Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Stop accepting 'user' parameter for application service registration. #15928

Merged
merged 1 commit into from
Jul 13, 2023
Merged

Stop accepting 'user' parameter for application service registration. #15928

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/15928.removal
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Remove support for calling the `/register` endpoint with an unspecced `user` property for application services.
10 changes: 10 additions & 0 deletions docs/upgrade.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,16 @@ process, for example:
dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
```

# Upgrading to v1.89.0

## Removal of unspecced `user` property for `/register`

Application services can no longer call `/register` with a `user` property to create new users.
The standard `username` property should be used instead. See the
[Application Service specification](https://spec.matrix.org/v1.7/application-service-api/#server-admin-style-permissions)
for more information.


# Upgrading to v1.88.0

## Minimum supported Python version
Expand Down
12 changes: 4 additions & 8 deletions synapse/rest/client/register.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -462,9 +462,9 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
# the auth layer will store these in sessions.
desired_username = None
if "username" in body:
if not isinstance(body["username"], str) or len(body["username"]) > 512:
raise SynapseError(400, "Invalid username")
desired_username = body["username"]
if not isinstance(desired_username, str) or len(desired_username) > 512:
raise SynapseError(400, "Invalid username")
Comment on lines 465 to +467
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a no-op change; I just found it easier to fetch the property once and re-use it instead of doing it after validation.


# fork off as soon as possible for ASes which have completely
# different registration flows to normal users
Expand All @@ -477,19 +477,15 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
"Appservice token must be provided when using a type of m.login.application_service",
)

# Set the desired user according to the AS API (which uses the
# 'user' key not 'username'). Since this is a new addition, we'll
# fallback to 'username' if they gave one.
desired_username = body.get("user", desired_username)

# XXX we should check that desired_username is valid. Currently
# we give appservices carte blanche for any insanity in mxids,
# because the IRC bridges rely on being able to register stupid
# IDs.

access_token = self.auth.get_access_token_from_request(request)

if not isinstance(desired_username, str):
# Desired username is either a string or None.
if desired_username is None:
raise SynapseError(400, "Desired Username is missing or not a string")
Comment on lines +487 to 489
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I originally assumed we could remove this validation, but we can't -- for application services it is invalid to not give the username property.


result = await self._do_appservice_registration(
Expand Down