting to better align with our [code style guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format).
* Support trying multiple localparts for OpenID Connect. (#8801)Patrick Cloke2020-11-251-1/+10
| | | | Abstracts the SAML and OpenID Connect code which attempts to regenerate the localpart of a matrix ID if it is already in use.
* Clarify documentation of the admin list media API (#8795)Dirk Klimpel2020-11-241-0/+1
| | | Clarify that the list media API only shows media from unencrypted events.
* Update turn-howto (#8779)Richard van der Hoff2020-11-241-8/+123
| | | Some hopefully-useful notes on setting up a turnserver.
* Improve error checking for OIDC/SAML mapping providers (#8774)Patrick Cloke2020-11-191-1/+8
| | | | | | Checks that the localpart returned by mapping providers for SAML and OIDC are valid before registering new users. Extends the OIDC tests for existing users and invalid data.
* SAML: Allow specifying the IdP entityid to use. (#8630)Ben Banfield-Zanin2020-11-191-0/+8
| | | | If the SAML metadata includes multiple IdPs it is necessary to specify which IdP to redirect users to for authentication.
* SAML: Document allowing a clock/time difference from IdP (#8731)Marcus Schopen2020-11-181-0/+6
| | | | Updates the sample configuration with the pysaml2 configuration for accepting clock skew/drift between the homeserver and IdP.
* a comma too much (#8771)chagai952020-11-171-1/+1
| | | Signed-off-by: Chagai Friedlander chagai95@gmail.com
* Add admin API for logging in as a user (#8617)Erik Johnston2020-11-171-0/+35
|
* Clarify the usecase for an msisdn delegate (#8734)Adrian Wannenmacher2020-11-141-2/+3
| | | Signed-off-by: Adrian Wannenmacher <tfld@tfld.dev>
* Migrate documentation `docs/admin_api/event_reports` to markdown (#8742)Dirk Klimpel2020-11-132-165/+172
| | | Related to #8714. `event_reports.rst` was introduced in Synapse 1.21.0.
* SAML: add <mdui:UIInfo> element examples (#8718)Marcus Schopen2020-11-131-0/+22
| | | add some mdui:UIInfo element examples for saml2_config in homeserver.yaml
* Notes on SSO logins and media_repository worker (#8701)Marcus Schopen2020-11-061-0/+5
| | | | | | | If SSO login is used (e.g. SAML) in a multi worker setup, it should be mentioned that currently all SAML logins must run on the same worker, see https://github.com/matrix-org/synapse/issues/7530 Also, if you are using different ports (for example 443 and 8448) in a reverse proxy for client and federation, the path `/_matrix/media` on the client and federation port must point to the listener of the `media_repository` worker, otherwise you'll get a 404 on the federation port for the path `/_matrix/media`, if a remote server is trying to get the media object on federation port, see https://github.com/matrix-org/synapse/issues/8695
* Add an admin API for users' media statistics (#8700)Dirk Klimpel2020-11-051-0/+83
| | | | | | | | Add `GET /_synapse/admin/v1/statistics/users/media` to get statisics about local media usage by users. Related to #6094 It is the first API for statistics. Goal is to avoid/reduce usage of sql queries like [Wiki analyzing Synapse](https://github.com/matrix-org/synapse/wiki/SQL-for-analyzing-Synapse-PostgreSQL-database-stats) Signed-off-by: Dirk Klimpel dirk@klimpel.org
* Add `displayname` to Shared-Secret Registration for admins (#8722)Dirk Klimpel2020-11-051-1/+3
| | | Add `displayname` to Shared-Secret Registration for admins to `POST /_synapse/admin/v1/register`
* Remove the "draft" status of the Room Details Admin API (#8702)Dirk Klimpel2020-11-031-3/+1
| | | Fixes #8550
* Document how to set up multiple event persisters (#8706)Erik Johnston2020-11-031-0/+12
|
* grammarMatthew Hodgson2020-11-021-1/+1
|
* typoMatthew Hodgson2020-11-021-1/+1
|
* Fix typos in systemd-with-workers docAndrew Morgan2020-11-021-2/+2
|
* Fix typo in workers docAndrew Morgan2020-11-021-1/+1
|
* Improve the sample config for SSO (OIDC, SAML, and CAS). (#8635)Patrick Cloke2020-10-301-50/+76
|
* Support generating structured logs in addition to standard logs. (#8607)Patrick Cloke2020-10-292-43/+125
| | | | | | | This modifies the configuration of structured logging to be usable from the standard Python logging configuration. This also separates the formatting of logs from the transport allowing JSON logs to files or standard logs to sockets.
* Add an admin APIs to allow server admins to list users' pushers (#8610)Dirk Klimpel2020-10-281-0/+79
| | | Add an admin API `GET /_synapse/admin/v1/users/<user_id>/pushers` like https://matrix.org/docs/spec/client_server/latest#get-matrix-client-r0-pushers
* Cross-link documentation to the prometheus recording rules. (#8667)Michael Kaye2020-10-271-0/+2
|
* Add admin API to list users' local media (#8647)Dirk Klimpel2020-10-271-0/+83
| | | Add admin API `GET /_synapse/admin/v1/users/<user_id>/media` to get information of users' uploaded files.
* Split admin API for reported events into a detail and a list view (#8539)Dirk Klimpel2020-10-261-54/+90
| | | | | | | | | | | | Split admin API for reported events in detail und list view. API was introduced with #8217 in synapse v.1.21.0. It makes the list (`GET /_synapse/admin/v1/event_reports`) less complex and provides a better overview. The details can be queried with: `GET /_synapse/admin/v1/event_reports/<report_id>`. It is similar to room and users API. It is a kind of regression in `GET /_synapse/admin/v1/event_reports`. `event_json` was removed. But the api was introduced one version before and it is an admin API (not under spec). Signed-off-by: Dirk Klimpel dirk@klimpel.org
* Added basic instructions for Azure AD to OpenId documentation (#8582)Peter Krantz2020-10-261-0/+26
| | | Signed-off-by: Peter Krantz peter.krantz@gmail.com
* Add an admin api to delete local media. (#8519)Dirk Klimpel2020-10-261-0/+79
| | | | | | Related to: #6459, #3479 Add `DELETE /_synapse/admin/v1/media/<server_name>/<media_id>` to delete a single file from server.
