This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Synapse requires auth for GET /_matrix/client/.../publicRooms, contrary to spec #15049

Closed
Ah3n0 opened this issue Feb 10, 2023 · 8 comments
Labels: A-Room-Directory; A-Spec-Compliance (places where synapse does not conform to the spec); O-Occasional (affects or can be seen by some users regularly or most users rarely); S-Tolerable (minor significance, cosmetic issues, low or no impact to users); T-Defect (bugs, crashes, hangs, security vulnerabilities, or other reported issues).

Comments

@Ah3n0

Ah3n0 commented Feb 10, 2023

Description

GET /_matrix/client/v1/register/m.login.registration_token/validity

[Screenshot 2023-02-10 11:09:49]

Steps to reproduce

GET Request : url=http://localhost:8008/_matrix/client/v1/register/m.login.registration_token/validity 
 path_url=/_matrix/client/v1/register/m.login.registration_token/validity 
 headers={'User-Agent': 'python-requests/2.28.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'} 
 body=None 

Homeserver

own

Synapse Version

1.73

Installation Method

Docker (matrixdotorg/synapse)

Database

PostgreSQL

Workers

Single process

Platform

K8s Cluster

Configuration

No response

Relevant log output

GET Response : url=http://localhost:8008/_matrix/client/v1/register/m.login.registration_token/validity 
 status=400, reason=Bad Request 
 headers={'Transfer-Encoding': 'chunked', 'Server': 'Synapse/1.73.0', 'Date': 'Fri, 10 Feb 2023 10:09:05 GMT', 'Content-Type': 'application/json', 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Methods': 'GET, HEAD, POST, PUT, DELETE, OPTIONS', 'Access-Control-Allow-Headers': 'X-Requested-With, Content-Type, Authorization, Date'} 
 body={"errcode":"M_MISSING_PARAM","error":"Missing string query parameter 'token'"}

Anything else that would be useful to know?

[Screenshot 2023-02-10 11:10:25]

@DMRobertson
Contributor

Please link to the spec rather than post a screenshot of it.

https://spec.matrix.org/v1.5/client-server-api/#get_matrixclientv1registermloginregistration_tokenvalidity

The complaint in the response is that you haven't provided the required query parameter token, the registration token to check the validity of. You haven't demonstrated that this endpoint requires authentication.

DMRobertson closed this as not planned Feb 10, 2023
@Ah3n0
Author

Ah3n0 commented Feb 14, 2023

@DMRobertson My bad, it was another endpoint. Sorry for this confusion:

[Screenshot 2023-02-14 13:07:38]

[Screenshot 2023-02-14 13:10:19]

@DMRobertson
Contributor

Confusingly, the link you have provided is to the GET .../forget endpoint, not /publicRooms.

/publicRooms is specced as requiring auth so Synapse is not spec-compliant. I am not clear if Synapse should be changed or if the spec should.
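The two replies discussed in this thread are easy to confuse: the 400 M_MISSING_PARAM quoted in the report is a parameter error, while a real access-token requirement on GET /publicRooms surfaces as a 401 with an auth errcode. The following is an added example, not code from Synapse or from anyone in this issue: it sends one unauthenticated GET to a homeserver (the localhost URL from the report is assumed) and classifies the reply so an operator can see which case they are looking at.

```python
# Added example (not from the Synapse project or this thread): probe whether
# GET /_matrix/client/v3/publicRooms answers without an access token, and
# separate a genuine auth requirement (401 + M_MISSING_TOKEN/M_UNKNOWN_TOKEN)
# from an unrelated 400 such as the M_MISSING_PARAM reply quoted above.
import json
import urllib.error
import urllib.request

# Matrix spec errcodes that mean "an access token is needed or invalid".
AUTH_ERRCODES = {"M_MISSING_TOKEN", "M_UNKNOWN_TOKEN"}


def classify(status: int, body: bytes) -> str:
    """Map one HTTP reply (status + raw body) to a verdict about auth."""
    try:
        data = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        data = None
    errcode = data.get("errcode") if isinstance(data, dict) else None
    if status == 200:
        return "anonymous GET accepted"
    if status == 401 or errcode in AUTH_ERRCODES:
        return "access token required"
    if errcode == "M_MISSING_PARAM":
        return "parameter error, not an auth check: fix the request first"
    return f"inconclusive: status={status} errcode={errcode}"


def probe_public_rooms(base_url: str, timeout: float = 10.0) -> str:
    """Send an unauthenticated GET /publicRooms and classify the reply."""
    url = base_url.rstrip("/") + "/_matrix/client/v3/publicRooms?limit=1"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # Synapse returns its JSON error body on 4xx; classify that too.
        return classify(err.code, err.read())


if __name__ == "__main__":
    # Homeserver URL assumed to match the local setup in the report above.
    print(probe_public_rooms("http://localhost:8008"))
```

Run it once with no Authorization header; if the verdict is "access token required" the server shows the behaviour this issue describes, and the probe never needs a real token.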

@DMRobertson DMRobertson reopened this Feb 14, 2023
@DMRobertson
Contributor

try:
    await self.auth.get_user_by_req(request, allow_guest=True)

is presumably responsible.

DMRobertson added the A-Spec-Compliance, S-Tolerable, T-Defect and O-Occasional labels Feb 14, 2023
DMRobertson changed the title from "Requiement auth deviation with GET request" to "Synapse requires auth for GET /_matrix/client/.../publicRooms, contrary to spec" Feb 14, 2023
@Ah3n0
Author

Ah3n0 commented Feb 14, 2023

> Confusingly, the link you have provided is to the GET .../forget endpoint, not /publicRooms.
>
> /publicRooms is specced as requiring auth so Synapse is not spec-compliant. I am not clear if Synapse should be changed or if the spec should.

Link updated to 'GET /_matrix/client/v3/publicRooms'

@DMRobertson
Contributor

Note that the POST version of public rooms does require auth in the spec. (Though I don't understand why.)

@DMRobertson
Contributor

Discussed among the team. We think the spec should mark this as requiring auth.

@DMRobertson
Contributor

Related: #2421 matrix-org/matrix-spec#145

DMRobertson closed this as not planned Feb 16, 2023