PublicMirrors/conduwuit-mirror
0
0
Fork 0
mirror of https://github.com/girlbossceo/conduwuit.git synced 2025-04-22 01:17:33 +00:00
Code Issues Projects Releases Packages Wiki Activity

improvement: registration token now only works when registration is enabled

Browse source 
Co-authored-by: Timo Kösters <timo@koesters.xyz>
Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-01-24 22:29:30 -05:00 committed by June
parent ab0b52ef1e
commit 4ac568769b
3 changed files with 53 additions and 33 deletions

23
conduwuit-example.toml
View file

@ -26,7 +26,7 @@
# Generally, copying this exactly should be enough. (Currently, conduwuit doesn't
# support batched key requests, so this list should only contain Synapse
# servers.) Defaults to `matrix.org`
#trusted_servers = ["matrix.org"]
# trusted_servers = ["matrix.org"]
@ -111,16 +111,17 @@ ip_range_denylist = [
# For private homeservers, this is best at false.
allow_guest_registration = false
# Vector list of servers that conduwuit will refuse to download remote media from
#prevent_media_downloads_from = ["example.com", "example.local"]
# Vector list of servers that conduwuit will refuse to download remote media from.
# No default.
# prevent_media_downloads_from = ["example.com", "example.local"]
# Enables open registration. If set to false, no users can register on this
# server (unless a token is configured).
# If set to true, users can register with no form of 2nd step only if you set
# server.
# If set to true without a token configured, users can register with no form of 2nd-
# step only if you set
# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to
# in your config. If you would like
# registration only via token reg, please set this to *false* and configure the
# `registration_token` key.
# true in your config. If you would like
# registration only via token reg, please configure the `registration_token` key.
allow_registration = false
# Please note that an open registration homeserver with no second-step verification
# is highly prone to abuse and potential defederation by homeservers, including
@ -132,8 +133,14 @@ allow_registration = false
registration_token = "change this token for something specific to your server"
# controls whether federation is allowed or not
# defaults to false
allow_federation = true
# controls whether users are allowed to create rooms.
# appservices and admins are always allowed to create rooms
# defaults to true
# allow_room_creation = true
# Set this to true to allow your server's public room directory to be federated.
# Set this to false to protect against /publicRooms spiders, but will forbid external users
# from viewing your server's public room directory. If federation is disabled entirely

53
src/api/client_server/account.rs
View file

@ -74,11 +74,8 @@ pub async fn get_register_available_route(
/// - Creates a new account and populates it with default account data
/// - If `inhibit_login` is false: Creates a device and returns device id and access_token
pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> {
if !services().globals.allow_registration()
&& !body.from_appservice
&& services().globals.config.registration_token.is_none()
{
info!("Registration disabled, no reg token configured, rejecting registration attempt for username {:?}", body.username);
if !services().globals.allow_registration() && !body.from_appservice {
info!("Registration disabled and request not from known appservice, rejecting registration attempt for username {:?}", body.username);
return Err(Error::BadRequest(
ErrorKind::Forbidden,
"Registration has been disabled.",
@ -89,10 +86,10 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
if is_guest
&& (!services().globals.allow_guest_registration()
|| (!services().globals.allow_registration()
|| (services().globals.allow_registration()
&& services().globals.config.registration_token.is_some()))
{
info!("Guest registration disabled / registration disabled with token configured, rejecting guest registration, initial device name: {:?}", body.initial_device_display_name);
info!("Guest registration disabled / registration enabled with token configured, rejecting guest registration, initial device name: {:?}", body.initial_device_display_name);
return Err(Error::BadRequest(
ErrorKind::GuestAccessForbidden,
"Guest registration is disabled.",
@ -144,21 +141,35 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
};
// UIAA
let mut uiaainfo = UiaaInfo {
flows: vec![AuthFlow {
stages: if services().globals.config.registration_token.is_some() {
vec![AuthType::RegistrationToken]
} else {
vec![AuthType::Dummy]
},
}],
completed: Vec::new(),
params: Default::default(),
session: None,
auth_error: None,
};
let mut uiaainfo;
let skip_auth;
if services().globals.config.registration_token.is_some() {
// Registration token required
uiaainfo = UiaaInfo {
flows: vec![AuthFlow {
stages: vec![AuthType::RegistrationToken],
}],
completed: Vec::new(),
params: Default::default(),
session: None,
auth_error: None,
};
skip_auth = body.from_appservice;
} else {
// No registration token necessary, but clients must still go through the flow
uiaainfo = UiaaInfo {
flows: vec![AuthFlow {
stages: vec![AuthType::Dummy],
}],
completed: Vec::new(),
params: Default::default(),
session: None,
auth_error: None,
};
skip_auth = body.from_appservice || is_guest;
}
if !body.from_appservice && !is_guest {
if !skip_auth {
if let Some(auth) = &body.auth {
let (worked, uiaainfo) = services().uiaa.try_auth(
&UserId::parse_with_server_name("", services().globals.server_name())

10
src/main.rs
View file

@ -155,9 +155,10 @@ async fn main() {
if config.allow_registration
&& !config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
&& config.registration_token.is_none()
{
error!("!! You have `allow_registration` enabled in your config which means you are allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n
If this is not the intended behaviour, please disable `allow_registration` and set a registration token.\n
error!("!! You have `allow_registration` enabled without a token configured in your config which means you are allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n
If this is not the intended behaviour, please set a registration token with the `registration_token` config option.\n
For security and safety reasons, conduwuit will shut down. If you are extra sure this is the desired behaviour you want, please set the following config option to true:
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`");
return;
@ -165,9 +166,10 @@ async fn main() {
if config.allow_registration
&& config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
&& config.registration_token.is_none()
{
warn!("Open registration is enabled via setting `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and `allow_registration` to true. You are expected to be aware of the risks now.\n
If this is not the desired behaviour, please disable `allow_registration` and set a registration token.");
warn!("Open registration is enabled via setting `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and `allow_registration` to true without a registration token configured. You are expected to be aware of the risks now.\n
If this is not the desired behaviour, please set a registration token.");
}
if config.allow_outgoing_presence {