* Fix filepath of Dex example config (#8657)Andrew Morgan2020-10-261-3/+2
|
* Correct the package name in OpenID Connect install instructions (#8634)Andrew Morgan2020-10-261-1/+1
|\ | | | | The OpenID Connect install instructions suggested installing `synapse[oidc]`, but our PyPI package is called `matrix-synapse`.
| * Correct the package name in authlib install instructionsAndrew Morgan2020-10-221-1/+1
| |
* | Add field `total` to device list in admin API (#8644)Dirk Klimpel2020-10-261-1/+4
| |
* | Fix typos and spelling errors. (#8639)Patrick Cloke2020-10-232-4/+4
|/
* Add note to manhole.md about bind_address when using with docker (#8526)Christopher May-Townsend2020-10-141-7/+39
| | | | Signed-off-by: Christopher May-Townsend <chris@maytownsend.co.uk>
* Update documentation on retention policies limits (#8529)Brendan Abolivier2020-10-141-12/+22
| | | | | * Update documentation on retention policies limits Document the changes from https://github.com/matrix-org/synapse/pull/8104
* Make event persisters periodically announce position over replication. (#8499)Erik Johnston2020-10-121-4/+9
| | | | | Currently background proccesses stream the events stream use the "minimum persisted position" (i.e. `get_current_token()`) rather than the vector clock style tokens. This is broadly fine as it doesn't matter if the background processes lag a small amount. However, in extreme cases (i.e. SyTests) where we only write to one event persister the background processes will never make progress. This PR changes it so that the `MultiWriterIDGenerator` keeps the current position of a given instance as up to date as possible (i.e using the latest token it sees if its not in the process of persisting anything), and then periodically announces that over replication. This then allows the "minimum persisted position" to advance, albeit with a small lag.
* Increase default max_upload_size from 10M to 50M (#8502)Mateusz Przybyłowicz2020-10-092-2/+2
| | | Signed-off-by: Mateusz Przybyłowicz <uamfhq@gmail.com>
* Combine `SpamCheckerApi` with the more generic `ModuleApi`. (#8464)Richard van der Hoff2020-10-071-6/+3
| | | | | Lots of different module apis is not easy to maintain. Rather than adding yet another ModuleApi(hs, hs.get_auth_handler()) incantation, first add an hs.get_module_api() method and use it where possible.
* Remove docs/sphinx and related references (#8480)Andrew Morgan2020-10-0758-820/+0
| | | https://github.com/matrix-org/synapse/tree/develop/docs/sphinx doesn't seem to really be utilised or changed recently since the initial commit. I like the idea of exportable documentation of the codebase, but at the moment after running through the build instructions the generated website wasn't very useful...
* Update default room version to 6 (#8461)Richard van der Hoff2020-10-051-1/+1
| | | | Per https://github.com/matrix-org/matrix-doc/pull/2788
* Update manhole documentation for async/await. (#8462)Patrick Cloke2020-10-051-2/+5
|
* Allow background tasks to be run on a separate worker. (#8369)Patrick Cloke2020-10-022-0/+22
|
* Add config option for always using "userinfo endpoint" for OIDC (#7658)BBBSnowball2020-10-012-9/+40
| | | This allows for connecting to certain IdPs, e.g. GitLab.
* Add prometheus metrics to track federation delays (#8430)Richard van der Hoff2020-10-011-0/+12
| | | | | Add a pair of federation metrics to track the delays in sending PDUs to/from particular servers.
* Allow additional SSO properties to be passed to the client (#8413)Patrick Cloke2020-09-303-1/+37
|
* Update description of server_name config option (#8415)Aaron Raimist2020-09-291-4/+17
|
* Add checks for postgres sequence consistency (#8402)Erik Johnston2020-09-281-0/+11
|
* Allow existing users to login via OpenID Connect. (#8345)Tdxdxoz2020-09-251-0/+5
| | | | | | | Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com> This adds configuration flags that will match a user to pre-existing users when logging in via OpenID Connect. This is useful when switching to an existing SSO system.
* Add note to reverse_proxy.md about disabling Apache's mod_security2 (#8375)Julian Fietkau2020-09-231-0/+8
| | | This change adds a note and a few lines of configuration settings for Apache users to disable ModSecurity for Synapse's virtual hosts. With ModSecurity enabled and running with its default settings, Matrix clients are unable to send chat messages through the Synapse installation. With this change, ModSecurity can be disabled only for the Synapse virtual hosts.
* Admin API for reported events (#8217)Dirk Klimpel2020-09-221-0/+129
| | | Add an admin API to read entries of table `event_reports`. API: `GET /_synapse/admin/v1/event_reports`
* Admin API for querying rooms where a user is a member (#8306)Dirk Klimpel2020-09-181-0/+37
| | | | Add a new admin API `GET /_synapse/admin/v1/users/<user_id>/joined_rooms` to list all rooms where a user is a member.
* Add the topic and avatar to the room details admin API (#8305)Tulir Asokan2020-09-141-0/+4
|
* Improve SAML error messages (#8248)Patrick Cloke2020-09-141-26/+4
|
* Merge tag 'v1.20.0rc3' into developPatrick Cloke2020-09-111-1/+0
|\ | | | | | | | | | | | | | | | | | | Synapse 1.20.0rc3 (2020-09-11) ============================== Bugfixes -------- - Fix a bug introduced in v1.20.0rc1 where the wrong exception was raised when invalid JSON data is encountered. ([\#8291](https://github.com/matrix-org/synapse/issues/8291))
| * Remove shared rooms info from upgrade/workers doc as it's still experimental ↵Andrew Morgan2020-09-101-1/+0
| | | | | | | | (#8290)
* | Add /_synapse/client to the reverse proxy docs (#8227)Andrew Morgan2020-09-102-2/+22
| | | | | | This PR adds a information about forwarding `/_synapse/client` endpoints through your reverse proxy. The first of these endpoints are introduced in https://github.com/matrix-org/synapse/pull/8004.
* | Show a confirmation page during user password reset (#8004)Andrew Morgan2020-09-101-3/+7
| | | | | | | | | | This PR adds a confirmation step to resetting your user password between clicking the link in your email and your password actually being reset. This is to better align our password reset flow with the industry standard of requiring a confirmation from the user after email validation.
* | Add a config option for validating 'next_link' parameters against a domain ↵Andrew Morgan2020-09-081-0/+18
|/ | | | | | | | | | | whitelist (#8275) This is a config option ported over from DINUM's Sydent: https://github.com/matrix-org/sydent/pull/285 They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality. This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to https://github.com/matrix-org/synapse/pull/8004, but across all `*/submit_token` endpoint. This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.
