Admin API for creating new users #3415
Conversation
There was a problem hiding this comment.
Hum. Given this is making an API which is incompatible to both the existing APIs, I think we should take the opportunity to move this to a completely separate endpoint.
It fits badly under /r0/register, since (a) it skips user-interactive auth, and (b) it's synapse specific.
In short, I'm afraid I would prefer making (and documenting) yet a third version, and deprecating the existing APIs, with a view to deleting them in short order.
hawkowl
changed the title
hawkowl
changed the title
|
This moves the disparate and theoretically-insecure APIs from v1 and r0 into an admin path, including nonce use to prevent replay attacks. This has an accompanying sytest change: matrix-org/sytest#453 |
synapse/rest/client/v1/register.py
Outdated
| @@ -128,12 +128,10 @@ def on_POST(self, request): | |||
| login_type = register_json["type"] | |||
|
|
|||
| is_application_server = login_type == LoginType.APPLICATION_SERVICE | |||
| is_using_shared_secret = login_type == LoginType.SHARED_SECRET | |||
There was a problem hiding this comment.
can we deprecate this for now, rather than remove it, please?
| @@ -259,16 +258,6 @@ def on_POST(self, request): | |||
| if desired_username is not None: | |||
| desired_username = desired_username.lower() | |||
|
|
|||
| # == Shared Secret Registration == (e.g. create new user scripts) | |||
| if 'mac' in body: | |||
| guest_access_token = params.get("guest_access_token", None) | ||
|
|
||
| if desired_username is not None: | ||
| desired_username = desired_username.lower() | ||
|
|
||
| (registered_user_id, _) = yield self.registration_handler.register( | ||
| localpart=desired_username, | ||
| password=new_password, |
| @@ -71,6 +71,8 @@ def setup_test_homeserver(name="test", datastore=None, config=None, reactor=None | |||
| config.user_directory_search_all_users = False | |||
| config.user_consent_server_notice_content = None | |||
| config.block_events_without_consent_error = None | |||
| config.media_storage_providers = [] | |||
There was a problem hiding this comment.
I'm a bit confused as to what's going on here?
There was a problem hiding this comment.
Importing the admin APIs loads the media storage providers code, which tries to iterate over this (and you can't iterate over a mock)
synapse/rest/client/v1/admin.py
Outdated
| @@ -63,6 +65,116 @@ def on_GET(self, request, user_id): | |||
| defer.returnValue((200, ret)) | |||
|
|
|||
|
|
|||
| class UserRegisterServlet(ClientV1RestServlet): | |||
| PATTERNS = client_path_patterns("/admin/register") | |||
| SALT_TIMEOUT = 60 | |||
There was a problem hiding this comment.
can we have a comment to explain what this does?
synapse/rest/client/v1/admin.py
Outdated
|
|
||
| if nonce not in self.nonces: | ||
| raise SynapseError( | ||
| 400, "nonce cannot be reused", |
There was a problem hiding this comment.
how do we know it's being reused?
There was a problem hiding this comment.
Changed the comment to be a bit more accurate
| super(UserRegisterServlet, self).__init__(hs) | ||
| self.handlers = hs.get_handlers() | ||
| self.reactor = hs.get_reactor() | ||
| self.nonces = {} |
There was a problem hiding this comment.
can we have a comment for this, please? what does it map to and from?
synapse/secrets.py
Outdated
| # limitations under the License. | ||
|
|
||
| """ | ||
| Secrets generation -- shh! |
There was a problem hiding this comment.
ok, but can we define what it does?
hawkowl
force-pushed
the
hawkowl/register-user-improv
branch
from
3334d48 to
31f89bb
Compare
docs/admin_api/register_api.rst
Outdated
| Shared-Secret Registration | ||
| ========================== | ||
|
|
||
| This API allows for the creation of users in an administrative and non-interactive way. This is generally used for bootstrapping a Synapse instance with administrator accounts. |
There was a problem hiding this comment.
can we wrap at 80 chars please?
docs/admin_api/register_api.rst
Outdated
| "device_id": "device_id_here" | ||
| } | ||
|
|
||
| The MAC is the hex digest output of the HMAC-SHA1 algorithm, with the key being the shared secret and the content being the nonce, user, password, and either the string "admin" or "notadmin", each separated by NULLs. For an example of generation in Python:: |
synapse/rest/client/v1/admin.py
Outdated
| """ | ||
| Attributes: | ||
| NONCE_TIMEOUT (int): Seconds until a generated nonce won't be accepted | ||
| nonces (dict): The nonces that we will accept. A dict of nonce to the |
| @@ -71,6 +71,8 @@ def setup_test_homeserver(name="test", datastore=None, config=None, reactor=None | |||
| config.user_directory_search_all_users = False | |||
| config.user_consent_server_notice_content = None | |||
| config.block_events_without_consent_error = None | |||
| config.media_storage_providers = [] | |||
This has an accompanying sytest change: matrix-org/sytest#453