add support for reading a registration token from a file
Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry
parent
ee1580e480
commit
7a59add8f1
10 changed files with 78 additions and 21 deletions
|
|
@ -111,7 +111,7 @@ pub(crate) async fn register_route(
|
|||
|
||||
if is_guest
|
||||
&& (!services.globals.allow_guest_registration()
|
||||
|| (services.globals.allow_registration() && services.globals.config.registration_token.is_some()))
|
||||
|| (services.globals.allow_registration() && services.globals.registration_token.is_some()))
|
||||
{
|
||||
info!(
|
||||
"Guest registration disabled / registration enabled with token configured, rejecting guest registration \
|
||||
|
|
@ -183,7 +183,7 @@ pub(crate) async fn register_route(
|
|||
|
||||
// UIAA
|
||||
let mut uiaainfo;
|
||||
let skip_auth = if services.globals.config.registration_token.is_some() {
|
||||
let skip_auth = if services.globals.registration_token.is_some() {
|
||||
// Registration token required
|
||||
uiaainfo = UiaaInfo {
|
||||
flows: vec![AuthFlow {
|
||||
|
|
@ -685,7 +685,7 @@ pub(crate) async fn request_3pid_management_token_via_msisdn_route(
|
|||
pub(crate) async fn check_registration_token_validity(
|
||||
State(services): State<crate::State>, body: Ruma<check_registration_token_validity::v1::Request>,
|
||||
) -> Result<check_registration_token_validity::v1::Response> {
|
||||
let Some(reg_token) = services.globals.config.registration_token.clone() else {
|
||||
let Some(reg_token) = services.globals.registration_token.clone() else {
|
||||
return Err(Error::BadRequest(
|
||||
ErrorKind::forbidden(),
|
||||
"Server does not allow token registration.",
|
||||
|
|
|
|||
|
|
@ -94,6 +94,22 @@ pub fn check(config: &Config) -> Result<()> {
|
|||
));
|
||||
}
|
||||
|
||||
// check if we can read the token file path, and check if the file is empty
|
||||
if config.registration_token_file.as_ref().is_some_and(|path| {
|
||||
let Ok(token) = std::fs::read_to_string(path).inspect_err(|e| {
|
||||
error!("Failed to read the registration token file: {e}");
|
||||
}) else {
|
||||
return true;
|
||||
};
|
||||
|
||||
token == String::new()
|
||||
}) {
|
||||
return Err!(Config(
|
||||
"registration_token_file",
|
||||
"Registration token file was specified but is empty or failed to be read"
|
||||
));
|
||||
}
|
||||
|
||||
if config.max_request_size < 5_120_000 {
|
||||
return Err!(Config(
|
||||
"max_request_size",
|
||||
|
|
@ -111,12 +127,13 @@ pub fn check(config: &Config) -> Result<()> {
|
|||
if config.allow_registration
|
||||
&& !config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
|
||||
&& config.registration_token.is_none()
|
||||
&& config.registration_token_file.is_none()
|
||||
{
|
||||
return Err!(Config(
|
||||
"registration_token",
|
||||
"!! You have `allow_registration` enabled without a token configured in your config which means you are \
|
||||
allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n
|
||||
If this is not the intended behaviour, please set a registration token with the `registration_token` config option.\n
|
||||
If this is not the intended behaviour, please set a registration token.\n
|
||||
For security and safety reasons, conduwuit will shut down. If you are extra sure this is the desired behaviour you \
|
||||
want, please set the following config option to true:
|
||||
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`"
|
||||
|
|
@ -126,6 +143,7 @@ For security and safety reasons, conduwuit will shut down. If you are extra sure
|
|||
if config.allow_registration
|
||||
&& config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
|
||||
&& config.registration_token.is_none()
|
||||
&& config.registration_token_file.is_none()
|
||||
{
|
||||
warn!(
|
||||
"Open registration is enabled via setting \
|
||||
|
|
|
|||
|
|
@ -139,6 +139,7 @@ pub struct Config {
|
|||
#[serde(default)]
|
||||
pub yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: bool,
|
||||
pub registration_token: Option<String>,
|
||||
pub registration_token_file: Option<PathBuf>,
|
||||
#[serde(default = "true_fn")]
|
||||
pub allow_encryption: bool,
|
||||
#[serde(default = "true_fn")]
|
||||
|
|
@ -572,12 +573,20 @@ impl fmt::Display for Config {
|
|||
line("Allow registration", &self.allow_registration.to_string());
|
||||
line(
|
||||
"Registration token",
|
||||
if self.registration_token.is_some() {
|
||||
"set"
|
||||
if self.registration_token.is_none() && self.registration_token_file.is_none() && self.allow_registration {
|
||||
"not set (⚠️ open registration!)"
