Skip to content

Commit

Permalink
Add registration token UIA type (#3616)
Browse files Browse the repository at this point in the history
* Add registration token UIA type

MSC: #3231

**Note**: This introduces the endpoint as v1 rather than r0 given the global versioning changes landed between the acceptance of the MSC and now.

* Fix swagger

* Changelogs

* Update data/api/client-server/registration_tokens.yaml

Co-authored-by: Hubert Chathi <[email protected]>

Co-authored-by: Hubert Chathi <[email protected]>
  • Loading branch information
turt2live and uhoreg authored Jan 5, 2022
1 parent 20bd445 commit e405707
Show file tree
Hide file tree
Showing 4 changed files with 126 additions and 0 deletions.
1 change: 1 addition & 0 deletions changelogs/client_server/newsfragments/3616.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add token-authenticated registration support as per [MSC3231](https://github.com/matrix-org/matrix-doc/pull/3231).
1 change: 1 addition & 0 deletions changelogs/client_server/newsfragments/3616.new
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add `/register/m.login.registration_token/validity` as per [MSC3231](https://github.com/matrix-org/matrix-doc/pull/3231).
44 changes: 44 additions & 0 deletions content/client-server-api/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -618,6 +618,7 @@ This specification defines the following auth types:
- `m.login.email.identity`
- `m.login.msisdn`
- `m.login.dummy`
- `m.login.registration_token`

##### Password-based

Expand Down Expand Up @@ -789,6 +790,49 @@ just the type and session, if provided:
}
```

##### Token-authenticated registration

{{% added-in v="1.2" %}}

| Type | Description |
|-------------------------------|-------------------------------------------------------------------|
| `m.login.registration_token` | Registers an account with a pre-shared token for authentication |

{{% boxes/note %}}
The `m.login.registration_token` authentication type is only valid on the
[`/register`](#post_matrixclientv3register) endpoint.
{{% /boxes/note %}}

This authentication type provides homeservers the ability to allow registrations
to a limited set of people instead of either offering completely open registrations
or completely closed registration (where the homeserver administrators create
and distribute accounts).

The token required for this authentication type is shared out of band from
Matrix and is an opaque string with maximum length of 64 characters in the
range `[A-Za-z0-9._~-]`. The server can keep any number of tokens for any
length of time/validity. Such cases might be a token limited to 100 uses or
for the next 2 hours - after the tokens expire, they can no longer be used
to create accounts.

To use this authentication type, clients should submit an auth dict with just
the type, token, and session:

```json
{
"type": "m.login.registration_token",
"token": "fBVFdqVE",
"session": "<session ID>"
}
```

To determine if a token is valid before attempting to use it, the client can
use the `/validity` API defined below. The API doesn't guarantee that a token
will be valid when used, but does avoid cases where the user finds out late
in the registration process that their token has expired.

{{% http-api spec="client-server" api="registration_tokens" %}}

#### Fallback

Clients cannot be expected to be able to know how to process every
Expand Down
80 changes: 80 additions & 0 deletions data/api/client-server/registration_tokens.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
# Copyright 2022 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
swagger: '2.0'
info:
title: "Matrix Client-Server Registration Token API"
version: "1.0.0"
host: localhost:8008
schemes:
- https
- http
basePath: /_matrix/client/v1
consumes:
- application/json
produces:
- application/json
paths:
"/register/m.login.registration_token/validity":
get:
x-addedInMatrixVersion: "1.2"
summary: Query if a given registration token is still valid.
description: |-
Queries the server to determine if a given registration token is still
valid at the time of request. This is a point-in-time check where the
token might still expire by the time it is used.
Servers should be sure to rate limit this endpoint to avoid brute force
attacks.
operationId: registrationTokenValidity
parameters:
- in: query
name: token
type: string
x-example: "fBVFdqVE"
required: true
description: The token to check validity of.
responses:
200:
description: The check has a result.
examples:
application/json: {
"valid": true
}
schema:
type: object
properties:
valid:
type: boolean
description: |-
True if the token is still valid, false otherwise. This should
additionally be false if the token is not a recognised token by
the server.
required: ['valid']
403:
description: |-
The homeserver does not permit registration and thus all tokens are
considered invalid.
examples:
application/json: {
"errcode": "M_FORBIDDEN",
"error": "Registration is not enabled on this homeserver."
}
schema:
"$ref": "definitions/errors/error.yaml"
429:
description: This request was rate-limited.
schema:
"$ref": "definitions/errors/rate_limited.yaml"
tags:
- Account management

0 comments on commit e405707

Please sign in to comment.