-
Notifications
You must be signed in to change notification settings - Fork 384
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC2949: Proposal to clarify "Requires auth" and "Rate-limited" in the spec #2949
base: old_master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
# Proposal to clarify "Requires auth" and "Rate-limited" in the spec | ||
All endpoints in the spec have values for "Requires auth" and "Rate-limited". | ||
The values are booleans, and the spec does not say how strictly they should be | ||
interpreted. There are already multiple endpoints, such as [GET /publicRooms], | ||
which don't require auth in the spec, but may require auth in [some server | ||
implementations]. | ||
|
||
[GET /publicRooms]: https://matrix.org/docs/spec/client_server/r0.6.1#get-matrix-client-r0-publicrooms | ||
[some server implementations]: https://github.com/matrix-org/synapse/blob/v1.24.0/docs/sample_config.yaml#L103-L107 | ||
|
||
This ambiguity and inconsistency causes problems when client developers read | ||
the values in the spec as requirements and don't pass authentication even when | ||
they have a valid access token (see [ruma/ruma#380]). | ||
|
||
[ruma/ruma#380]: https://github.com/ruma/ruma/issues/380 | ||
|
||
Inconsistencies in the "Rate-limited" value doesn't have consequences that are | ||
as obvious, but it is a similar problem nevertheless: Synapse has rate limits | ||
on multiple endpoints that are marked as not rate limited in the spec. | ||
Comment on lines
+17
to
+19
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this is a documentation bug, not something that needs an MSC |
||
|
||
## Proposal | ||
1. Make it clear that the rate-limited and requires auth values in the spec are | ||
merely recommendations and the actual rate limits and auth requirements may | ||
vary on different servers. | ||
2. Recommend that clients always include authorization in requests to the | ||
homeserver if they have an access token. | ||
Comment on lines
+25
to
+26
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What is the benefit of having a “maybe” if clients are supposed to send the token anyway? The “Change all the potentially-requires-auth endpoints to always require auth.” makes more sense to me. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The idea is that a client library could refuse to send a request without an access token to an endpoint that definitely requires auth. For 'maybe', you would disable that check and send the auth token if you have one, but still attempt the request if you don't. |
||
|
||
## Potential issues | ||
None that I can think of. | ||
|
||
## Security considerations | ||
None that I can think of. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There are some endpoints that redirect, possibly to external sites. Adding an There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Huh, interesting. I guess in those cases the spec should explicitly forbid adding the auth headers. Are there any current endpoints that will redirect to an external site and are used after logging in, or should it just be added as a note for potential future endpoints? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The only one in the client-server spec that explicitly mentions redirects is the one for SSO. Not sure about |
||
|
||
## Alternatives | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For rate limiting, we can instead recommend how much endpoints should be rate limited. |
||
* Add a "maybe" value for "Requires auth" and define that any yes/no value is a | ||
requirement instead of recommendation. | ||
* Change all the potentially-requires-auth endpoints to always require auth. | ||
This would mean viewing room directories always requires auth. | ||
* Remove the whole "Rate-limited" value. | ||
|
||
## Unstable prefix | ||
Not applicable. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
these sorts of auth differences should be their own MSCs, or point 2 of the proposal below should be expanded upon to clarify the benefits.