improvement: registration token now only works when registration is enabled

This commit is contained in:
Timo Kösters 2024-01-24 18:44:00 +01:00
parent 34e0e710cb
commit 1fb5bcf98f
No known key found for this signature in database
GPG key ID: 0B25E636FBA7E4CB
5 changed files with 45 additions and 21 deletions


@ -41,7 +41,7 @@ allow_registration = true
# A static registration token that new users will have to provide when creating # A static registration token that new users will have to provide when creating
# an account. YOU NEED TO EDIT THIS. # an account. YOU NEED TO EDIT THIS.
# - Insert a password that users will have to enter on registration # - Insert a password that users will have to enter on registration
# - Comment out the line to remove the condition # - Start the line with '#' to remove the condition
registration_token = "" registration_token = ""
allow_federation = true allow_federation = true

debian/postinst vendored

@ -72,9 +72,22 @@ max_request_size = 20_000_000 # in bytes
# Enables registration. If set to false, no users can register on this server. # Enables registration. If set to false, no users can register on this server.
allow_registration = true allow_registration = true
# A static registration token that new users will have to provide when creating
# an account.
# - Insert a password that users will have to enter on registration
# - Start the line with '#' to remove the condition
#registration_token = ""
allow_federation = true allow_federation = true
allow_check_for_updates = true allow_check_for_updates = true
# Enable the display name lightning bolt on registration.
enable_lightning_bolt = true
# Servers listed here will be used to gather public keys of other servers.
# Generally, copying this exactly should be enough. (Currently, Conduit doesn't
# support batched key requests, so this list should only contain Synapse
# servers.)
trusted_servers = ["matrix.org"] trusted_servers = ["matrix.org"]
#max_concurrent_requests = 100 # How many requests Conduit sends to other servers at the same time #max_concurrent_requests = 100 # How many requests Conduit sends to other servers at the same time


@ -28,6 +28,7 @@ services:
CONDUIT_PORT: 6167 CONDUIT_PORT: 6167
CONDUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB CONDUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
CONDUIT_ALLOW_REGISTRATION: 'true' CONDUIT_ALLOW_REGISTRATION: 'true'
#CONDUIT_REGISTRATION_TOKEN: '' # require password for registration
CONDUIT_ALLOW_FEDERATION: 'true' CONDUIT_ALLOW_FEDERATION: 'true'
CONDUIT_ALLOW_CHECK_FOR_UPDATES: 'true' CONDUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
CONDUIT_TRUSTED_SERVERS: '["matrix.org"]' CONDUIT_TRUSTED_SERVERS: '["matrix.org"]'


@ -31,14 +31,13 @@ services:
### Uncomment and change values as desired ### Uncomment and change values as desired
# CONDUIT_ADDRESS: 0.0.0.0 # CONDUIT_ADDRESS: 0.0.0.0
# CONDUIT_PORT: 6167 # CONDUIT_PORT: 6167
# CONDUIT_REGISTRATION_TOKEN: '' # require password for registration
# CONDUIT_CONFIG: '/srv/conduit/conduit.toml' # if you want to configure purely by env vars, set this to an empty string '' # CONDUIT_CONFIG: '/srv/conduit/conduit.toml' # if you want to configure purely by env vars, set this to an empty string ''
# Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
# CONDUIT_ALLOW_JAEGER: 'false'
# CONDUIT_ALLOW_ENCRYPTION: 'true' # CONDUIT_ALLOW_ENCRYPTION: 'true'
# CONDUIT_ALLOW_FEDERATION: 'true' # CONDUIT_ALLOW_FEDERATION: 'true'
# CONDUIT_ALLOW_CHECK_FOR_UPDATES: 'true' # CONDUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
# CONDUIT_DATABASE_PATH: /srv/conduit/.local/share/conduit # CONDUIT_DATABASE_PATH: /srv/conduit/.local/share/conduit
# CONDUIT_WORKERS: 10
# CONDUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB # CONDUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
# We need some way to server the client and server .well-known json. The simplest way is to use a nginx container # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container


@ -74,10 +74,7 @@ pub async fn get_register_available_route(
/// - Creates a new account and populates it with default account data /// - Creates a new account and populates it with default account data
/// - If `inhibit_login` is false: Creates a device and returns device id and access_token /// - If `inhibit_login` is false: Creates a device and returns device id and access_token
pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> { pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> {
if !services().globals.allow_registration() if !services().globals.allow_registration() && !body.from_appservice {
&& !body.from_appservice
&& services().globals.config.registration_token.is_none()
{
return Err(Error::BadRequest( return Err(Error::BadRequest(
ErrorKind::Forbidden, ErrorKind::Forbidden,
"Registration has been disabled.", "Registration has been disabled.",
@ -122,21 +119,35 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
}; };
// UIAA // UIAA
let mut uiaainfo = UiaaInfo { let mut uiaainfo;
let skip_auth;
if services().globals.config.registration_token.is_some() {
// Registration token required
uiaainfo = UiaaInfo {
flows: vec![AuthFlow { flows: vec![AuthFlow {
stages: if services().globals.config.registration_token.is_some() { stages: vec![AuthType::RegistrationToken],
vec![AuthType::RegistrationToken]
} else {
vec![AuthType::Dummy]
},
}], }],
completed: Vec::new(), completed: Vec::new(),
params: Default::default(), params: Default::default(),
session: None, session: None,
auth_error: None, auth_error: None,
}; };
skip_auth = body.from_appservice;
} else {
// No registration token necessary, but clients must still go through the flow
uiaainfo = UiaaInfo {
flows: vec![AuthFlow {
stages: vec![AuthType::Dummy],
}],
completed: Vec::new(),
params: Default::default(),
session: None,
auth_error: None,
};
skip_auth = body.from_appservice || is_guest;
}
if !body.from_appservice && !is_guest { if !skip_auth {
if let Some(auth) = &body.auth { if let Some(auth) = &body.auth {
let (worked, uiaainfo) = services().uiaa.try_auth( let (worked, uiaainfo) = services().uiaa.try_auth(
&UserId::parse_with_server_name("", services().globals.server_name()) &UserId::parse_with_server_name("", services().globals.server_name())