
Implement registering with an email support #1837

Conversation

@PiotrKozimor PiotrKozimor commented Apr 19, 2021

Support for registration via email sent by the identity server. Resolves #1298, but there is a catch.
The test case "Can register using an email address" validates registration when dendrite itself sends the verification email. In this PR, dendrite sends a /_matrix/identity/v2/validate/email/requestToken request to the identity server (which will trigger sending the email). A new test case must be implemented in sytest. Proposed name: Can register using an email address via identity server

Allowable authentication flows must be passed via the config file. This PR sets up the following convention (at the same time taking a step towards removing Derived):

client_api:
  registration:
    flows:
      - stages:
        - m.login.email.identity
  login:
    flows:
      - stages:
        - m.login.password

What's left to do?

  • Authenticate requests to the identity server - I leave it with no authentication, using the V1 Identity API
  • Verify identity server certificates - there is configuration to add a custom CA to the system certificate pool.
  • Implement test case in sytest - PR

Pull Request Checklist

  • I have added any new tests that need to pass to sytest-whitelist as specified in docs/sytest.md
  • Pull request includes a sign off

Signed-off-by: Piotr Kozimor <p1996k@gmail.com>

@PiotrKozimor (Contributor Author)

Regarding the failing CodeQL checks: for both, an "Uncontrolled data used in network request" issue is reported, while in fact the identity server URI is checked against a list of trusted ones.
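The kind of allowlist check the comment above refers to, written out as an added example (this is not the PR's code, and the function name, the allowlist entries and the treatment of `id_server` as a bare host are assumptions): the client-supplied identity server is only ever turned into a request URL when it matches a configured trusted host exactly, which is what keeps "uncontrolled data" out of the network request.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUntrustedIDServer is returned when the client-supplied identity server
// is not in the homeserver's configured allowlist (or is malformed).
var ErrUntrustedIDServer = errors.New("identity server is not trusted")

// ValidatedIDServerURL takes the id_server value a client supplied (the
// cred.IDServer field in the PR) and the homeserver's configured list of
// trusted identity servers, and returns the https base URL to contact only
// when the host matches an allowlisted entry exactly. Hypothetical helper,
// not Dendrite's own code.
func ValidatedIDServerURL(idServer string, trusted []string) (string, error) {
	// id_server is a bare host[:port]; refuse anything that could smuggle a
	// scheme, credentials, a path or a query into the request URL.
	if strings.ContainsAny(idServer, "/@?#\\ ") || strings.Contains(idServer, "://") {
		return "", fmt.Errorf("%w: malformed id_server %q", ErrUntrustedIDServer, idServer)
	}
	host := strings.ToLower(strings.TrimSpace(idServer))
	for _, t := range trusted {
		if host == strings.ToLower(t) {
			// Build the URL from the allowlisted value, not the raw input.
			u := url.URL{Scheme: "https", Host: host}
			return u.String(), nil
		}
	}
	return "", ErrUntrustedIDServer
}

func main() {
	// Constructed allowlist; a real deployment reads it from configuration.
	trusted := []string{"matrix.org", "vector.im"}
	for _, in := range []string{"Matrix.org", "evil.example", "matrix.org@evil.example"} {
		u, err := ValidatedIDServerURL(in, trusted)
		fmt.Printf("%-28s -> url=%q err=%v\n", in, u, err)
	}
}
```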

@PiotrKozimor PiotrKozimor marked this pull request as ready for review April 22, 2021 10:40
@neilalexander neilalexander requested review from kegsay and neilalexander and removed request for kegsay April 22, 2021 10:42
}
util.GetLogger(ctx).Infof("conecting to identity server: %s", cred.IDServer)
url := fmt.Sprintf(
"https://%s/_matrix/identity/api/v1/3pid/getValidated3pid",
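Review bot: the log message in `util.GetLogger(ctx).Infof("conecting to identity server: %s", cred.IDServer)` has a typo ("conecting"), and the request URL is built with fmt.Sprintf directly from `cred.IDServer`, the client-supplied value CodeQL flags; the trusted-list check the author describes is not visible in this excerpt, so consider placing it immediately before the Sprintf so the trust decision and the outgoing request sit together in the code.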
Member
dendrite isn't my project, but:

this endpoint is deprecated by MSC2713 and it's likely that sydent will soon drop support for it.

In general, homeservers should not be delegating responsibility for email address validation to identity servers, since it allows a compromised ID server to be used to take over homeserver accounts.

Contributor Author

Thank you for the comment. I think I have misunderstood the concept of the ID server. It makes sense that the homeserver sends the email on its own. So the ID server would be used after registration to publish the association, so that others may find the user by email, right? I suppose also that the auth stage for login should be done without the ID server. Am I right?

Member

yes, that's right.

@PiotrKozimor

Closing this as long as we want the HS to send validation emails; see this issue.

@PiotrKozimor PiotrKozimor deleted the piotrkozimor/registering-with-an-email-support branch November 17, 2021 15:06