Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

clarify federation Authorization header an add destination property #1067

Merged
merged 6 commits into from
May 30, 2022
Merged

clarify federation Authorization header an add destination property #1067

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
30b7be8
clarify federation Authorization header an add destination property
uhoreg May 17, 2022
484e4ad
add changelogs
uhoreg May 17, 2022
d68d209
some clarifications
uhoreg May 18, 2022
ebb55de
more clarifications, fixes
uhoreg May 18, 2022
972ccbd
use HTML in the added-in/changed-in shortcodes
uhoreg May 27, 2022
88e81a5
Apply suggestions from code review
turt2live May 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelogs/server_server/newsfragments/1067.clarification
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Clarify the format for the Authorization header.
1 change: 1 addition & 0 deletions changelogs/server_server/newsfragments/1067.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add a destination property to the Authorization header.
46 changes: 42 additions & 4 deletions content/server-server-api.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -255,7 +255,7 @@ condition applies throughout the request signing process.
Step 2 add Authorization header:

GET /target HTTP/1.1
Authorization: X-Matrix origin=origin.hs.example.com,key="ed25519:key1",sig="ABCDEF..."
Authorization: X-Matrix origin="origin.hs.example.com",destination="destination.hs.example.com",key="ed25519:key1",sig="ABCDEF..."
Content-Type: application/json

<JSON-encoded request body>
Expand Down Expand Up @@ -283,14 +283,52 @@ def authorization_headers(origin_name, origin_signing_key,

for key, sig in signed_json["signatures"][origin_name].items():
authorization_headers.append(bytes(
"X-Matrix origin=%s,key=\"%s\",sig=\"%s\"" % (
origin_name, key, sig,
"X-Matrix origin=\"%s\",destination=\"%s\",key=\"%s\",sig=\"%s\"" % (
origin_name, destination_name, key, sig,
)
))

return ("Authorization", authorization_headers)
return ("Authorization", authorization_headers[0])
```

The format of the Authorization header is given in
[RFC 7235](https://datatracker.ietf.org/doc/html/rfc7235#section-2.1). In
summary, the header begins with authorization scheme `X-Matrix`, followed by
one or more spaces, followed by a comma-separated list of parameters written as
name=value pairs. The names are case insensitive and order does not matter. The
values must be enclosed in quotes if they contain characters that are not
allowed in `token`s, as defined in
[RFC 7230](https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6); if a
value is a valid `token`, it may or may not be enclosed in quotes. Quoted
values may include backslash-escaped characters. When parsing the header, the
recipient must unescape the characters. That is, a backslash-character pair is
replaced by the character that follows the backslash.

For compatibility with older servers, the sender should
- only include one space after `X-Matrix`,
- only use lower-case names, and
- avoid using backslashes in parameter values.

For compatibility with older servers, the recipient should allow colons to be
included in values without requiring the value to be enclosed in quotes.

The authorization parameters to include are:

- `origin`: the server name of the sending server. This is the same as the
`origin` field from JSON described in step 1.
- `destination`: {{< added-in v="1.3" >}} the server name of the receiving
sender. This is the same as the `destination` field from the JSON described
in step 1. For compatibility with older servers, recipients should accept
requests without this parameter, but MUST always send it. If this property
is included, but the value does not match the receiving server's name, the
receiving server must deny the request with an HTTP status code 401
Unauthorized.
- `key`: the ID, including the algorithm name, of the sending server's key used
to sign the request.
- `signature`: the signature of the JSON as calculated in step 1.

Unknown parameters are ignored.

### Response Authentication

Responses are authenticated by the TLS server certificate. A homeserver
Expand Down
6 changes: 3 additions & 3 deletions layouts/shortcodes/added-in.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
{{ $this := .Params.this }}

{{ if $this }}
<span>**[New in this version]**</span>
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes are needed, otherwise it displays the markdown in the federation docs, rather than the HTML

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm.. that's surprising. What version of hugo?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It happened with whatever version of hugo CI was using. It worked fine in the CS bits. I assume it's because it got substituted in, and then the file got included in the main file, and then reprocessed. But it didn't work for the federation doc.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right, yea. {{< shortcode >}} is a literal while {{% shortcode %}} is interpreted - we need to use angle brackets to get the inline stuff to work, annoyingly.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is fun though (and not worth fixing in this PR, I think):

s2s spec:
image

c2s spec:
image

The code blocks are different. I think it's because of the table structure, but not really sure.

<span><strong>[New in this version]</strong></span>
{{ else }}
<span>**[Added in `v{{ $ver }}`]**</span>
{{ end }} {{/* Do not leave an empty line at the end of this file otherwise the inline behaviour breaks. */}}
<span><strong>[Added in <code>v{{ $ver }}</code>]</strong></span>
{{ end }} {{/* Do not leave an empty line at the end of this file otherwise the inline behaviour breaks. */}}
6 changes: 3 additions & 3 deletions layouts/shortcodes/changed-in.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
{{ $this := .Params.this }}

{{ if $this }}
<span>**[Changed in this version]**</span>
<span><strong>[Changed in this version]</strong></span>
{{ else }}
<span>**[Changed in `v{{ $ver }}`]**</span>
{{ end }} {{/* Do not leave an empty line at the end of this file otherwise the inline behaviour breaks. */}}
<span><strong>[Changed in <code>v{{ $ver }}</code>]</strong></span>
{{ end }} {{/* Do not leave an empty line at the end of this file otherwise the inline behaviour breaks. */}}