| Commit message | Author | Age | Files | Lines |
build up of forward extremities. (#5884)
Fix a bug with saml attribute maps.
Fixes a bug where the default attribute maps were prioritised over
user-specified ones, resulting in incorrect mappings.
The problem is that if you call SPConfig.load() multiple times, it adds new
attribute mappers to a list. So by calling it with the default config first,
and then the user-specified config, we would always get the default mappers
before the user-specified mappers.
To solve this, let's merge the config dicts first, and then pass them to
SPConfig.
Second part of solving #6076
Fixes #6076
We return a submit_url parameter on calls to POST */msisdn/requestToken so that clients know where to submit token information to.
Make the sample saml config closer to our standards
Uses a SimpleHttpClient instance equipped with the federation_ip_range_blacklist list for requests to identity servers provided by user input. Does not use a blacklist when contacting identity servers specified by account_threepid_delegates. The homeserver trusts the latter and we don't want to prevent homeserver admins from specifying delegates that are on internal IP addresses.
Fixes #5935
Converting some of the rst documentation to markdown. Attempted to
preserve whitespace and line breaks to minimize cosmetic change.
This PR adds the optional `report_stats_endpoint` to configure where stats are reported to, if enabled.
* Blow up config if opentracing is missing
Allow use of different ratelimits for admin redactions.
Co-Authored-By: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
This is useful to allow room admins to quickly deal with a large number
of abusive messages.
Censor redactions in DB after a month
erikj/censor_redactions
server to handle 3pid validation (#5987)
This is a combination of a few different PRs, finally all being merged into `develop`:
* #5875
* #5876
* #5868 (This one added the `/versions` flag but the flag itself was actually [backed out](https://github.com/matrix-org/synapse/commit/891afb57cbdf9867f2848341b29c75d6f35eef5a#diff-e591d42d30690ffb79f63bb726200891) in #5969. What's left is just giving /versions access to the config file, which could be useful in the future)
* #5835
* #5969
* #5940
Clients should not actually use the new registration functionality until https://github.com/matrix-org/synapse/pull/5972 is merged.
UPGRADE.rst, changelog entries and config file changes should all be reviewed closely before this PR is merged.
Previously the stats were not being correctly populated.
* Let synctl use a config directory.
Template config files
* Imagine a system composed entirely of x, y, z etc and the basic operations..
Wait George, why XOR? Why not just neq?
George: Eh, I didn't think of that..
Co-Authored-By: Erik Johnston <erik@matrix.org>
Add config option to sign remote key query responses with a separate key.
This allows servers to separate keys that are used to sign remote keys
when acting as a notary server.
Signed-off-by: Aaron Raimist <aaron@raim.ist>
Fixes #5833
The emailconfig code was attempting to pull incorrect config file names. This corrects that, while also marking a difference between a config file variable that's a filepath versus a str containing HTML.
We want to assign unique mxids to saml users based on an incrementing
suffix. For that to work, we need to record the allocated mxid in a separate
table.
It's still not great, thanks to the nested dictionaries, but it's better.
The `expire_access_token` didn't do what it sounded like it should do. What it
actually did was make Synapse enforce the 'time' caveat on macaroons used as
access tokens, but since our access token macaroons never contained such a
caveat, it was always a no-op.
(The code to add 'time' caveats was removed back in v0.18.5, in #1656)
* Allow Jaeger to be configured
* Update sample config
This also adds a worker blacklist.
* Opentracing survival guide
* Update decorator names in doc
* Doc cleanup
These are all alterations as a result of comments in #5703, it
includes mostly typos and clarifications. The most interesting
changes are:
- Split developer and user docs into two sections
- Add a high level description of OpenTracing
* newsfile
* Move contributor specific info to docstring.
* Sample config.
* Trailing whitespace.
* Update 5703.misc
* Apply suggestions from code review
Mostly just rewording parts of the docs for clarity.
Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Clean up config settings and dead code.
This is mostly about cleaning up the config format, to bring it into line with our conventions. In particular:
* There should be a blank line after `## Section ##` headings
* There should be a blank line between each config setting
* There should be a `#`-only line between a comment and the setting it describes
* We don't really do the `# #` style commenting-out of whole sections if we can help it
* rename `tracer_enabled` to `enabled`
While we're here, do more config parsing upfront, which makes it easier to use
later on.
Also removes redundant code from LogContextScopeManager.
Also changes the changelog fragment to a `feature` - it's exciting!
Record how long an access token is valid for, and raise a soft-logout once it
expires.
* Configure and initialise tracer
Includes config options for the tracer and sets up JaegerClient.
* Scope manager using LogContexts
We piggy-back our tracer scopes by using log context.
The current log context gives us the current scope. If new scope is
created we create a stack of scopes in the context.
* jaeger is a dependency now
* Carrier inject and extraction for Twisted Headers
* Trace federation requests on the way in and out.
The span is created in _started_processing and closed in
_finished_processing because we need a meaningful log context.
* Create logcontext for new scope.
Instead of having a stack of scopes in a logcontext we create a new
context for a new scope if the current logcontext already has a scope.
* Remove scope from logcontext if logcontext is top level
* Disable tracer if not configured
* typo
* Remove dependence on jaeger internals
* bools
* Set service name
* Explicitly state that the tracer is disabled
* Black is the new black
* Newsfile
* Code style
* Use the new config setup.
* Generate config.
* Copyright
* Rename config to opentracing
* Remove user whitelisting
* Empty whitelist by default
* Use ConfigError instead of RuntimeError
* Use isinstance
* Use tag constants for opentracing.
* Remove debug comment and no need to explicitly record error
* Two errors a "s(c)entry"
* Docstrings!
* Remove debugging brainslip
* Homeserver Whitelisting
* Better opentracing config comment
* linting
* Include worker name in service_name
* Make opentracing an optional dependency
* Neater config retrieval
* Clean up dummy tags
* Instantiate tracing as object instead of global class
* Include opentracing as a homeserver member.
* Thread opentracing to the request level
* Reference opentracing through hs
* Instantiate dummy opentracing for tests.
* About to revert, just keeping the unfinished changes just in case
* Revert back to global state, commit number:
9ce4a3d9067bf9889b86c360c05ac88618b85c4f
* Use class level methods in tracerutils
* Start and stop requests spans in a place where we
have access to the authenticated entity
* Seen it, isort it
* Make sure to close the active span.
* I'm getting black and blue from this.
* Logger formatting
Co-Authored-By: Erik Johnston <erik@matrix.org>
* Outdated comment
* Import opentracing at the top
* Return a contextmanager
* Start tracing client requests from the servlet
* Return noop context manager if not tracing
* Explicitly say that these are federation requests
* Include servlet name in client requests
* Use context manager
* Move opentracing to logging/
* Seen it, isort it again!
* Ignore twisted return exceptions on context exit
* Escape the scope
* Scopes should be entered to make them useful.
* Nicer decorator names
* Just one init, init?
* Don't need to close something that isn't open
* Docs make you smarter
This has never been documented, and I'm not sure it's ever been used outside
sytest.
It's quite a lot of poorly-maintained code, so I'd like to get rid of it.
For now I haven't removed the database table; I suggest we leave that for a
future clearout.
- Put the default window_size back to 1000ms (broken by #5181)
- Make the `rc_federation` config actually do something
- fix an off-by-one error in the 'concurrent' limit
- Avoid creating an unused `_PerHostRatelimiter` object for every single
incoming request
The runtime errors that dealt with local email password resets talked about config options that users may not even have in their config file yet (if upgrading). Instead, the cryptic errors are now replaced with hopefully much more helpful ones.
This allows us to correctly handle `allow_unsolicited: False`.
Also: share the saml client between redirect and response handlers.
Signed-off-by: Alexander Trost <galexrt@googlemail.com>
federation (#5550)
Signed-off-by: Daniel Hoffend <dh@dotlan.net>
Helps address #5444
Add --data-dir and --open-private-ports options.
This is helpful when generating a config file for running synapse under docker.
We don't necessarily want to put the data in the cwd.
Stop conflating generated config and default config
It's too confusing.
This will enable us to skip the unintuitive behaviour where the generated
config and default config are the same thing.
Split public rooms directory auth config in two
This is no longer used and only serves to confuse.
Because sticking it in the same place as the config isn't necessarily the right
thing to do.
* Pull config_dir_path and data_dir_path calculation out of read_config_files
* Pass config_dir_path and data_dir_path into read_config
This has no useful purpose on python3, and is generally a source of confusion.
* group the arguments together into a group
* add new names "--generate-missing-config" and "--config-directory" for
existing cmdline options "--generate-keys" and "--keys-dir", which better
reflect their purposes.
Add some comments, and simplify `read_config_files`.
Make it a bit clearer what's going on.
Adds new config option `cleanup_extremities_with_dummy_events` which
periodically sends dummy events to rooms with more than 10 extremities.
THIS IS REALLY EXPERIMENTAL.
Allow server admins to define implementations of extra rules for allowing or denying incoming events
Moves the warning about password resets being disabled to the point where a user actually tries to reset their password. Is this an appropriate place for it to happen?
Also removed the disabling of msisdn password resets when you don't have an email config, as that just doesn't make sense.
Also change the error a user receives upon disabled passwords to specify that only email-based password reset is disabled.
It's not really a problem to trust notary responses signed by the old key so
long as we are also doing TLS validation.
