v0.10.0
Breaking changes
- Due to complexity in the build process and low demand, pre-built macOS binaries are not distributed anymore in releases. macOS is still supported when building from the sources
- Open password-based registration is disabled by default
- The basic password policy has been replaced
- Password-based logins and other actions are now rate-limited by default
- The GraphQL API is now internal-only by default, replaced by the new Admin API
Changes since 0.10.0-rc.0
- frontend: remove double separator when password auth is disabled in #3105
- Small documentation fixes in #3123
New features
CAPTCHA protection on the registration form
Password-based registration can now be protected with a CAPTCHA challenge. MAS supports Google’s reCAPTCHA and hCaptcha, as well as Cloudflare Turnstile
Email-based password recovery
When enabled, this feature allows users to recover their account by sending a link to their confirmed email addresses.
Self-service password change
In addition to password recovery, users can change their password themselves through the new password-change interface
Admin API
Need to build administrative or automation tools for MAS? Check out the new admin API!
This replaces the GraphQL API, which is now restricted for internal use by default. If you rely on the GraphQL API through an OAuth 2.0 token, you need to set the undocumented_oauth2_access setting on the graphql listener.
Proper password complexity calculation
To make sure your users have strong-enough passwords, MAS now calculates password complexity using the popular zxcvbn algorithm. This algorithm gives a score from 0 to 4, with suggestions on how to improve the password. By default, MAS will require new passwords to have a score of at least 3, which strikes a good balance between security and convenience.
This means that the configuration parameters that set a minimum password length and required symbols have been removed.
Rate-limiting
Some operations are more sensitive than others. You wouldn’t want someone to be able to brute force your password, would you? MAS will now rate-limit such operations, both per-IP and per account to avoid that. See the configuration documentation to learn more.
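An added example (not taken from the release notes or the project's documentation) of a config.yaml fragment that turns the knobs this release introduces. Only the graphql listener resource, undocumented_oauth2_access and password_change_allowed appear on this page; every key marked ASSUMED, and all numeric values, are assumptions to check against the configuration documentation.

```yaml
# Added example: MAS 0.10.0 config fragment. Keys marked ASSUMED are not on
# the release-notes page; verify them against the configuration documentation.
http:
  listeners:
    - name: web
      resources:
        - name: graphql
          # Leave this unset (default: internal-only) unless a tool still
          # reaches the GraphQL API with an OAuth 2.0 token instead of the
          # new Admin API.
          undocumented_oauth2_access: true

passwords:                      # ASSUMED section name
  enabled: true
  # zxcvbn score 0..4; 3 is the release default, replacing the old
  # minimum-length / required-symbols parameters.
  minimum_complexity: 3         # ASSUMED key name

account:                        # ASSUMED section name ("account configuration section")
  password_registration_enabled: false   # ASSUMED; disabled by default in 0.10.0
  password_recovery_enabled: false       # ASSUMED; disabled by default in 0.10.0
  password_change_allowed: true
  displayname_change_allowed: true       # ASSUMED
  email_change_allowed: true             # ASSUMED

captcha:                        # ASSUMED section; omit to register without a challenge
  service: cloudflare_turnstile # ASSUMED value; recaptcha / hcaptcha are the alternatives
  site_key: "<site key placeholder>"
  secret_key: "<secret key placeholder>"

rate_limiting:                  # ASSUMED section; numbers are illustrative only
  login:
    per_ip:                     # limits password guessing from one address
      burst: 3
      per_second: 0.05
    per_account:                # limits guessing spread across many addresses
      burst: 1800
      per_second: 1
  registration:
    burst: 3
    per_second: 0.0008
  account_recovery:
    per_ip:
      burst: 3
      per_second: 0.0008
    per_address:                # per target email address
      burst: 3
      per_second: 0.0002
```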
Other improvements
- Upstream OAuth 2.0 providers removed from the configuration are now automatically disabled when the server starts up. This means that you no longer need to run mas-cli config sync --prune to apply the change. They will still be kept in the database, to avoid losing existing links.
- The account management UI is generally faster, with a smaller initial loading time and prefetching of other pages
- Optional configuration sections are now truly optional. In 0.9.0 we made most configuration sections optional, but the upstream_oauth2 and clients sections were still required to start up. If you kept those to work around the bug in 0.9.0, you can now remove them if you don’t use them.
- The syn2mas migration tool now supports TLS certificates when connecting to the Synapse and the MAS PostgreSQL databases
- Administrators can choose whether their users are allowed to perform certain actions or not. In particular, self-service registration and email-based password recovery are disabled by default, and must be enabled in the account configuration section
- Administrators can also choose to disable the self-service password change functionality and prevent users from changing their display name or email address through the same configuration section
- Whenever a user logs in or logs out, the list of sessions is now fully synced with the homeserver, making it less likely for it to get out of sync
- A new CLI tool to help register users:
Docker image
Regular image:
- Digest: ghcr.io/matrix-org/matrix-authentication-service@sha256:cdf3c4e39afa88297bfa72e317bbde929777bbb5ad1e01082ba74303c170333d
- Tags:
  - ghcr.io/matrix-org/matrix-authentication-service:0.10.0
  - ghcr.io/matrix-org/matrix-authentication-service:0.10
  - ghcr.io/matrix-org/matrix-authentication-service:0
  - ghcr.io/matrix-org/matrix-authentication-service:sha-d3eb5be
  - ghcr.io/matrix-org/matrix-authentication-service:latest
Debug variant:
- Digest: ghcr.io/matrix-org/matrix-authentication-service@sha256:468fec0860182ec7e7f4282a766ba134794356701636384d9363ef8d0c9e5a07
- Tags:
  - ghcr.io/matrix-org/matrix-authentication-service:0.10.0-debug
  - ghcr.io/matrix-org/matrix-authentication-service:0.10-debug
  - ghcr.io/matrix-org/matrix-authentication-service:0-debug
  - ghcr.io/matrix-org/matrix-authentication-service:sha-d3eb5be-debug
  - ghcr.io/matrix-org/matrix-authentication-service:latest-debug
syn2mas migration tool:
- Digest: ghcr.io/matrix-org/matrix-authentication-service/syn2mas@sha256:3c16bf6ea862152259294ab2317dbc296a8841688ecfce8688ae1f95c8485534
- Tags:
  - ghcr.io/matrix-org/matrix-authentication-service/syn2mas:0.10.0
  - ghcr.io/matrix-org/matrix-authentication-service/syn2mas:0.10
  - ghcr.io/matrix-org/matrix-authentication-service/syn2mas:0
  - ghcr.io/matrix-org/matrix-authentication-service/syn2mas:sha-d3eb5be
  - ghcr.io/matrix-org/matrix-authentication-service/syn2mas:latest
Full list of changes (excluding dependency upgrades)
- Allow disabling registrations by @sandhose in #2553
- Soft-delete upstream providers by @sandhose in #2581
- Don't format within eslint, use prettier standalone instead by @sandhose in #2589
- User registration CLI tool by @sandhose in #2634
- Allow restricting some self-service capabilities by @sandhose in #2562
- Fix navigation links in the frontend by using absolute URLs by @sandhose in #2715
- Relax alphabet restrictions on device IDs by @sandhose in #2718
- Skip the device code form when using the full verification URI by @sandhose in #2738
- Make the consent screens (almost completely) translatable by @sandhose in #2740
- Better organise the documentation, document the policy engine, the authorisation process and the scopes by @sandhose in #2637
- Always show the primary email first by @sandhose in #2767
- CAPTCHA verification during registration by @sandhose in #2759
- Don't panic when the repository fails on the introspection endpoint by @sandhose in #2774
- Minor drive-by tweaks by @reivilibre in #2779
- Merge the mas_graphql crate into the mas_handlers crate by @reivilibre in #2783
- Allow parameters in UserInfo endpoint's response's content-type by @zecakeh in #2808
- Add a setPassword GraphQL mutation for setting a user's password by @reivilibre in #2820
- Improve errors when MAS contacts the Synapse homeserver by @reivilibre in #2794
- Inject custom Jinja2 environment when rendering the subject template by @sandhose in #2847
- Fix param name in error messages on the compatibility SSO login errors by @sandhose in #2846
- GraphQL API: Add password_change_allowed to SiteConfig by @reivilibre in #2857
- Add Self-service Password Change by @reivilibre in #2863
- Remove the old password change page by @reivilibre in #2874
- Forgot password flow by @sandhose in #2866
- Make the b64decode filter try multiple base64 encoding variants by @sandhose in #2885
- Use a released version of opa-wasm by @sandhose in #2931
- Better support for secure database connections by @sandhose in #2945
- Hyper 1.x by @sandhose in #2944
- fix class-b RFC1918 network by @ctr49 in #2908
- GraphQL API to list users with a few filters by @sandhose in #2955
- Backend work to support minimum password complexity by @reivilibre in #2965
- Fully sync the devices with the homeserver by @sandhose in #2971
- Allow reactivating users on the homeserver by @sandhose in #2970
- Mark sessions as finished in bulk by @sandhose in #2977
- Remove OPA-based password policy enforcement by @reivilibre in #2875
- Deduplicate the query building logic for all dynamic filters by @sandhose in #2979
- frontend: Display and enforce password complexity on the change password screen by @reivilibre in #2972
- Code-split the password change route by @sandhose in #2981
- Add a filter for inactive sessions by @sandhose in #2983
- graphql: Add a SetPasswordByRecovery mutation to perform account recovery by @reivilibre in #2986
- frontend: refactor password change form to extract double-input password creation inputs as new component by @reivilibre in #2994
- update contributing docs with DCO by @joshsimmons in #2996
- OTEL: remove custom Header{Injector,Extractor} implementations by @sandhose in #3007
- Rework assets loading to fix splitting CSS chunks by @sandhose in #2985
- Account Recovery: replace the server-side rendered form with an interactive React-based form by @reivilibre in #3016
- Bootstrap a new REST-like admin API by @sandhose in #2993
- Rate-limit password-based login attempts by @sandhose in #3013
- graphql: Expose CAPTCHA config and whether password registration is enabled by @reivilibre in #3017
- Lazy load all routes in the frontend by @sandhose in #3033
- Stabilise and document the new account management options by @sandhose in #3034
- Make the optional configuration sections really optional by @sandhose in #3035
- Host a Swagger UI both in the static documentation and by the server by @sandhose in #3018
- Add admin API to create users by @sandhose in #3019
- Remove macOS binaries build in CI and remove cargo-zigbuild from Docker image by @sandhose in #2966
- Deactivate user admin API by @sandhose in #3030
- Unlock user admin API by @sandhose in #3023
- Lock user admin API by @sandhose in #3022
- Set password admin API by @sandhose in #3021
- syn2mas: only set the SSL options if we set any of them by @sandhose in #3089
- Localazy Download by @sandhose in #3091
- OAuth 2.0 sessions list and get admin APIs by @sandhose in #3031
- Document the admin API by @sandhose in #3038
- Disallow OAuth 2.0 use of the GraphQL API by default by @sandhose in #3092
- Add configuration for rate-limiting of logins, replacing hardcoded limits by @reivilibre in #3090
- Add rate-limiting for account recovery and registration by @reivilibre in #3093
- Set can_request_admin API by @sandhose in #3082
- frontend: remove double separator when password auth is disabled by @sandhose in #3105
- Small documentation fixes by @sandhose in #3123
Full Changelog: v0.9.0...v0.10.0