Implement /login/get_token #664

Merged (3 commits), Jan 17, 2025

Conversation

JadedBlueEyes (Contributor)

This is a component of QR login without OIDC. (the other one being the insecure rendezvous endpoint for encryption, also used for OIDC QR login)

It allows existing sessions to generate short-lived tokens which can be used to login a new session. Tokens are automatically deleted on use.
I've added two new config options, one allowing disabling the generation and usage of the tokens and the other setting the length the tokens are valid for (by default two minutes). For some reason, the example config isn't regenerating, though.

Calling the /login/get_token endpoint requires UIA. I've not been able to work out how to reject UIA sessions that have been used before (a security feature required by the spec). This might require storing additional state in the database.

I've also removed the undocumented jwt_secret option and related code - it seems this was a part of an SSO implementation. d49911c
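To make the described behaviour concrete (tokens issued by an already authenticated session, deleted on first use, valid for a configurable window that defaults to two minutes, plus the single-use UIA session check the description says is still missing), here is an added, self-contained Rust sketch. It is not the PR's or the project's code: the type and config names are assumptions, the sample user id is constructed, and the token generator derives bits from a randomly keyed SipHash purely so the example runs on the standard library; a real server would draw tokens from a cryptographic RNG.

```rust
use std::collections::hash_map::RandomState;
use std::collections::{HashMap, HashSet};
use std::hash::{BuildHasher, Hasher};
use std::time::Duration;

/// Stand-in for the two config options the PR describes; field names are
/// assumptions, not the project's real config keys.
#[derive(Clone, Debug)]
pub struct LoginTokenConfig {
    /// Disables both generation and redemption of login tokens.
    pub enabled: bool,
    /// How long an issued token may be redeemed (PR default: two minutes).
    pub validity: Duration,
}

impl Default for LoginTokenConfig {
    fn default() -> Self {
        Self { enabled: true, validity: Duration::from_secs(120) }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum TokenError {
    Disabled,
    Unknown,
    Expired,
}

struct Entry {
    user_id: String,
    expires_at: u64, // unix seconds
}

pub struct LoginTokenStore {
    config: LoginTokenConfig,
    tokens: HashMap<String, Entry>,
    /// UIA sessions that have already authorised one get_token call.
    used_uia_sessions: HashSet<String>,
    rng: RandomState,
    counter: u64,
}

impl LoginTokenStore {
    pub fn new(config: LoginTokenConfig) -> Self {
        Self {
            config,
            tokens: HashMap::new(),
            used_uia_sessions: HashSet::new(),
            rng: RandomState::new(),
            counter: 0,
        }
    }

    /// 128 pseudo-random bits from a randomly keyed SipHash. Stand-in only:
    /// a real server must use a CSPRNG here.
    fn random_token(&mut self) -> String {
        self.counter += 1;
        let mut a = self.rng.build_hasher();
        a.write_u64(self.counter);
        let mut b = self.rng.build_hasher();
        b.write_u64(self.counter);
        b.write_u8(1);
        format!("{:016x}{:016x}", a.finish(), b.finish())
    }

    /// Issue a short-lived token for a user who has already passed UIA.
    pub fn issue(&mut self, user_id: &str, now: u64) -> Result<String, TokenError> {
        if !self.config.enabled {
            return Err(TokenError::Disabled);
        }
        let token = self.random_token();
        let expires_at = now.saturating_add(self.config.validity.as_secs());
        self.tokens.insert(token.clone(), Entry { user_id: user_id.to_owned(), expires_at });
        Ok(token)
    }

    /// Redeem a token for m.login.token. The entry is removed before the
    /// expiry check, so a token is gone after its first presentation whether
    /// or not that presentation succeeded.
    pub fn redeem(&mut self, token: &str, now: u64) -> Result<String, TokenError> {
        if !self.config.enabled {
            return Err(TokenError::Disabled);
        }
        let entry = self.tokens.remove(token).ok_or(TokenError::Unknown)?;
        if now >= entry.expires_at {
            return Err(TokenError::Expired);
        }
        Ok(entry.user_id)
    }

    /// Record that a completed UIA session was spent on one get_token call.
    /// Returns false if it was already spent: the reuse check the PR
    /// description says needs server-side state.
    pub fn mark_uia_session_used(&mut self, session_id: &str) -> bool {
        self.used_uia_sessions.insert(session_id.to_owned())
    }
}

fn main() {
    let mut store = LoginTokenStore::new(LoginTokenConfig::default());
    let token = store.issue("@alice:example.org", 1_000).unwrap(); // constructed user id
    println!("first redeem:  {:?}", store.redeem(&token, 1_030));
    println!("second redeem: {:?}", store.redeem(&token, 1_031));
}
```

Removing the entry before checking expiry is the design choice worth noting: an expired token is discarded on its first presentation rather than lingering until a sweep, and a valid token can never be redeemed twice even if two requests race on the same single-threaded store.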

JadedBlueEyes (Contributor, Author) commented Jan 11, 2025

The entire flow can be verified to work like so:

# Nushell: log in with a password to obtain an access token for an existing session
let password = "<password>"
let identifier = {"type":"m.id.user","user":"@<user>:localhost" }
let first_login = http post "http://localhost:8008/_matrix/client/v3/login" { type: "m.login.password", password: $password, identifier: $identifier, "initial_device_display_name": "test (password)" }  -f -e --content-type application/json
# Use that session (bearer token plus UIA password auth) to request a short-lived login token
let token_request = http post "http://localhost:8008/_matrix/client/v1/login/get_token" -H [Authorization $"Bearer ($first_login.body.access_token)"] {"auth":{"type":"m.login.password","password":$password, identifier: $identifier }} -f -e --content-type application/json
# Redeem the login token to create a new session; the token is deleted on use
http post "http://localhost:8008/_matrix/client/v3/login" { type: "m.login.token", token: $token_request.body.login_token, "initial_device_display_name": "test (token)" }  -f -e --content-type application/json

girlbossceo (Owner) commented Jan 17, 2025

Pushed a couple of fixes, cleaned up code, and used database serialisations/deserialisations instead of the messy manual converting to/from byte slices and ad-hoc identifier parsing code. That stuff was only needed in Conduit where they don't have serialisation or deserialisation for keys/values like we do, hence the whole manual 0xFF byte slices, manually converting to/from Vec<u8>'s, manual parsing, etc.

If you can test and see if it all still works, that'd be appreciated, though on the surface it looks good now.

JadedBlueEyes (Contributor, Author)

Tested the new changes, everything works as expected (including token timeouts and non-reuse).

Good to know about the serde utilities, that's helpful.

@girlbossceo girlbossceo merged commit 5b84642 into girlbossceo:main Jan 17, 2025
8 checks passed