This commit adds a check to the config parsing code at startup to check that
we do not have the insecure matrix.org key without tls validation, and refuses
to start without it.
This allows us to remove the rather alarming-looking warning which happens at
runtime.
Set default room version to v4.
identity server (#5377)
Sends password reset emails from the homeserver instead of proxying to the identity server. This is now the default behaviour for security reasons. If you wish to continue proxying password reset requests to the identity server you must now enable the email.trust_identity_server_for_password_resets option.
This PR is a culmination of 3 smaller PRs which have each been separately reviewed:
* #5308
* #5345
* #5368
There are a few changes going on here:
* We make checking the signature on a key server response optional: if no
verify_keys are specified, we trust to TLS to validate the connection.
* We change the default config so that it does not require responses to be
signed by the old key.
* We replace the old 'perspectives' config with 'trusted_key_servers', which
is also formatted slightly differently.
* We emit a warning to the logs every time we trust a key server response
signed by the old key.
Previously, setting this option would cause an exception at startup.
Improve documentation of monthly active user blocking and mau_trial_days
Make account validity renewal emails work when email notifs are disabled
Allow configuring a range for the account validity startup job
When enabling the account validity feature, Synapse will look at startup for registered accounts without an expiration date, and will set one equal to 'now + validity_period' for them. On large servers, it can mean that a large number of users will have the same expiration date, which means that they will all be sent a renewal email at the same time, which isn't ideal.
In order to mitigate this, this PR allows server admins to define a 'max_delta' so that the expiration date is a random value in the [now + validity_period ; now + validity_period + max_delta] range. This allows renewal emails to be progressively sent over a configured period instead of being sent all in one big batch.
Signed-off-by: Aaron Raimist <aaron@raim.ist>
Replaces DEFAULT_ROOM_VERSION constant with a method that first checks the config, then returns a hardcoded value if the option is not present.
That hardcoded value is now located in the server.py config file.
matrix-org/babolivier/account_validity_expiration_date
Add startup background job for account validity
Land basic reaction and edit support.
CS API (#5083)
This commit adds two config options:
* `restrict_public_rooms_to_local_users`
Requires auth to fetch the public rooms directory through the CS API and disables fetching it through the federation API.
* `require_auth_for_profile_requests`
When set to `true`, requires that requests to `/profile` over the CS API are authenticated, and only returns the user's profile if the requester shares a room with the profile's owner, as per MSC1301.
MSC1301 also specifies a behaviour for federation (only returning the profile if the server asking for it shares a room with the profile's owner), but that's currently really non-trivial to do in a not too expensive way. Next step is writing down an MSC that allows a HS to specify which user sent the profile query. In this implementation, Synapse won't send a profile query over federation if it doesn't believe it already shares a room with the profile's owner, though.
Groups have been intentionally omitted from this commit.
Add some limitations to alias creation
Send out emails with links to extend an account's validity period
Add time-based account expiration
add context to phonehome stats
As requested by @andrewshadura
Add option to disable search room lists
This disables both local and remote room list searching.
Add option to disable searching in the user dir
Co-Authored-By: erikjohnston <erikj@jki.re>
We still populate it, as it can still be accessed via the admin API.
Setting this to 50 or so makes a bunch of sytests fail in worker mode.
Rate-limit outgoing read-receipts as per #4730.
Rather than using a Mock for the homeserver config, use a genuine
HomeServerConfig object. This makes for a more realistic test, and means that
we don't have to keep remembering to add things to the mock config every time
we add a new config setting.
Make it so that most options in the config are optional, and commented out in
the generated config.
The reasons this is a good thing are as follows:
* If we decide that we should change the default for an option, we can do so,
and only those admins that have deliberately chosen to override that option
will be stuck on the old setting.
* It moves us towards a point where we can get rid of the super-surprising
feature of synapse where the default settings for the config come from the
generated yaml.
* It makes setting up a test config for unit testing an order of magnitude
easier (see forthcoming PR).
* It makes the generated config more consistent, and hopefully easier for users
to understand.
Add two ratelimiters on login (per-IP address and per-userID).
* Clarify what registration_shared_secret allows for (#2885)
Signed-off-by: Aaron Raimist <aaron@raim.ist>
* Add changelog
Signed-off-by: Aaron Raimist <aaron@raim.ist>
* Rate-limiting for registration
* Add unit test for registration rate limiting
* Add config parameters for rate limiting on auth endpoints
* Doc
* Fix doc of rate limiting function
Co-Authored-By: babolivier <contact@brendanabolivier.com>
* Incorporate review
* Fix config parsing
* Fix linting errors
* Set default config for auth rate limiting
* Fix tests
* Add changelog
* Advance reactor instead of mocked clock
* Move parameters to registration specific config and give them more sensible default values
* Remove unused config options
* Don't mock the rate limiter in MAU tests
* Rename _register_with_store into register_with_store
* Make CI happy
* Remove unused import
* Update sample config
* Fix ratelimiting test for py2
* Add non-guest test
Fixes #4675.