* Systemd docs: configure workers to start after main process. (#8276)Richard van der Hoff2020-09-081-0/+5
|
* Add /user/{user_id}/shared_rooms/ api (#7785)Will Hunt2020-09-021-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Add shared_rooms api * Add changelog * Add . * Wrap response in {"rooms": } * linting * Add unstable_features key * Remove options from isort that aren't part of 5.x `-y` and `-rc` are now default behaviour and no longer exist. `dont-skip` is no longer required https://timothycrosley.github.io/isort/CHANGELOG/#500-penny-july-4-2020 * Update imports to make isort happy * Add changelog * Update tox.ini file with correct invocation * fix linting again for isort * Vendor prefix unstable API * Fix to match spec * import Codes * import Codes * Use FORBIDDEN * Update changelog.d/7785.feature Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> * Implement get_shared_rooms_for_users * a comma * trailing whitespace * Handle the easy feedback * Switch to using runInteraction * Add tests * Feedback * Seperate unstable endpoint from v2 * Add upgrade node * a line * Fix style by adding a blank line at EOF. * Update synapse/storage/databases/main/user_directory.py Co-authored-by: Tulir Asokan <tulir@maunium.net> * Update synapse/storage/databases/main/user_directory.py Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> * Update UPGRADE.rst Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> * Fix UPGRADE/CHANGELOG unstable paths unstable unstable unstable Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Co-authored-by: Tulir Asokan <tulir@maunium.net> Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com> Co-authored-by: Tulir Asokan <tulir@maunium.net>
* Explain better what GDPR-erased means (#8189)Brendan Abolivier2020-09-011-3/+5
| | | Fixes https://github.com/matrix-org/synapse/issues/8185
* Wording fixes to 'name' user admin api filter (#8163)Andrew Morgan2020-08-251-3/+4
| | | Some fixes to wording I noticed after merging #7377.
* Fix missing double-backtick in RST documentAndrew Morgan2020-08-251-1/+1
|
* Search in columns 'name' and 'displayname' in the admin users endpoint (#7377)Manuel Stahl2020-08-251-2/+4
| | | | | * Search in columns 'name' and 'displayname' in the admin users endpoint Signed-off-by: Manuel Stahl <manuel.stahl@awesome-technologies.de>
* Allow capping a room's retention policy (#8104)Brendan Abolivier2020-08-241-8/+14
|
* Updated docs: Added note about missing 308 redirect support. (#8120)Ryan Cole2020-08-191-0/+12
| | | | | * Updated docs: Added note about missing 308 redirect support. * Added changelog
* Add a link to the matrix-synapse-rest-password-provider. (#8111)Patrick Cloke2020-08-181-0/+1
|
* Use the default templates when a custom template file cannot be found (#8037)Andrew Morgan2020-08-171-3/+1
| | | Fixes https://github.com/matrix-org/synapse/issues/6583
* Move setting of Filter into code.Erik Johnston2020-08-111-7/+0
| | | | | | | | | | | | | | We do this to prevent foot guns. The default config uses a MemoryFilter, but users are free to change to logging to files directly. If they do then they have to ensure to set the `filters: [context]` on the right handler, otherwise records get written with the wrong context. Instead we move the logic to happen when we generate a record, which is when we *log* rather than *handle*. (It's possible to add filters to loggers in the config, however they don't apply to descendant loggers and so they have to be manually set on *every* logger used in the code base)
* Change the default log config to reduce disk I/O and storage (#8040)Erik Johnston2020-08-111-5/+36
| | | | | | | | | | | | | | | | | | | | * Change default log config to buffer by default. This batches up writes to the filesystem, which is more efficient for disk I/O. This means that it can take some time for logs to get written to disk. Note that ERROR logs (and above) immediately flush the buffer. This only effects new installs, as we only write the log config if started with `--generate-config` (in the same way we do for generating signing keys). * Default to keeping last 4 days of logs. This hopefully reduces the amount of logs kept for new servers. Keeping the last 1GB of logs is likely overkill for new servers, but equally may not be enough for busy ones. Instead, we keep the last four days worth of logs, enough so that admins can investigate any problems that happened over e.g. a long weekend.
* Implement login blocking based on SAML attributes (#8052)Richard van der Hoff2020-08-111-0/+11
| | | | | | | Hopefully this mostly speaks for itself. I also did a bit of cleaning up of the error handling. Fixes #8047
* Clarify that undoing a shutdown might not be possible (#8010)Travis Ralston2020-08-071-3/+10
|
* Add health check endpoint (#8048)Erik Johnston2020-08-071-0/+7
|
* Fixup worker doc (again) (#8000)Erik Johnston2020-08-062-14/+42
|
* Rename database classes to make some sense (#8033)Erik Johnston2020-08-051-1/+1
|
* Merge branch 'develop' of github.com:matrix-org/synapse into ↵Erik Johnston2020-07-317-50/+95
|\ | | | | | | erikj/add_rate_limiting_to_joins
| * Add docs for undoing room shutdowns (#7998)Travis Ralston2020-07-311-1/+21
| | | | | | These docs were tested successfully in production by a customer, so it's probably fine.
| * Update workers docs (#7990)Stuart Mumford2020-07-301-25/+34
| |
| * Fix typo in docs/workers.md (#7992)Erik Johnston2020-07-301-1/+1
| |
| * Merge branch 'master' into developOlivier Wilkinson (reivilibre)2020-07-303-213/+332
| |\
| * | Various improvements to the docs (#7899)Aaron Raimist2020-07-293-18/+25
| | |
| * | Add an option to disable purge in delete room admin API (#7964)Dirk Klimpel2020-07-281-4/+9
| | | | | | | | | | | | | | | | | | Add option ```purge``` to ```POST /_synapse/admin/v1/rooms/<room_id>/delete``` Fixes: #3761 Signed-off-by: Dirk Klimpel dirk@klimpel.org
| * | Option to allow server admins to join complex rooms (#7902)lugino-emeritus2020-07-281-0/+4
| | | | | | | | | | | | | | | Fixes #7901. Signed-off-by: Niklas Tittjung <nik_t.01@web.de>
| * | Fix typo in metrics docs (#7966)Erik Johnston2020-07-281-1/+1
| | |
* | | Add ratelimiting on joinsErik Johnston2020-07-311-0/+12
| |/ |/|
* | Update worker docs with recent enhancements (#7969)Erik Johnston2020-07-293-213/+332
|/
* Update the auth providers to be async. (#7935)Patrick Cloke2020-07-231-93/+94
|
* Update the dates for ACME v1 EOLBrendan Abolivier2020-07-221-2/+3
| | | | As per https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
* Fix a typo in the sample config. (#7890)Adrian2020-07-201-1/+1
|
* Change sample config's postgres user to synapse_user (#7889)Andrew Morgan2020-07-201-1/+1
| | | | | | | The [postgres setup docs](https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#set-up-database) recommend setting up your database with user `synapse_user`. However, uncommenting the postgres defaults in the sample config leave you with user `synapse`. This PR switches the sample config to recommend `synapse_user`. Took a me a second to figure this out, so assume this will beneficial to others.