|
||||
} else if self.registration_token.is_none() && self.registration_token_file.is_none() {
|
||||
"not set"
|
||||
} else {
|
||||
"not set (open registration!)"
|
||||
"set"
|
||||
},
|
||||
);
|
||||
line(
|
||||
"Registration token file path",
|
||||
self.registration_token_file
|
||||
.as_ref()
|
||||
.map_or("", |path| path.to_str().unwrap_or_default()),
|
||||
);
|
||||
line(
|
||||
"Allow guest registration (inherently false if allow registration is false)",
|
||||
&self.allow_guest_registration.to_string(),
|
||||
|
|
|
|||
|
|
@ -41,6 +41,7 @@ pub struct Service {
|
|||
pub server_user: OwnedUserId,
|
||||
pub admin_alias: OwnedRoomAliasId,
|
||||
pub turn_secret: String,
|
||||
pub registration_token: Option<String>,
|
||||
}
|
||||
|
||||
type RateLimitState = (Instant, u32); // Time if last failed try, number of failed tries
|
||||
|
|
@ -96,6 +97,20 @@ impl crate::Service for Service {
|
|||
})
|
||||
});
|
||||
|
||||
let registration_token =
|
||||
config
|
||||
.registration_token_file
|
||||
.as_ref()
|
||||
.map_or(config.registration_token.clone(), |path| {
|
||||
let Ok(token) = std::fs::read_to_string(path).inspect_err(|e| {
|
||||
error!("Failed to read the registration token file: {e}");
|
||||
}) else {
|
||||
return config.registration_token.clone();
|
||||
};
|
||||
|
||||
Some(token)
|
||||
});
|
||||
|
||||
let mut s = Self {
|
||||
db,
|
||||
config: config.clone(),
|
||||
|
|
@ -112,6 +127,7 @@ impl crate::Service for Service {
|
|||
server_user: UserId::parse_with_server_name(String::from("conduit"), &config.server_name)
|
||||
.expect("@conduit:server_name is valid"),
|
||||
turn_secret,
|
||||
registration_token,
|
||||
};
|
||||
|
||||
if !s
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ use std::{
|
|||
use conduit::{
|
||||
err, error, implement, utils,
|
||||
utils::{hash, string::EMPTY},
|
||||
Error, Result, Server,
|
||||
Error, Result,
|
||||
};
|
||||
use database::{Deserialized, Map};
|
||||
use ruma::{
|
||||
|
|
@ -26,7 +26,6 @@ pub struct Service {
|
|||
}
|
||||
|
||||
struct Services {
|
||||
server: Arc<Server>,
|
||||
globals: Dep<globals::Service>,
|
||||
users: Dep<users::Service>,
|
||||
}
|
||||
|
|
@ -48,7 +47,6 @@ impl crate::Service for Service {
|
|||
userdevicesessionid_uiaainfo: args.db["userdevicesessionid_uiaainfo"].clone(),
|
||||
},
|
||||
services: Services {
|
||||
server: args.server.clone(),
|
||||
globals: args.depend::<globals::Service>("globals"),
|
||||
users: args.depend::<users::Service>("users"),
|
||||
},
|
||||
|
|
@ -135,7 +133,13 @@ pub async fn try_auth(
|
|||
uiaainfo.completed.push(AuthType::Password);
|
||||
},
|
||||
AuthData::RegistrationToken(t) => {
|
||||
if Some(t.token.trim()) == self.services.server.config.registration_token.as_deref() {
|
||||
if self
|
||||
.services
|
||||
.globals
|
||||
.registration_token
|
||||
.as_ref()
|
||||
.is_some_and(|reg_token| t.token.trim() == reg_token)
|
||||
{
|
||||
uiaainfo.completed.push(AuthType::RegistrationToken);
|
||||
} else {
|
||||
uiaainfo.auth_error = Some(ruma::api::client::error::StandardErrorBody {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue