dandri/matrix-authentication-service
1
0
Fork 0
mirror of https://github.com/element-hq/matrix-authentication-service.git synced 2026-05-15 14:36:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
6,987 Commits 93 Branches 87 Tags
cc37168b2ae54aa908a09b052d2e3a963de0c678
Commit Graph

6987 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Eric Eastwood cc37168b2a Fix styles 2026-05-06 21:33:20 -05:00
Eric Eastwood 50a6b88ca5 Automatic updates 2026-05-06 21:31:02 -05:00
Eric Eastwood 9b64b69bb4 Fix template not rendering and document reasoning 2026-05-06 21:29:57 -05:00
Eric Eastwood 373dcfb5ee Remove debug log 2026-05-06 11:20:35 -05:00
Eric Eastwood 6d1b91dd4f Fix client linking to none on policy violation screen 2026-05-06 11:19:54 -05:00
Eric Eastwood 771d818f6f Improve policy violation screen when client has no avatar (placeholder) (#5641) 
Spawning from testing https://github.com/element-hq/matrix-authentication-service/pull/5639 and seeing this visual bug/oddity.
 2026-04-28 14:27:48 -05:00
Eric Eastwood 4bf93cb160 Merge branch 'main' into madlittlemods/better-consent-when-idp-has-no-avatar 2026-04-28 14:00:44 -05:00
Eric Eastwood e1fa82f4dc Session hard limit automatic eviction in non-interactive contexts (dangerous_hard_limit_eviction) (#5607) 
Part of https://github.com/element-hq/matrix-authentication-service/issues/4339 / https://github.com/element-hq/backend-internal/issues/199 tracking work to limit number of devices.
 2026-04-28 13:04:19 -05:00
matrixbot 76c784e65e Automatic merge back to main (#5657) 2026-04-28 15:19:56 +02:00
github-actions[bot] d57ce87294 1.16.0 v1.16.0 2026-04-28 13:09:58 +00:00
Olivier 'reivilibre 447d1ea3cc rustls-webpki: 0.103.10 -> 0.103.13 
Addresses: https://rustsec.org/advisories/RUSTSEC-2026-0098
Addresses: https://rustsec.org/advisories/RUSTSEC-2026-0099
Addresses: https://rustsec.org/advisories/RUSTSEC-2026-0104
 2026-04-28 13:51:25 +01:00
Olivier 'reivilibre 6a8013d356 Translations updates for v1.16 (#5656) 2026-04-28 11:23:56 +00:00
github-actions[bot] b16e427f9f Translations updates 2026-04-28 11:13:14 +00:00
Eric Eastwood e9165887a1 Reference actual const in comment 2026-04-27 17:53:56 -05:00
Eric Eastwood 2c80015fc9 Remove MINIMUM_SESSIONS_TO_FETCH complexity 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3150594429
 2026-04-27 17:53:32 -05:00
Eric Eastwood caf3d97f5e Fix lints 2026-04-27 17:46:28 -05:00
Eric Eastwood b2d7ef9583 Better clarify MINIMUM_SESSIONS_TO_FETCH asserts 2026-04-27 17:44:40 -05:00
Eric Eastwood a06429a840 Merge branch 'main' into madlittlemods/hard_limit_eviction 2026-04-27 17:09:41 -05:00
Eric Eastwood dacbf90224 Also const assert how big MINIMUM_SESSIONS_TO_FETCH can be 2026-04-27 17:00:37 -05:00
Eric Eastwood 701da035f2 MINIMUM_SESSIONS_TO_FETCH as 2160 to accomodate script that runs each hour for the 90 day inactive threshold 2026-04-27 16:45:03 -05:00
Eric Eastwood 2c716b638a Explain minimum_sessions_to_fetch logic 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473846
 2026-04-27 15:59:00 -05:00
Eric Eastwood f17d9233a9 Add spec reference for 'device identity key' (cryptographic state/devices) 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473844
 2026-04-27 15:38:56 -05:00
Eric Eastwood 9506832343 Extract logic to find_lru_compat_sessions_flawed(...) to make the usage more clear 2026-04-27 15:35:26 -05:00
Eric Eastwood 4f660bd9ea Remove too-tight assertion around session_limit config when encountering violation 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473839
 2026-04-27 15:13:54 -05:00
Olivier 'reivilibre 6a99e56c8b Overwrite the URL fragment when redirecting to clients using query callback mode. (#5653) 
Without this fix, it's possible for the fragment part of the URI coming from the upstream OAuth provider to be forwarded on to the downstream client's redirect URI.

Facebook sets `#_=_` for security (they essentially clear the fragment in the same way this PR does, except they use this dummy value instead of emptying it) and when Element Web (prior to https://github.com/element-hq/element-web/pull/33100) receives this, it would sit with an infini-spinner (https://github.com/element-hq/element-web/issues/33096).

Although Element Web is now fixed, it's not unreasonable for us to strip this (there is potentially a light security angle to it, although mostly it's just not good form to forward junk on to the downstream client).

This PR:
- sets the fragment to `#` (i.e. empty string after the hash) in an effort to erase the current fragment
- unless the `redirect_uri` already includes a fragment, in which case we preserve it (as that will also overwrite the browser's current fragment)

The PR also introduces a characterisation test to show the before and after behaviour.
In a commit-by-commit review, the characterisation test passes before the actual change this PR introduces.

---

As noted on the issue, the 'fragment preserving' and 'fragment overwriting' behaviour is described in the WHATWG fetch spec:

> The location URL of a [response](https://fetch.spec.whatwg.org/#concept-response) response, given null or an [ASCII string](https://infra.spec.whatwg.org/#ascii-string) requestFragment, is the value returned by the following steps. They return null, failure, or a [URL](https://url.spec.whatwg.org/#concept-url).
> 
> 1.  If response’s [status](https://fetch.spec.whatwg.org/#concept-response-status) is not a [redirect status](https://fetch.spec.whatwg.org/#redirect-status), then return null.
> 2.  Let location be the result of [extracting header list values](https://fetch.spec.whatwg.org/#extract-header-list-values) given \``Location`\` and response’s [header list](https://fetch.spec.whatwg.org/#concept-response-header-list).
> 3.  If location is a [header value](https://fetch.spec.whatwg.org/#header-value), then set location to the result of [parsing](https://url.spec.whatwg.org/#concept-url-parser) location with response’s [URL](https://fetch.spec.whatwg.org/#concept-response-url).
>     
>     If response was constructed through the `[Response](https://fetch.spec.whatwg.org/#response)` constructor, response’s [URL](https://fetch.spec.whatwg.org/#concept-response-url) will be null, meaning that location will only parse successfully if it is an [absolute-URL-with-fragment string](https://url.spec.whatwg.org/#absolute-url-with-fragment-string).
>     
> 4.  **If location is a [URL](https://url.spec.whatwg.org/#concept-url) whose [fragment](https://url.spec.whatwg.org/#concept-url-fragment) is null, then set location’s [fragment](https://url.spec.whatwg.org/#concept-url-fragment) to requestFragment.**
>     
>     This ensures that synthetic (indeed, all) responses follow the processing model for redirects defined by HTTP. [\[HTTP\]](https://fetch.spec.whatwg.org/#biblio-http "HTTP Semantics")
>     
> 5.  Return location.
> 
> The [location URL](https://fetch.spec.whatwg.org/#concept-response-location-url) algorithm is exclusively used for redirect handling in this standard and in HTML’s navigate algorithm which handles redirects manually. [\[HTML\]](https://fetch.spec.whatwg.org/#biblio-html "HTML Standard")
> 
> — https://fetch.spec.whatwg.org/#concept-response-location-url [[snapshotted]](https://fetch.spec.whatwg.org/commit-snapshots/809904366f33a673a9489b81155ee9e3edd29c12/#concept-response-location-url)

I believe this is then invoked in https://html.spec.whatwg.org/#populating-a-session-history-entry (dig from the HTML navigate algorithm)
 2026-04-27 17:20:50 +00:00
Eric Eastwood 8ab60954cf Rename option dangerous_hard_limit_eviction 2026-04-24 19:12:58 -05:00
Eric Eastwood 3e871eb284 Time always goes forward 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473850
 2026-04-24 19:06:52 -05:00
Olivier 'reivilibre 76865b239a Simplify comment and test 2026-04-24 13:40:03 +01:00
Olivier 'reivilibre 1d428b0624 build(deps): bump rustls-webpki from 0.103.10 to 0.103.13 (#5650) 2026-04-23 16:32:09 +00:00
Olivier 'reivilibre f50d2e53cd Overwrite the fragment with # on query callback mode 2026-04-23 15:23:54 +01:00
Olivier 'reivilibre 29f7d986ee Add characterisation test 2026-04-23 15:21:35 +01:00
dependabot[bot] 8787fbb459 build(deps): bump rustls-webpki from 0.103.10 to 0.103.13 
Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.10 to 0.103.13.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](https://github.com/rustls/webpki/compare/v/0.103.10...v/0.103.13)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-23 01:20:28 +00:00
Eric Eastwood dcf42a842f Fix policy lints 2026-04-21 18:17:26 -05:00
Eric Eastwood 6b59e35583 Automatic formatting/linting and more at least typos 2026-04-21 18:09:19 -05:00
Eric Eastwood 6209a9125b Merge branch 'main' into madlittlemods/hard_limit_eviction 2026-04-21 18:04:59 -05:00
Eric Eastwood f30bf47e82 Add need_to_remove policy tests for authorization grant 2026-04-21 17:47:01 -05:00
Eric Eastwood abe4c35194 Add tests for need_to_remove 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473825
 2026-04-21 17:38:57 -05:00
Eric Eastwood 1b96000ced Use correct limit 2026-04-21 17:38:49 -05:00
Eric Eastwood 3d5c3b01a4 Fix session replacement tests 2026-04-21 17:35:23 -05:00
Eric Eastwood 4073c41958 Fix havea -> have a typo 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473853
 2026-04-21 16:07:01 -05:00
Eric Eastwood a92f040da2 Log removed session ID's 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473830
 2026-04-21 15:51:18 -05:00
Eric Eastwood 5458ef9b82 Expand need_to_remove docstring to explain what for 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473819
 2026-04-21 15:37:12 -05:00
Eric Eastwood 82376b5c06 Placeholder syntax 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473813
 2026-04-21 15:36:23 -05:00
Eric Eastwood 8cd3b451be catastrophically typo 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473807
 2026-04-21 15:23:54 -05:00
Eric Eastwood 49dea7ee61 No hypen grammar 
See https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473792
 2026-04-21 15:23:12 -05:00
Eric Eastwood 777f74be5d Clarify 90d inactive threshold 
See:

 - https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473863
 - https://github.com/element-hq/matrix-authentication-service/pull/5607#discussion_r3119473783
 2026-04-21 15:21:24 -05:00
Eric Eastwood b64afc33d3 Run sh ./misc/update.sh 2026-04-16 16:28:44 -05:00
Eric Eastwood cc1e26256e Improve consent screen when idenity provider has no avatar 2026-04-16 16:07:01 -05:00
matrixbot 64f90e01da Automatic merge back to main (#5634) 2026-04-14 14:33:56 +02:00
github-actions[bot] ba306d4bcb 1.16.0-rc.0 v1.16.0-rc.0 2026-04-14 12:23:53 +00:00