* Add a default limit (of 100) to get/sync operations. (#7858)Patrick Cloke2020-07-171-1/+3
|
* Add admin endpoint to get members in a room. (#7842)Michael Albert2020-07-161-1/+33
|
* Combine nginx federation server blocks (#7823)Luke Faraone2020-07-161-11/+5
| | | | | | I'm pretty sure there's no technical reason these have to be distinct server blocks, so collapse into one and go with the more terse location block. Signed-off-by: Luke W Faraone <luke@faraone.cc>
* Allow accounts to be re-activated from the admin APIs. (#7847)Patrick Cloke2020-07-151-1/+5
|
* Return the proper 403 Forbidden error during errors with JWT logins. (#7844)Patrick Cloke2020-07-151-4/+1
|
* Allow email subjects to be customised through Synapse's configuration (#7846)Brendan Abolivier2020-07-141-2/+69
|
* Add delete room admin endpoint (#7613)Dirk Klimpel2020-07-143-0/+98
| | | | | | | | | | | | | | | | | | The Delete Room admin API allows server admins to remove rooms from server and block these rooms. `DELETE /_synapse/admin/v1/rooms/<room_id>` It is a combination and improvement of "[Shutdown room](https://github.com/matrix-org/synapse/blob/develop/docs/admin_api/shutdown_room.md)" and "[Purge room](https://github.com/matrix-org/synapse/blob/develop/docs/admin_api/purge_room.md)" API. Fixes: #6425 It also fixes a bug in [synapse/storage/data_stores/main/room.py](synapse/storage/data_stores/main/room.py) in ` get_room_with_stats`. It should return `None` if the room is unknown. But it returns an `IndexError`. https://github.com/matrix-org/synapse/blob/901b1fa561e3cc661d78aa96d59802cf2078cb0d/synapse/storage/data_stores/main/room.py#L99-L105 Related to: - #5575 - https://github.com/Awesome-Technologies/synapse-admin/issues/17 Signed-off-by: Dirk Klimpel dirk@klimpel.org
* Add the option to validate the `iss` and `aud` claims for JWT logins. (#7827)Patrick Cloke2020-07-142-3/+34
|
* Add ability to shard the federation sender (#7798)Erik Johnston2020-07-101-32/+33
|
* Change Caddy links (old is deprecated) (#7789)Nicolai Søborg2020-07-081-1/+1
| | | | | | | * Change Caddy links Current links points to Caddy v1 which is deprecated. Signed-off-by: Nicolai Søborg <git@xn--sb-lka.org>
* Add documentation for JWT login type and improve sample config. (#7776)Patrick Cloke2020-07-062-4/+121
|
* Additional configuration options for auto-join rooms (#7763)Patrick Cloke2020-06-301-2/+58
|
* Support running multiple media repos. (#7706)Erik Johnston2020-06-171-1/+6
| | | | | This requires a new config option to specify which media repo should be responsible for running background jobs to e.g. clear out expired URL preview caches.
* fix broken link in sample config (#7712)Richard van der Hoff2020-06-161-1/+1
|
* Add instructions for authing with Keycloak via OpenID (#7659)hungrymonkey2020-06-161-0/+44
|
* Increase the default SAML session expirary time to 15 minutes. (#7664)Patrick Cloke2020-06-111-1/+1
|
* fix typo in sample_config.yaml (#7652)wondratsch2020-06-111-1/+1
| | | | | Just a simple typo fix. Signed-off-by: wondratsch 28294257+wondratsch@users.noreply.github.com
* Add option to enable encryption by default for new rooms (#7639)Andrew Morgan2020-06-101-0/+20
| | | | | | | | | Fixes https://github.com/matrix-org/synapse/issues/2431 Adds config option `encryption_enabled_by_default_for_room_type`, which determines whether encryption should be enabled with the default encryption algorithm in private or public rooms upon creation. Whether the room is private or public is decided based upon the room creation preset that is used. Part of this PR is also pulling out all of the individual instances of `m.megolm.v1.aes-sha2` into a constant variable to eliminate typos ala https://github.com/matrix-org/synapse/pull/7637 Based on #7637
* Add an option to disable autojoin for guest accounts (#6637)Travis Ralston2020-06-051-0/+7
| | | | Fixes https://github.com/matrix-org/synapse/issues/3177
* Clarifications to the admin api documentation (#7647)Richard van der Hoff2020-06-057-89/+125
| | | | | | * Clarify how to authenticate * path params are not the same thing as query params * Fix documentation for `/_synapse/admin/v2/users/<user_id>`
* Add device management to admin API (#7481)Dirk Klimpel2020-06-051-0/+209
| | | | | | | | | | - Admin is able to - change displaynames - delete devices - list devices - get device informations Fixes #7330
* Cleanups to the OpenID Connect integration (#7628)Richard van der Hoff2020-06-033-241/+302
| | | | docs, default configs, comments. Nothing very significant.
* Clean up exception handling in SAML2ResponseResource (#7614)Richard van der Hoff2020-06-031-1/+7
| | | | | | | | | | | | | * Expose `return_html_error`, and allow it to take a Jinja2 template instead of a raw string * Clean up exception handling in SAML2ResponseResource * use the existing code in `return_html_error` instead of re-implementing it (giving it a jinja2 template rather than inventing a new form of template) * do the exception-catching in the REST layer rather than in the handler layer, to make sure we catch all exceptions.
* allow emails to be passed through SAML (#7385)Christopher Cooper2020-05-271-0/+2
| | | Signed-off-by: Christopher Cooper <cooperc@ocf.berkeley.edu>
* Fix sample config docs error (#7581)Jason Robinson2020-05-271-1/+1
| | | | | | 'client_auth_method' commented out value was erronously 'client_auth_basic', when code and docstring says it should be 'client_secret_basic'. Signed-off-by: Jason Robinson <jasonr@matrix.org>
* Fix up commentsErik Johnston2020-05-271-1/+1
|
* Fix specifying cache factors via env vars with * in name. (#7580)Erik Johnston2020-05-271-0/+6
| | | | | This mostly applise to `*stateGroupCache*` and co. Broke in #6391.