* add trivial clarification about jemalloc
* switch from google.com to recaptcha.net
because https://developers.google.com/recaptcha/docs/faq#can-i-use-recaptcha-globally
Fixup generated metrics config
The general idea here is that config examples should just have a hash and no
extraneous whitespace, both to make it easier for people who don't understand
yaml, and to make the examples stand out from the comments.
Support .well-known delegation when issuing certificates through ACME
Add basic optional sentry.io integration
The warning for missing macaroon_secret_key was "missing missing".
Add configurable room list publishing rules
This allows specifying who and what is allowed to be published onto the
public room list
* Better logging for errors on startup
* Fix "TypeError: '>' not supported" when starting without an existing
certificate
* Fix a bug where an existing certificate would be reprovisioned every day
turns out it doesn't really support ipv6, so let's hack around that by only
listening on ipv4 by default.
fix self-signed cert notice from generate-config
fixes #4620
If TLS is disabled, it should not be an error if no cert is given.
Fixes #4554.
Rather than have to specify `no_tls` explicitly, infer whether we need to load
the TLS keys etc from whether we have any TLS-enabled listeners.
Log which file we're reading keys and certs from, and refactor the code a bit
in preparation for other work
... otherwise we would fail with a mysterious KeyError or something later.
Rearrange the comments to try to clarify them, and expand on what some of it
means.
Use a sensible default 'bind_addresses' setting.
For the insecure port, only bind to localhost, and enable x_forwarded, since
apparently it's for use behind a load-balancer.
New listener resource for the federation API "openid/userinfo" endpoint
Signed-off-by: Jason Robinson <jasonr@matrix.org>
Instead document it commented out.
Signed-off-by: Jason Robinson <jasonr@matrix.org>
This allows the OpenID userinfo endpoint to be active even if the
federation resource is not active. The OpenID userinfo endpoint
is called by integration managers to verify user actions using the
client API OpenID access token. Without this verification, the
integration manager cannot know that the access token is valid.
The OpenID userinfo endpoint will be loaded in the case that either
"federation" or "openid" resource is defined. The new "openid"
resource is defaulted to active in default configuration.
Signed-off-by: Jason Robinson <jasonr@matrix.org>
Fixes #4559
* by default include m.room.encryption on invites
* fix constant
* changelog
* Handle listening for ACME requests on IPv6 addresses
the weird url-but-not-actually-a-url-string doesn't handle IPv6 addresses
without extra quoting. Building a string which you are about to parse again
seems like a weird choice. Let's just use listenTCP, which is consistent with
what we do elsewhere.
* Clean up the default ACME config
make it look a bit more consistent with everything else, and tweak the defaults
to listen on port 80.
* newsfile
Check consent dir path on startup
Don't recommend :8448 to people on public_baseurl
If you use double-quotes here, you have to escape your backslashes. It's much
easier with single-quotes.
(Note that the existing double-backslashes are already interpreted by python's
""" parsing.)
Neilj/fix threepid auth check
This is leading to problems with people upgrading to clients that
support MSC1730 because people have this misconfigured, so try
to make the docs completely unambiguous.
Config option to disable requesting MSISDN on registration
* remove dh_params and set better cipher string
Fixes #4371
This is already fixed in 0.34.1, by 59f93bb
This reverts commit efc522c55e996e420271de2d9094835dda52ade4.
* Raise a ConfigError if an invalid resource is specified
* Require Jinja 2.9 for the consent resource
* changelog
These settings are not supposed to be under 'listeners'.
This is based on the work done by @krombel in #2601.
This implements both a SAML2 metadata endpoint (at
`/_matrix/saml2/metadata.xml`), and a SAML2 response receiver (at
`/_matrix/saml2/authn_response`). If the SAML2 response matches what's been
configured, we complete the SSO login flow by redirecting to the client url
(aka `RelayState` in SAML2 jargon) with a login token.
What we don't yet have is anything to build a SAML2 request and redirect the
user to the identity provider. That is left as an exercise for the reader.
* Rip out half-implemented m.login.saml2 support
This was implemented in an odd way that left most of the work to the client, in
a way that I really didn't understand. It's going to be a pain to maintain, so
let's start by ripping it out.
* drop undocumented dependency on dateutil
It turns out we were relying on dateutil being pulled in transitively by
pysaml2. There's no need for that bloat.
Sometimes it's useful for synapse to generate its own .well-known file.
in it (#4230)
This is useful for homeservers not intended for users, such as bot-only homeservers or ones that only process IoT data.
configuration (#4207)
So people can still collect consent the old way if they want to.
erikj/alias_disallow_list