Olivier 'reivilibre
a01c0af73e
fix up test that relied on it being broken
2025-10-23 16:02:19 +01:00
Olivier 'reivilibre
f020cce619
Fix UNIQUE constraint on active personal access tokens per session
2025-10-23 15:01:39 +01:00
reivilibre
0d28304c11
Revoke personal sessions when users are deactivated (#5181)
Revoke both personal sessions that are owned by, and acting as, the deactivated user.
Owned by because: it doesn't make sense for a deactivated user to be able to control themselves or other users, so them having active personal sessions is just confusing.
Acting as because: current precedent is that deactivated users are not controllable, even by admins.
To uphold this, the admin API is also fixed to stop allowing the creation of personal sessions for deactivated users.
2025-10-22 14:53:56 +01:00
Olivier 'reivilibre
3d80097bae
Merge branch 'main' into rei/pat_devicesync
2025-10-22 14:27:40 +01:00
Olivier 'reivilibre
409f35476a
Remove stale comment
2025-10-22 14:23:18 +01:00
Olivier 'reivilibre
80feaffe16
Add comments for the filters
2025-10-22 14:22:10 +01:00
Olivier 'reivilibre
54c025f333
Use is_valid_actor
2025-10-22 14:20:55 +01:00
Olivier 'reivilibre
e648c8ecc3
Merge branch 'main' into rei/pat_revoke_on_deactivate
2025-10-22 14:18:17 +01:00
Olivier 'reivilibre
95bc20e440
When adding personal session, upsert devices synchronously
2025-10-22 14:03:21 +01:00
Olivier 'reivilibre
e5a54f2d68
Restructure user validity check
2025-10-22 13:29:53 +01:00
Olivier 'reivilibre
84450a7bfb
remove redundant #[source]
2025-10-22 13:29:45 +01:00
Olivier 'reivilibre
c8ed12512e
Relax the validity check of the token actor
2025-10-22 13:15:12 +01:00
Olivier 'reivilibre
f51747a666
Check validity of token owner
2025-10-22 13:04:39 +01:00
Olivier 'reivilibre
a7d83540c2
Pass through the TokenFormatError
2025-10-22 12:59:49 +01:00
Olivier 'reivilibre
42f6664396
When adding or revoking personal sessions, schedule needed device syncs
2025-10-22 11:50:27 +01:00
Olivier 'reivilibre
c74150f8df
Accept PATs on the Admin API
2025-10-22 11:37:04 +01:00
Olivier 'reivilibre
b23a35a214
Rename record_personal_session function
2025-10-22 11:37:04 +01:00
Olivier 'reivilibre
c5756d4d7f
Don't allow creating personal sessions for deactivated users
2025-10-22 11:31:17 +01:00
Olivier 'reivilibre
7d5e9b863d
Revoke personal sessions on user deactivation
2025-10-22 11:27:10 +01:00
Olivier 'reivilibre
be40e1bed7
Add revoke_bulk for personal sessions storage
2025-10-22 11:27:10 +01:00
reivilibre
eeba7e192c
Personal Sessions: add create, list, get, revoke, regenerate Admin APIs (#5141)
Introduces some admin API endpoints for Personal Sessions.
- add: Creates a personal session along with its first personal access token, returning both. This is currently the only way to get a personal access token.
- get: Shows the information about a personal session
- list: Shows many personal sessions
- revoke: Revokes a personal session, so it can't be used anymore
- regenerate: Revoke the active personal access token for a session and issue a new one to replace it.