* Fix some DETECTED VIOLATIONS in the config file (#7550)Richard van der Hoff2020-05-221-26/+35
| | | consistency ftw
* Ensure worker config exists in systemd service (#7528)David Vo2020-05-211-1/+1
|
* Minor clarifications to the TURN docs (#7533)Richard van der Hoff2020-05-201-15/+42
|
* Improve API doc readability (#7527)Paul Tötterman2020-05-191-10/+11
|
* Formatting for reverse-proxy docs (#7514)Richard van der Hoff2020-05-151-68/+78
| | | also a small clarification to nginx
* Add Caddy 2 example (#7463)Jeff Peeler2020-05-151-1/+11
| | | | | | | | | | The specific headers that are passed using this new configuration format are Host and X-Forwarded-For, which should be all that's required. Note that for production another matcher should be added in the first section to properly handle the base_url lookup: reverse_proxy /.well-known/matrix/* http://localhost:8008 Signed-off-by: Jeff Peeler <jpeeler@gmail.com>
* Merge branch 'master' into developRichard van der Hoff2020-05-145-4/+152
|\
| * Notes on using git (#7496)Richard van der Hoff2020-05-144-0/+148
| | | | | | | | | | | | | | * general updates to CONTRIBUTING.md * notes on updating your PR * Notes on squash-merging or otherwise * document git branching model
| * Update reverse_proxy.mdRichard van der Hoff2020-05-051-4/+4
| | | | | | a couple of cleanups
| * Merge tag 'v1.12.4'Patrick Cloke2020-04-231-0/+2
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse v1.12.4 Features: * Always send users their own device updates. (#7160) * Add support for handling GET requests for account_data on a worker. (#7311) Bugfixes: * Fix a bug that prevented cross-signing with users on worker-mode synapses. (#7255) * Do not treat display names as globs in push rules. (#7271) * Fix a bug with cross-signing devices belonging to remote users who did not share a room with any user on the local homeserver. (#7289)
* | | Update documentation about SSO mapping providers (#7458)Patrick Cloke2020-05-122-77/+146
| | |
* | | Allow configuration of Synapse's cache without using synctl or environment ↵Amber Brown2020-05-111-4/+39
| | | | | | | | | | | | variables (#6391)
* | | Merge branch 'release-v1.13.0' into developAndrew Morgan2020-05-111-60/+107
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * release-v1.13.0: Don't UPGRADE database rows RST indenting Put rollback instructions in upgrade notes Fix changelog typo Oh yeah, RST Absolute URL it is then Fix upgrade notes link Provide summary of upgrade issues in changelog. Fix ) Move next version notes from changelog to upgrade notes Changelog fixes 1.13.0rc1 Documentation on setting up redis (#7446) Rework UI Auth session validation for registration (#7455) Fix errors from malformed log line (#7454) Drop support for redis.dbid (#7450)
| * | | Documentation on setting up redis (#7446)Neil Johnson2020-05-111-60/+107
| | | |
* | | | Extend spam checker to allow for multiple modules (#7435)Andrew Morgan2020-05-082-11/+23
| | | |
* | | | Implement OpenID Connect-based login (#7256)Quentin Gliech2020-05-082-0/+270
| | | |
* | | | Add room details admin endpoint (#7317)Manuel Stahl2020-05-071-0/+54
| | | |
* | | | Merge branch 'release-v1.13.0' into developBrendan Abolivier2020-05-071-0/+12
|\| | |
| * | | Add a configuration setting for the dummy event threshold (#7422)Brendan Abolivier2020-05-071-0/+12
| | | | | | | | | | | | Add dummy_events_threshold which allows configuring the number of forward extremities a room needs for Synapse to send forward extremities in it.
* | | | Support any process writing to cache invalidation stream. (#7436)Erik Johnston2020-05-071-4/+0
|/ / /
* | | Add instance name to RDATA/POSITION commands (#7364)Erik Johnston2020-04-291-17/+24
| | | | | | | | | | | | | | | This is primarily for allowing us to send those commands from workers, but for now simply allows us to ignore echoed RDATA/POSITION commands that we sent (we get echoes of sent commands when using redis). Currently we log a WARNING on the master process every time we receive an echoed RDATA.
* | | Clean up admin api docs (#7361)Andrew Morgan2020-04-281-18/+42
| | |
* | | Return total number of users and profile attributes in admin users endpoint ↵Manuel Stahl2020-04-281-3/+8
| | | | | | | | | | | | | | | (#6881) Signed-off-by: Manuel Stahl <manuel.stahl@awesome-technologies.de>
* | | Document monitoring workers (#7357)Brendan Abolivier2020-04-271-0/+25
| | | | | | | | | It doesn't seem to be documented anywhere and means that you suddenly start losing metrics without any obvious reason when you go from monolith to workers (e.g. #7312).
* | | Add some explanation to application_services.md (#7091)lub2020-04-271-0/+4
| | | | | | | | | Signed-off-by: Simon Körner <git@lubiland.de>
* | | Add documentation to the sample config about the templates for SSO. (#7343)Patrick Cloke2020-04-241-0/+24
| | |
* | | Revert "Revert "Merge pull request #7315 from ↵Brendan Abolivier2020-04-231-0/+10
| | | | | | | | | | | | | | | | | | matrix-org/babolivier/request_token"" This reverts commit 1adf6a55870aa08de272591ff49db9dc49738076.
* | | Merge branch 'master' into developBrendan Abolivier2020-04-231-1/+1
|\| |
| * | Revert "Merge pull request #7315 from matrix-org/babolivier/request_token"Brendan Abolivier2020-04-231-10/+0
| | | | | | | | | | | | | | | This reverts commit 6f4319368b3afab661c55367b9348f9b77bc04a5, reversing changes made to 0d775fcc2d0c7b6a07dad5430256d4d6c75a9f0d.
| * | Merge pull request #7315 from matrix-org/babolivier/request_tokenBrendan Abolivier2020-04-231-0/+10
| |\ \ | | | | | | | | Config option to inhibit 3PID errors on /requestToken
| | * | Config option to inhibit 3PID errors on /requestTokenBrendan Abolivier2020-04-221-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds a request_token_inhibit_errors configuration flag (disabled by default) which, if enabled, change the behaviour of all /requestToken endpoints so that they return a 200 and a fake sid if the 3PID was/was not found associated with an account (depending on the endpoint), instead of an error. Co-Authored-By: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
| * | | Improve example TURN configuration in documentation (#7284)nataraj-hates-MS-for-stealing-github2020-04-171-1/+1
| | | |
| * | | Revert "Merge pull request #7153 from ↵Richard van der Hoff2020-04-031-4/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | matrix-org/babolivier/sso_whitelist_login_fallback" This was incorrectly merged to master. This reverts commit 319c41f573eb14a966367b60b2e6e93bf6b028d9, reversing changes made to 229eb81498b0fe1da81e9b5b333a0285acde9446.
| * | | Merge pull request #7153 from matrix-org/babolivier/sso_whitelist_login_fallbackBrendan Abolivier2020-03-271-0/+4
| |\ \ \ | | | | | | | | | | Always whitelist the login fallback for SSO
| | * | | Update the wording of the config commentBrendan Abolivier2020-03-271-3/+3
| | | | |
| | * | | Regenerate sample configBrendan Abolivier2020-03-261-1/+5
| | |/ /
* | | | Stop the master relaying USER_SYNC for other workers (#7318)Richard van der Hoff2020-04-221-5/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Long story short: if we're handling presence on the current worker, we shouldn't be sending USER_SYNC commands over replication. In an attempt to figure out what is going on here, I ended up refactoring some bits of the presencehandler code, so the first 4 commits here are non-functional refactors to move this code slightly closer to sanity. (There's still plenty to do here :/). Suggest reviewing individual commits. Fixes (I hope) #7257.
