improvement: registration token now only works when registration is enabled

Co-authored-by: Timo Kösters <timo@koesters.xyz> Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-01-24 22:29:30 -05:00 · 2024-01-24 22:29:30 -05:00 · 4ac568769b
commit 4ac568769b
parent ab0b52ef1e
3 changed files with 53 additions and 33 deletions
--- a/src/api/client_server/account.rs
+++ b/src/api/client_server/account.rs
@ -74,11 +74,8 @@ pub async fn get_register_available_route(
 /// - Creates a new account and populates it with default account data
 /// - If `inhibit_login` is false: Creates a device and returns device id and access_token
 pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> {
-    if !services().globals.allow_registration()
-        && !body.from_appservice
-        && services().globals.config.registration_token.is_none()
-    {
-        info!("Registration disabled, no reg token configured, rejecting registration attempt for username {:?}", body.username);
+    if !services().globals.allow_registration() && !body.from_appservice {
+        info!("Registration disabled and request not from known appservice, rejecting registration attempt for username {:?}", body.username);
        return Err(Error::BadRequest(
            ErrorKind::Forbidden,
            "Registration has been disabled.",
@ -89,10 +86,10 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe

    if is_guest
        && (!services().globals.allow_guest_registration()
-            || (!services().globals.allow_registration()
+            || (services().globals.allow_registration()
                && services().globals.config.registration_token.is_some()))
    {
-        info!("Guest registration disabled / registration disabled with token configured, rejecting guest registration, initial device name: {:?}", body.initial_device_display_name);
+        info!("Guest registration disabled / registration enabled with token configured, rejecting guest registration, initial device name: {:?}", body.initial_device_display_name);
        return Err(Error::BadRequest(
            ErrorKind::GuestAccessForbidden,
            "Guest registration is disabled.",
@ -144,21 +141,35 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
    };

    // UIAA
-    let mut uiaainfo = UiaaInfo {
-        flows: vec![AuthFlow {
-            stages: if services().globals.config.registration_token.is_some() {
-                vec![AuthType::RegistrationToken]
-            } else {
-                vec![AuthType::Dummy]
-            },
-        }],
-        completed: Vec::new(),
-        params: Default::default(),
-        session: None,
-        auth_error: None,
-    };
+    let mut uiaainfo;
+    let skip_auth;
+    if services().globals.config.registration_token.is_some() {
+        // Registration token required
+        uiaainfo = UiaaInfo {
+            flows: vec![AuthFlow {
+                stages: vec![AuthType::RegistrationToken],
+            }],
+            completed: Vec::new(),
+            params: Default::default(),
+            session: None,
+            auth_error: None,
+        };
+        skip_auth = body.from_appservice;
+    } else {
+        // No registration token necessary, but clients must still go through the flow
+        uiaainfo = UiaaInfo {
+            flows: vec![AuthFlow {
+                stages: vec![AuthType::Dummy],
+            }],
+            completed: Vec::new(),
+            params: Default::default(),
+            session: None,
+            auth_error: None,
+        };
+        skip_auth = body.from_appservice || is_guest;
+    }

-    if !body.from_appservice && !is_guest {
+    if !skip_auth {
        if let Some(auth) = &body.auth {
            let (worked, uiaainfo) = services().uiaa.try_auth(
                &UserId::parse_with_server_name("", services().globals.server_name())
--- a/src/main.rs
+++ b/src/main.rs
@ -155,9 +155,10 @@ async fn main() {

    if config.allow_registration
        && !config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+        && config.registration_token.is_none()
    {
-        error!("!! You have `allow_registration` enabled in your config which means you are allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n
-        If this is not the intended behaviour, please disable `allow_registration` and set a registration token.\n
+        error!("!! You have `allow_registration` enabled without a token configured in your config which means you are allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n
+        If this is not the intended behaviour, please set a registration token with the `registration_token` config option.\n
        For security and safety reasons, conduwuit will shut down. If you are extra sure this is the desired behaviour you want, please set the following config option to true:
        `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`");
        return;
@ -165,9 +166,10 @@ async fn main() {

    if config.allow_registration
        && config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+        && config.registration_token.is_none()
    {
-        warn!("Open registration is enabled via setting `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and `allow_registration` to true. You are expected to be aware of the risks now.\n
-        If this is not the desired behaviour, please disable `allow_registration` and set a registration token.");
+        warn!("Open registration is enabled via setting `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and `allow_registration` to true without a registration token configured. You are expected to be aware of the risks now.\n
+        If this is not the desired behaviour, please set a registration token.");
    }

    if config.allow_outgoing_presence {