2025-10-22 11:20:02 +01:00
Olivier 'reivilibre
8fb0caf06a
fixup! Add expires filter to personal sessions list
2025-10-21 11:30:11 +01:00
Olivier 'reivilibre
db3dcce753
use axum_extract's version of Query everywhere
2025-10-21 11:30:11 +01:00
Olivier 'reivilibre
a0c55835df
fixup! Make expires_in u32 and (on regenerate) not default to the same as last time
2025-10-21 11:21:00 +01:00
Olivier 'reivilibre
d516b3dee3
Add scope filter to personal sessions list
2025-10-21 11:03:04 +01:00
Olivier 'reivilibre
6102a4b672
Use Option<Ulid> in schemars
2025-10-21 10:16:36 +01:00
Olivier 'reivilibre
ba9fc3513c
Make expires_in u32 and (on regenerate) not default to the same as last time
2025-10-21 10:13:32 +01:00
Olivier 'reivilibre
52c04c173f
Add expires filter to personal sessions list
2025-10-21 10:10:14 +01:00
Olivier 'reivilibre
78b010d3f6
find_active_by_session: take &PersonalSession
2025-10-21 09:43:46 +01:00
reivilibre
0d27c34f10
Support introspection of personal access tokens (#5171)
You can now present a personal access token (mpt_ prefix) at introspection and have it accepted.
This means personal access tokens can be presented to Synapse and used on the client-server API.
2025-10-20 18:25:38 +01:00
Olivier 'reivilibre
66f8814058
note: device_id only used for compat access & refresh tokens
2025-10-20 17:23:31 +01:00
Olivier 'reivilibre
9d80ecc513
Add personal access token introspection test
2025-10-20 17:23:31 +01:00
Olivier 'reivilibre
893e4265c3
Implement activity tracking for personal sessions
2025-10-20 17:23:31 +01:00
Olivier 'reivilibre
11a852e109
introspection: Support personal access tokens
2025-10-20 17:23:31 +01:00
Olivier 'reivilibre
30abb7c90d
drive-by formatting fixes
2025-10-20 16:42:01 +01:00
Olivier 'reivilibre
1fc8145e01
drive-by clippy fixes
2025-10-20 16:42:01 +01:00
Olivier 'reivilibre
4e70f83f41
Add Admin API to regenerate a personal session (getting a new PAT)
2025-10-20 16:42:01 +01:00
Olivier 'reivilibre
1030ec9ea9
Add personal sessions admin API
2025-10-20 14:51:40 +01:00
Olivier 'reivilibre
2e5b386e2f
Add personal session data models to admin API
2025-10-20 14:33:30 +01:00
Olivier 'reivilibre
01c89cd122
Delete owned PATs & personal sessions when pruning OAuth2 clients
2025-10-20 14:33:30 +01:00
Olivier 'reivilibre
353d23474c
When revoking a personal session, also revoke its PAT
2025-10-20 14:33:30 +01:00
Olivier 'reivilibre
98c765cf6b
storage: include PATs alongside personal sessions
2025-10-20 14:33:30 +01:00
Olivier 'reivilibre
34b3462a47
storage: introduce find_active_for_session for PATs
2025-10-20 13:06:41 +01:00
matrixbot
1bd1b00524
Automatic merge back to main (#5156)
2025-10-16 16:31:52 +02:00
Olivier 'reivilibre
e221a378be
Add regression tests
2025-10-16 14:03:52 +01:00
Quentin Gliech
c88cb9cb8e
Better feedback when changing passwords
2025-10-15 19:26:34 +02:00
matrixbot
d30e7c8718
Automatic merge back to main (#5130)
2025-10-10 11:35:11 +02:00
Olivier 'reivilibre
4005d53163
introspection: introduce errors for personal sessions
2025-10-09 17:00:44 +01:00
Quentin Gliech
f0ac252fd3
Always initialize OpenTelemetry even if no exporter is configured
2025-10-09 16:28:35 +02:00
reivilibre
477385fd9f
Add storage for Personal Access Tokens (#5106)
Defines a token format for PATs and implements the base storage functionality for PATs and 'Personal Sessions' which are conceptually the parent containers of PATs.
Personal Sessions survive across regenerations of PATs and are the entities associated with the device ID. In virtually every way they are functionally the same as Compat or OAuth2 Sessions.
2025-10-09 13:07:41 +01:00