magmaus3/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

improvement: registration token now only works when registration is enabled

Browse source 
Co-authored-by: Timo Kösters <timo@koesters.xyz>
Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-01-24 22:29:30 -05:00 committed by June
parent ab0b52ef1e
commit 4ac568769b
3 changed files with 53 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

23
conduwuit-example.toml
View file

@ -26,7 +26,7 @@
# Generally, copying this exactly should be enough. (Currently, conduwuit doesn't # Generally, copying this exactly should be enough. (Currently, conduwuit doesn't
# support batched key requests, so this list should only contain Synapse # support batched key requests, so this list should only contain Synapse
# servers.) Defaults to `matrix.org` # servers.) Defaults to `matrix.org`
#trusted_servers = ["matrix.org"] # trusted_servers = ["matrix.org"]
@ -111,16 +111,17 @@ ip_range_denylist = [
# For private homeservers, this is best at false. # For private homeservers, this is best at false.
allow_guest_registration = false allow_guest_registration = false
# Vector list of servers that conduwuit will refuse to download remote media from # Vector list of servers that conduwuit will refuse to download remote media from.
#prevent_media_downloads_from = ["example.com", "example.local"] # No default.
# prevent_media_downloads_from = ["example.com", "example.local"]
# Enables open registration. If set to false, no users can register on this # Enables open registration. If set to false, no users can register on this
# server (unless a token is configured). # server.
# If set to true, users can register with no form of 2nd step only if you set # If set to true without a token configured, users can register with no form of 2nd-
# step only if you set
# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to # `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to
# in your config. If you would like # true in your config. If you would like
# registration only via token reg, please set this to *false* and configure the # registration only via token reg, please configure the `registration_token` key.
# `registration_token` key.
allow_registration = false allow_registration = false
# Please note that an open registration homeserver with no second-step verification # Please note that an open registration homeserver with no second-step verification
# is highly prone to abuse and potential defederation by homeservers, including # is highly prone to abuse and potential defederation by homeservers, including
@ -132,8 +133,14 @@ allow_registration = false
registration_token = "change this token for something specific to your server" registration_token = "change this token for something specific to your server"
# controls whether federation is allowed or not # controls whether federation is allowed or not
# defaults to false
allow_federation = true allow_federation = true
# controls whether users are allowed to create rooms.
# appservices and admins are always allowed to create rooms
# defaults to true
# allow_room_creation = true
# Set this to true to allow your server's public room directory to be federated. # Set this to true to allow your server's public room directory to be federated.
# Set this to false to protect against /publicRooms spiders, but will forbid external users # Set this to false to protect against /publicRooms spiders, but will forbid external users
# from viewing your server's public room directory. If federation is disabled entirely # from viewing your server's public room directory. If federation is disabled entirely

53
src/api/client_server/account.rs
View file

@ -74,11 +74,8 @@ pub async fn get_register_available_route(
/// - Creates a new account and populates it with default account data /// - Creates a new account and populates it with default account data
/// - If `inhibit_login` is false: Creates a device and returns device id and access_token /// - If `inhibit_login` is false: Creates a device and returns device id and access_token
pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> { pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> {
if !services().globals.allow_registration() if !services().globals.allow_registration() && !body.from_appservice {
&& !body.from_appservice info!("Registration disabled and request not from known appservice, rejecting registration attempt for username {:?}", body.username);
&& services().globals.config.registration_token.is_none()
{
info!("Registration disabled, no reg token configured, rejecting registration attempt for username {:?}", body.username);
return Err(Error::BadRequest( return Err(Error::BadRequest(
ErrorKind::Forbidden, ErrorKind::Forbidden,
"Registration has been disabled.", "Registration has been disabled.",
@ -89,10 +86,10 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
if is_guest if is_guest
&& (!services().globals.allow_guest_registration() && (!services().globals.allow_guest_registration()
|| (!services().globals.allow_registration() || (services().globals.allow_registration()
&& services().globals.config.registration_token.is_some())) && services().globals.config.registration_token.is_some()))
{ {
info!("Guest registration disabled / registration disabled with token configured, rejecting guest registration, initial device name: {:?}", body.initial_device_display_name); info!("Guest registration disabled / registration enabled with token configured, rejecting guest registration, initial device name: {:?}", body.initial_device_display_name);
return Err(Error::BadRequest( return Err(Error::BadRequest(
ErrorKind::GuestAccessForbidden, ErrorKind::GuestAccessForbidden,
"Guest registration is disabled.", "Guest registration is disabled.",
@ -144,21 +141,35 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
}; };
// UIAA // UIAA
let mut uiaainfo = UiaaInfo { let mut uiaainfo;
flows: vec![AuthFlow { let skip_auth;
stages: if services().globals.config.registration_token.is_some() { if services().globals.config.registration_token.is_some() {
vec![AuthType::RegistrationToken] // Registration token required
} else { uiaainfo = UiaaInfo {
vec![AuthType::Dummy] flows: vec![AuthFlow {
}, stages: vec![AuthType::RegistrationToken],
}], }],
completed: Vec::new(), completed: Vec::new(),
params: Default::default(), params: Default::default(),
session: None, session: None,
auth_error: None, auth_error: None,
}; };
skip_auth = body.from_appservice;
} else {
// No registration token necessary, but clients must still go through the flow
uiaainfo = UiaaInfo {
flows: vec![AuthFlow {
stages: vec![AuthType::Dummy],
}],
completed: Vec::new(),
params: Default::default(),
session: None,
auth_error: None,
};
skip_auth = body.from_appservice || is_guest;
}
if !body.from_appservice && !is_guest { if !skip_auth {
if let Some(auth) = &body.auth { if let Some(auth) = &body.auth {
let (worked, uiaainfo) = services().uiaa.try_auth( let (worked, uiaainfo) = services().uiaa.try_auth(
&UserId::parse_with_server_name("", services().globals.server_name()) &UserId::parse_with_server_name("", services().globals.server_name())

10
src/main.rs
View file

@ -155,9 +155,10 @@ async fn main() {
if config.allow_registration if config.allow_registration
&& !config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse && !config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
&& config.registration_token.is_none()
{ {
error!("!! You have `allow_registration` enabled in your config which means you are allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n error!("!! You have `allow_registration` enabled without a token configured in your config which means you are allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n
If this is not the intended behaviour, please disable `allow_registration` and set a registration token.\n If this is not the intended behaviour, please set a registration token with the `registration_token` config option.\n
For security and safety reasons, conduwuit will shut down. If you are extra sure this is the desired behaviour you want, please set the following config option to true: For security and safety reasons, conduwuit will shut down. If you are extra sure this is the desired behaviour you want, please set the following config option to true:
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`"); `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`");
return; return;
@ -165,9 +166,10 @@ async fn main() {
if config.allow_registration if config.allow_registration
&& config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse && config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
&& config.registration_token.is_none()
{ {
warn!("Open registration is enabled via setting `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and `allow_registration` to true. You are expected to be aware of the risks now.\n warn!("Open registration is enabled via setting `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and `allow_registration` to true without a registration token configured. You are expected to be aware of the risks now.\n
If this is not the desired behaviour, please disable `allow_registration` and set a registration token."); If this is not the desired behaviour, please set a registration token.");
} }
if config.allow_outgoing_presence { if config.allow_outgoing_presence {