* | | | Extend room admin api with additional attributes (#7225)Dirk Klimpel2020-04-221-7/+100
| | | |
* | | | Merge branch 'release-v1.12.4' into developRichard van der Hoff2020-04-221-0/+2
|\ \ \ \ | | |_|/ | |/| |
| * | | Support GET account_data requests on a worker (#7311)Richard van der Hoff2020-04-211-0/+2
| | |/ | |/|
* | | Fix indention in generated config file (#7300)Lars Franke2020-04-201-26/+26
| | | | | | | | | | | | | | | | | | Also adjust sample_config.yaml Signed-off-by: Lars Franke <frcl@mailbox.org>
* | | Clarify the comments for media_storage_providers options (#7272)Tristan Lins2020-04-171-4/+3
| | |
* | | Allow specifying the value of Accept-Language header for URL previews (#7265)Andrew Morgan2020-04-151-0/+25
| | |
* | | Add setting to nginx configuration to allow larger file uploads (#7251)Ryan Hovland2020-04-131-0/+3
| | |
* | | Add matrix-synapse-shared-secret-auth as an example password provider (#7248)Andrew Morgan2020-04-091-0/+1
| | |
* | | Make systemd-with-workers doc official (#7234)Richard van der Hoff2020-04-086-15/+160
| | | | | | | | | | | | Simplify and update this documentation, and make it part of the core dist.
* | | Add documentation to password_providers config option (#7238)Andrew Morgan2020-04-082-2/+17
| | |
* | | Extend web_client_location to handle absolute URLs (#7006)Martin Milata2020-04-031-3/+8
| | | | | | | | | | | | | | | Log warning when filesystem path is used. Signed-off-by: Martin Milata <martin@martinmilata.cz>
* | | Update postgres.md (#7119)siroccal2020-04-011-1/+27
| | |
* | | Improve TURN documentation. (#7167)Jostein Kjønigsen2020-03-311-0/+7
| | |
* | | Fix a small typo in the `metrics_flags` config option. (#7171)Andrew Morgan2020-03-301-1/+1
| | |
* | | Remove usage of "conn_id" for presence. (#7128)Erik Johnston2020-03-301-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Remove `conn_id` usage for UserSyncCommand. Each tcp replication connection is assigned a "conn_id", which is used to give an ID to a remotely connected worker. In a redis world, there will no longer be a one to one mapping between connection and instance, so instead we need to replace such usages with an ID generated by the remote instances and included in the replicaiton commands. This really only effects UserSyncCommand. * Add CLEAR_USER_SYNCS command that is sent on shutdown. This should help with the case where a synchrotron gets restarted gracefully, rather than rely on 5 minute timeout.
* | | Add developer documentation for running a local CAS server (#7147)Patrick Cloke2020-03-302-2/+70
| | |
* | | Always whitelist the login fallback for SSO (#7153)Richard van der Hoff2020-03-271-0/+4
| | | | | | | | | | | | | | | | | | | | | That fallback sets the redirect URL to itself (so it can process the login token then return gracefully to the client). This would make it pointless to ask the user for confirmation, since the URL the confirmation page would be showing wouldn't be the client's.
* | | Admin API to join users to a room. (#7051)Dirk Klimpel2020-03-271-0/+34
| | |
* | | Add options to prevent users from changing their profile. (#7096)Dirk Klimpel2020-03-271-0/+23
| | |
* | | Allow server admins to define and enforce a password policy (MSC2000). (#7118)Dirk Klimpel2020-03-261-0/+35
| | |
* | | Remove unused captcha_bypass_secret option (#7137)Aaron Raimist2020-03-251-4/+0
| | | | | | | | | Signed-off-by: Aaron Raimist <aaron@raim.ist>
* | | Move catchup of replication streams to worker. (#7024)Erik Johnston2020-03-251-33/+13
| | | | | | | | | This changes the replication protocol so that the server does not send down `RDATA` for rows that happened before the client connected. Instead, the server will send a `POSITION` and clients then query the database (or master out of band) to get up to date.
* | | Clean up some LoggingContext stuff (#7120)Richard van der Hoff2020-03-241-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Pull Sentinel out of LoggingContext ... and drop a few unnecessary references to it * Factor out LoggingContext.current_context move `current_context` and `set_context` out to top-level functions. Mostly this means that I can more easily trace what's actually referring to LoggingContext, but I think it's generally neater. * move copy-to-parent into `stop` this really just makes `start` and `stop` more symetric. It also means that it behaves correctly if you manually `set_log_context` rather than using the context manager. * Replace `LoggingContext.alive` with `finished` Turn `alive` into `finished` and make it a bit better defined.
* | | Merge branch 'master' into developRichard van der Hoff2020-03-231-2/+1
|\ \ \ | | |/ | |/|
| * | Merge tag 'v1.12.0'Richard van der Hoff2020-03-234-6/+31
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.12.0 (2020-03-23) =========================== No significant changes since 1.12.0rc1. Debian packages and Docker images are rebuilt using the latest versions of dependency libraries, including Twisted 20.3.0. **Please see security advisory below**. Security advisory ----------------- Synapse may be vulnerable to request-smuggling attacks when it is used with a reverse-proxy. The vulnerabilties are fixed in Twisted 20.3.0, and are described in [CVE-2020-10108](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10108) and [CVE-2020-10109](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10109). For a good introduction to this class of request-smuggling attacks, see https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn. We are not aware of these vulnerabilities being exploited in the wild, and do not believe that they are exploitable with current versions of any reverse proxies. Nevertheless, we recommend that all Synapse administrators ensure that they have the latest versions of the Twisted library to ensure that their installation remains secure. * Administrators using the [`matrix.org` Docker image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu packages from `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages) should ensure that they have version 1.12.0 installed: these images include Twisted 20.3.0. * Administrators who have [installed Synapse from source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source) should upgrade Twisted within their virtualenv by running: ```sh <path_to_virtualenv>/bin/pip install 'Twisted>=20.3.0' ``` * Administrators who have installed Synapse from distribution packages should consult the information from their distributions. The `matrix.org` Synapse instance was not vulnerable to these vulnerabilities. Advance notice of change to the default `git` branch for Synapse ---------------------------------------------------------------- Currently, the default `git` branch for Synapse is `master`, which tracks the latest release. After the release of Synapse 1.13.0, we intend to change this default to `develop`, which is the development tip. This is more consistent with common practice and modern `git` usage. Although we try to keep `develop` in a stable state, there may be occasions where regressions creep in. Developers and distributors who have scripts which run builds using the default branch of `Synapse` should therefore consider pinning their scripts to `master`. Synapse 1.12.0rc1 (2020-03-19) ============================== Features -------- - Changes related to room alias management ([MSC2432](https://github.com/matrix-org/matrix-doc/pull/2432)): - Publishing/removing a room from the room directory now requires the user to have a power level capable of modifying the canonical alias, instead of the room aliases. ([\#6965](https://github.com/matrix-org/synapse/issues/6965)) - Validate the `alt_aliases` property of canonical alias events. ([\#6971](https://github.com/matrix-org/synapse/issues/6971)) - Users with a power level sufficient to modify the canonical alias of a room can now delete room aliases. ([\#6986](https://github.com/matrix-org/synapse/issues/6986)) - Implement updated authorization rules and redaction rules for aliases events, from [MSC2261](https://github.com/matrix-org/matrix-doc/pull/2261) and [MSC2432](https://github.com/matrix-org/matrix-doc/pull/2432). ([\#7037](https://github.com/matrix-org/synapse/issues/7037)) - Stop sending m.room.aliases events during room creation and upgrade. ([\#6941](https://github.com/matrix-org/synapse/issues/6941)) - Synapse no longer uses room alias events to calculate room names for push notifications. ([\#6966](https://github.com/matrix-org/synapse/issues/6966)) - The room list endpoint no longer returns a list of aliases. ([\#6970](https://github.com/matrix-org/synapse/issues/6970)) - Remove special handling of aliases events from [MSC2260](https://github.com/matrix-org/matrix-doc/pull/2260) added in v1.10.0rc1. ([\#7034](https://github.com/matrix-org/synapse/issues/7034)) - Expose the `synctl`, `hash_password` and `generate_config` commands in the snapcraft package. Contributed by @devec0. ([\#6315](https://github.com/matrix-org/synapse/issues/6315)) - Check that server_name is correctly set before running database updates. ([\#6982](https://github.com/matrix-org/synapse/issues/6982)) - Break down monthly active users by `appservice_id` and emit via Prometheus. ([\#7030](https://github.com/matrix-org/synapse/issues/7030)) - Render a configurable and comprehensible error page if something goes wrong during the SAML2 authentication process. ([\#7058](https://github.com/matrix-org/synapse/issues/7058), [\#7067](https://github.com/matrix-org/synapse/issues/7067)) - Add an optional parameter to control whether other sessions are logged out when a user's password is modified. ([\#7085](https://github.com/matrix-org/synapse/issues/7085)) - Add prometheus metrics for the number of active pushers. ([\#7103](https://github.com/matrix-org/synapse/issues/7103), [\#7106](https://github.com/matrix-org/synapse/issues/7106)) - Improve performance when making HTTPS requests to sygnal, sydent, etc, by sharing the SSL context object between connections. ([\#7094](https://github.com/matrix-org/synapse/issues/7094)) Bugfixes -------- - When a user's profile is updated via the admin API, also generate a displayname/avatar update for that user in each room. ([\#6572](https://github.com/matrix-org/synapse/issues/6572)) - Fix a couple of bugs in email configuration handling. ([\#6962](https://github.com/matrix-org/synapse/issues/6962)) - Fix an issue affecting worker-based deployments where replication would stop working, necessitating a full restart, after joining a large room. ([\#6967](https://github.com/matrix-org/synapse/issues/6967)) - Fix `duplicate key` error which was logged when rejoining a room over federation. ([\#6968](https://github.com/matrix-org/synapse/issues/6968)) - Prevent user from setting 'deactivated' to anything other than a bool on the v2 PUT /users Admin API. ([\#6990](https://github.com/matrix-org/synapse/issues/6990)) - Fix py35-old CI by using native tox package. ([\#7018](https://github.com/matrix-org/synapse/issues/7018)) - Fix a bug causing `org.matrix.dummy_event` to be included in responses from `/sync`. ([\#7035](https://github.com/matrix-org/synapse/issues/7035)) - Fix a bug that renders UTF-8 text files incorrectly when loaded from media. Contributed by @TheStranjer. ([\#7044](https://github.com/matrix-org/synapse/issues/7044)) - Fix a bug that would cause Synapse to respond with an error about event visibility if a client tried to request the state of a room at a given token. ([\#7066](https://github.com/matrix-org/synapse/issues/7066)) - Repair a data-corruption issue which was introduced in Synapse 1.10, and fixed in Synapse 1.11, and which could cause `/sync` to return with 404 errors about missing events and unknown rooms. ([\#7070](https://github.com/matrix-org/synapse/issues/7070)) - Fix a bug causing account validity renewal emails to be sent even if the feature is turned off in some cases. ([\#7074](https://github.com/matrix-org/synapse/issues/7074)) Improved Documentation ---------------------- - Updated CentOS8 install instructions. Contributed by Richard Kellner. ([\#6925](https://github.com/matrix-org/synapse/issues/6925)) - Fix `POSTGRES_INITDB_ARGS` in the `contrib/docker/docker-compose.yml` example docker-compose configuration. ([\#6984](https://github.com/matrix-org/synapse/issues/6984)) - Change date in [INSTALL.md](./INSTALL.md#tls-certificates) for last date of getting TLS certificates to November 2019. ([\#7015](https://github.com/matrix-org/synapse/issues/7015)) - Document that the fallback auth endpoints must be routed to the same worker node as the register endpoints. ([\#7048](https://github.com/matrix-org/synapse/issues/7048)) Deprecations and Removals ------------------------- - Remove the unused query_auth federation endpoint per [MSC2451](https://github.com/matrix-org/matrix-doc/pull/2451). ([\#7026](https://github.com/matrix-org/synapse/issues/7026)) Internal Changes ---------------- - Add type hints to `logging/context.py`. ([\#6309](https://github.com/matrix-org/synapse/issues/6309)) - Add some clarifications to `README.md` in the database schema directory. ([\#6615](https://github.com/matrix-org/synapse/issues/6615)) - Refactoring work in preparation for changing the event redaction algorithm. ([\#6874](https://github.com/matrix-org/synapse/issues/6874), [\#6875](https://github.com/matrix-org/synapse/issues/6875), [\#6983](https://github.com/matrix-org/synapse/issues/6983), [\#7003](https://github.com/matrix-org/synapse/issues/7003)) - Improve performance of v2 state resolution for large rooms. ([\#6952](https://github.com/matrix-org/synapse/issues/6952), [\#7095](https://github.com/matrix-org/synapse/issues/7095)) - Reduce time spent doing GC, by freezing objects on startup. ([\#6953](https://github.com/matrix-org/synapse/issues/6953)) - Minor perfermance fixes to `get_auth_chain_ids`. ([\#6954](https://github.com/matrix-org/synapse/issues/6954)) - Don't record remote cross-signing keys in the `devices` table. ([\#6956](https://github.com/matrix-org/synapse/issues/6956)) - Use flake8-comprehensions to enforce good hygiene of list/set/dict comprehensions. ([\#6957](https://github.com/matrix-org/synapse/issues/6957)) - Merge worker apps together. ([\#6964](https://github.com/matrix-org/synapse/issues/6964), [\#7002](https://github.com/matrix-org/synapse/issues/7002), [\#7055](https://github.com/matrix-org/synapse/issues/7055), [\#7104](https://github.com/matrix-org/synapse/issues/7104)) - Remove redundant `store_room` call from `FederationHandler._process_received_pdu`. ([\#6979](https://github.com/matrix-org/synapse/issues/6979)) - Update warning for incorrect database collation/ctype to include link to documentation. ([\#6985](https://github.com/matrix-org/synapse/issues/6985)) - Add some type annotations to the database storage classes. ([\#6987](https://github.com/matrix-org/synapse/issues/6987)) - Port `synapse.handlers.presence` to async/await. ([\#6991](https://github.com/matrix-org/synapse/issues/6991), [\#7019](https://github.com/matrix-org/synapse/issues/7019)) - Add some type annotations to the federation base & client classes. ([\#6995](https://github.com/matrix-org/synapse/issues/6995)) - Port `synapse.rest.keys` to async/await. ([\#7020](https://github.com/matrix-org/synapse/issues/7020)) - Add a type check to `is_verified` when processing room keys. ([\#7045](https://github.com/matrix-org/synapse/issues/7045)) - Add type annotations and comments to the auth handler. ([\#7063](https://github.com/matrix-org/synapse/issues/7063))
| * | Update postgres.mdRichard van der Hoff2020-03-171-2/+1
| | | | | | | | | fix broken link
* | | Improve database configuration docs (#6988)Richard van der Hoff2020-03-202-15/+70
| |/ |/| | | | | | | Attempts to clarify the sample config for databases, and add some stuff about tcp keepalives to `postgres.md`.
* | Add an option to the set password API to choose whether to logout other ↵Patrick Cloke2020-03-181-1/+5
| | | | | | | | devices. (#7085)
* | Revert "Add options to disable setting profile info for prevent changes. ↵Richard van der Hoff2020-03-171-13/+0
| | | | | | | | | | | | | | (#7053)" This reverts commit 54dd28621b070ca67de9f773fe9a89e1f4dc19da, reversing changes made to 6640460d054e8f4444046a34bdf638921b31c01e.
* | Put the file in the templates directoryBrendan Abolivier2020-03-111-7/+16
| |
* | Update wording and configBrendan Abolivier2020-03-111-0/+3
| |
* | Add options to disable setting profile info for prevent changes. (#7053)Brendan Abolivier2020-03-101-0/+13
|\ \
| * | Update sample_config.yamlDirk Klimpel2020-03-101-1/+1
| | |
| * | updates after reviewdklimpel2020-03-091-5/+5
| | |
| * | add disable_3pid_changesdklimpel2020-03-081-0/+5
| | |
| * | lint2dklimpel2020-03-081-2/+2
| | |
| * | changelogdklimpel2020-03-081-0/+8
| | |
* | | Update sample configBrendan Abolivier2020-03-101-0/+7
| | |
* | | Update routing of fallback auth in the worker docs. (#7048)Patrick Cloke2020-03-091-0/+1
| | |
* | | Merge branch 'master' into developBrendan Abolivier2020-03-031-0/+50
|\ \ \ | |/ / |/| / | |/
| * Add a whitelist for the SSO confirmation step.Richard van der Hoff2020-03-021-3/+19
| |
| * Add a confirmation step to the SSO login flowBrendan Abolivier2020-03-021-0/+34
| |
* | Fix minor issues with email config (#6962)Richard van der Hoff2020-02-241-4/+5
| | | | | | | | | | | | * Give `notif_template_html`, `notif_template_text` default values (fixes #6960) * Don't complain if `smtp_host` and `smtp_port` are unset, since they have sensible defaults (fixes #6961) * Set the example for `enable_notifs` to `True`, for consistency and because it's more useful * Raise errors as ConfigError rather than RuntimeError for nicer formatting
* | Clarify list/set/dict/tuple comprehensions and enforce via flake8 (#6957)Patrick Cloke2020-02-211-1/+1
|/ | | | Ensure good comprehension hygiene using flake8-comprehensions.
* Merge pull request #6940 from matrix-org/babolivier/federate.mdBrendan Abolivier2020-02-193-153/+126
|\ | | | | Clean up and update federation docs
| * Incorporate reviewBrendan Abolivier2020-02-192-12/+13
| |
| * Incorporate reviewBrendan Abolivier2020-02-182-21/+17
| |
| * PhrasingBrendan Abolivier2020-02-181-1/+1
| |
| * Add mention of SRV records as an advanced topicBrendan Abolivier2020-02-181-0/+10
| |
| * Argh trailing spacesBrendan Abolivier2020-02-181-2/+2
| |
| * Fix links in the reverse proxy docBrendan Abolivier2020-02-181-3/+4
| |
| * Make federate.md more of a sumary of the steps to follow to set up replicationBrendan Abolivier2020-02-181-17/+28
| |
| * Split the delegating documentation out of federate.md and trim it downBrendan Abolivier2020-02-182-133/+87
| |
* | Merge pull request #6907 from matrix-org/babolivier/acme-configBrendan Abolivier2020-02-181-0/+5
|\ \ | | | | | | Add mention and warning about ACME v1 deprecation to the TLS config
| * | Add mention and warning about ACME v1 deprecation to the Synapse configBrendan Abolivier2020-02-131-0/+5
| | |
* | | Fix worker docs to point `/publicised_groups` API correctly. (#6938)Erik Johnston2020-02-181-3/+4
| | |
* | | Add a warning about indentation to generated config (#6920)Richard van der Hoff2020-02-142-2/+14
| | | | | | | | | Fixes #6916.
* | | Filter the results of user directory searching via the spam checker (#6888)Patrick Cloke2020-02-141-0/+3
| |/ |/| | | Add a method to the spam checker to filter the user directory results.
* | Add documentation for the spam checker module (#6906)Patrick Cloke2020-02-131-0/+85
| | | | | | Add documentation for the spam checker.
* | Update docs/ACME.mdBrendan Abolivier2020-02-131-1/+1
| |
* | Mention that using Synapse to serve certificates requires restartsBrendan Abolivier2020-02-121-1/+3
| |
* | Remove duplicated info about certbot et alBrendan Abolivier2020-02-121-5/+0
| |