Jean-Benoît Grimaldi
56a37fc7ae
Fix wrong username regex
2026-02-07 11:44:22 +01:00
Quentin Gliech
207c526f00
Upgrade Rust, opa, regal, cargo-auditable and Node
2026-02-04 18:35:43 +01:00
Olivier 'reivilibre
673cfa004c
(delint: Is this a less messy rule?)
2025-12-01 11:51:51 +00:00
Olivier 'reivilibre
9c7c157744
Remove is_interactive and carry on with login types
2025-12-01 11:47:59 +00:00
Olivier 'reivilibre
959e383fc4
fixup! Introduce compat login policy
2025-11-26 13:48:01 +00:00
Olivier 'reivilibre
1ce2c39dd6
Make policy depend on whether the login is interactive or not
2025-11-25 18:41:14 +00:00
Olivier 'reivilibre
04951d983e
Don't apply a session limit when genuinely replacing a session
2025-11-25 18:41:14 +00:00
Olivier 'reivilibre
9f36cfd8b9
Introduce compat login policy
2025-11-25 18:41:14 +00:00
Olivier 'reivilibre
1690570015
(update files after merge)
2025-11-13 15:55:25 +00:00
Olivier 'reivilibre
16f443eba0
Merge branch 'main' into rei/policy_driven_session_limit
2025-11-13 15:54:48 +00:00
Quentin Gliech
db2288b4f3
Remove the nullable transform from the policies schemas
2025-11-07 11:11:41 +01:00
Quentin Gliech
e2490688a5
Merge remote-tracking branch 'origin/main' into quenting/schemars-0.9
2025-11-06 17:34:43 +01:00
Olivier 'reivilibre
26d76db6d9
Add policy violation for too many devices
2025-11-06 10:12:14 +00:00
Olivier 'reivilibre
21fa107584
Add session counts to policy input
2025-11-06 10:12:14 +00:00
Olivier 'reivilibre
e2a08d2365
Only allow C-S device scopes when the C-S API scope has been requested
It'd be weird for a client to request a device on the client-server API but yet not request any client-server API scopes to use it with.
By adding this restriction, we can then create a partial index on the oauth2_sessions table to quickly identify sessions that have C-S API scopes and use this as a proxy metric for how many sessions may have device scopes.
This in turn makes it feasible to efficiently limit the number of 'devices' a user has, or more precisely: the number of sessions with client-server API access.
We can't do the same for device scopes themselves because, other than nastiness like parsing the JSON stringification of the scope list, it's not feasible to identify device scopes within a Postgres index predicate.
Part of: #4339
2025-10-31 15:17:39 +00:00
Olivier 'reivilibre
532e4a4794
Update tests to prepare for needing C-S API scope
2025-10-31 15:12:45 +00:00
Olivier 'reivilibre
560ebc2202
Drive-by podman Makefile fix
2025-10-31 15:07:29 +00:00
Quentin Gliech
e4844968d3
Add a configuration option to make email optional for password registration
2025-10-07 17:28:01 +02:00
Quentin Gliech
4bccafa69f
Allow more characters in redirect URI paths (#4975)
2025-09-12 14:51:36 +02:00
Quentin Gliech
80825d28ce
Fix reference to the regal image
2025-09-12 10:58:55 +02:00
Quentin Gliech
a5e75541ef
Upgrade OPA and regal to latest versions
2025-09-12 10:52:39 +02:00
Andrew Ferrazzutti
d49ff70640
Don't mistakenly invoke a regex range expression
2025-09-03 12:56:21 -04:00
Andrew Ferrazzutti
cf9d7052c7
Allow more characters in redirect URI paths
Allow all unreserved characters permitted in URI paths according to
https://www.rfc-editor.org/rfc/rfc3986#section-3.3
2025-09-03 11:29:49 -04:00
Quentin Gliech
7e018a06aa
Merge remote-tracking branch 'origin/main' into quenting/stable-api
2025-08-04 16:38:49 +02:00
Quentin Gliech
64f5bba26d
Allow the stable scope in the policy
2025-06-13 15:55:22 +02:00
Quentin Gliech
a35db23b31
Upgrade schemars to 0.9
2025-06-12 15:48:24 +02:00
Quentin Gliech
c3707c13ae
Add license headers in most files that missed them
2025-06-12 11:01:07 +02:00
Michael Telatynski
6ecc150def
delint
2025-05-28 14:57:51 +01:00
Michael Telatynski
2685133410
Add tests
2025-05-28 14:53:19 +01:00
Michael Telatynski
e64cd84081
Fix client_registration URI regex not accepting full query string grammar
2025-05-13 11:28:56 +01:00
Michael Telatynski
ba986d36f9
Move the test
2025-05-08 08:41:26 +01:00
Michael Telatynski
e5a2debd4c
Allow non-default https port
2025-05-08 08:39:37 +01:00
Michael Telatynski
ccdbf69e5f
opa fmt
2025-05-07 18:52:01 +01:00
Michael Telatynski
5ec9bfc7fa
Fix MSC2966 compliance around redirect_uri validity
Fixes https://github.com/element-hq/matrix-authentication-service/issues/4528
2025-05-07 18:49:52 +01:00
Quentin Gliech
d40fdbd995
Allow banning/allowing username patterns during registration
2025-03-03 10:31:14 +01:00
Quentin Gliech
7c09b4510b
Update OPA and Regal to their latest versions
2025-02-18 11:48:44 +01:00
Quentin Gliech
0ab0f13c7c
Match suffixes and prefixes in string constraints
2025-02-17 16:40:10 +01:00
Quentin Gliech
af569d9642
Built-in support for banning IPs, user agents and email patterns
2025-02-17 15:34:46 +01:00
Quentin Gliech
0eb6638e41
Expose the user agent string to the policy execution context
2025-02-17 11:51:26 +01:00
Quentin Gliech
aa6436aa1a
Allow banning registrations by IP address
2025-02-17 10:18:11 +01:00
Quentin Gliech
67468ca0bc
Remove the unused password input schema
2025-02-17 10:17:30 +01:00
Quentin Gliech
d16049524b
Propagate more specific error messages from the policy on registration
This makes some policy errors translatable
2025-01-06 10:15:08 +01:00
Quentin Gliech
2820794c8d
Allow longer & shorter usernames, complying with the MXID length spec
2025-01-06 10:15:08 +01:00
Quentin Gliech
881c6df5cc
Set up Regal to lint policies and clean them up
2024-12-19 11:08:57 +01:00
Quentin Gliech
4ccce4de46
Remove the contacts requirement from the client registration policy
2024-09-20 20:39:04 +02:00
reivilibre
1afd2a2906
Remove OPA-based password policy enforcement (#2875)
Co-authored-by: Quentin Gliech <quenting@element.io>
2024-07-16 14:33:04 +01:00
Quentin Gliech
fbb8044dbd
Bump OPA
2024-05-07 07:32:02 +02:00
Quentin Gliech
3ea24dc8e5
Remove the invalid characters OPA policy tests
2024-05-03 16:56:56 +02:00
Quentin Gliech
6db50f098d
Allow more characters in device IDs
2024-05-03 16:56:56 +02:00
Alex Babel
5d85d0fb65
Increase allowed username length to 64 in the default policy (#2471)
2024-03-18 10:58:21 +00:00