Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Change the format of access tokens away from macaroons #5588

Merged
merged 15 commits into from
May 12, 2021

Conversation

richvdh
Copy link
Member

@richvdh richvdh commented Jul 2, 2019

Some history might be helpful here:

Access tokens were originally turned into macaroons back in 2015 (in #229 and #256); however, it has always been the case that as well as satisfying the caveats on the macaroons, the macaroon has to be stored in the database.

The fact that the access token has to be in the database meant that much of the power of macaroons was unusable (in particular, the ability to add third-party caveats), and much of the security they offer was redundant.

The spec, as far as I can recall, never required that access tokens be macaroons; matrix-org/matrix-spec-proposals#1204 discussed changing this but concluded that they should be left specified as opaque strings.

#4374 changed the behaviour of synapse again so that the macaroons were never validated (though the token still had to be in the database). The logic behind that change was somewhat tied up in CVE-2019-5885 (#4664).

Once #4374 landed, the macaroonness of the access tokens was completely redundant, and they could equally well be any cryptographically-secure random string. This PR therefore brings us back full circle.

The reasons for switching away from macaroons include:

  • they are over 300 bytes long, which is a significant overhead when they have
    to be attached to every single request.
  • generating macaroons (in particular, signing them) costs valuable CPU cycles.
  • it's generally confusing.

The format used in this PR changed a bit as we worked on it. We ended up with:

syt_<base64_localpart>_<20 random characters>_<base62 crc>

... mostly inspired by https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

Whereas access tokens were around 260 bytes before (depending on the length of your localpart and domain), they will now be around 45 bytes (depending on the length of your localpart).

@richvdh richvdh requested a review from a team July 2, 2019 10:09
@richvdh
Copy link
Member Author

richvdh commented Jul 3, 2019

I'm going to shelve this for now. It turns out we have some lua in our haproxy config which relies on access tokens looking like macaroons. I'm not sure the advantages of this change are worth the work.

@richvdh richvdh closed this Jul 3, 2019
@richvdh richvdh deleted the rav/soft_logout/kill_macaroons branch December 1, 2020 12:38
@richvdh richvdh restored the rav/soft_logout/kill_macaroons branch December 1, 2020 12:39
@richvdh
Copy link
Member Author

richvdh commented Mar 9, 2021

It turns out we have some lua in our haproxy config which relies on access tokens looking like macaroons.

this is no longer true, so we could revisit this I think.

@richvdh richvdh reopened this May 4, 2021
@richvdh richvdh force-pushed the rav/soft_logout/kill_macaroons branch from 8a2b6b2 to 25d9aa8 Compare May 4, 2021 17:36
@erikjohnston
Copy link
Member

It turns out we have some lua in our haproxy config which relies on access tokens looking like macaroons.

this is no longer true, so we could revisit this I think.

I wonder if we should still encode the user ID in the tokens somehow, in a way that haproxy can efficiently read? A couple of options here are:

  • Base64 encode the user ID (or localpart) then prepend the random string (after a deliminator). Then in haproxy we can use the field extractor to get something we can load balance on, and b64dec to get the actual user ID.
  • Hash the user ID, base64, truncate to ten bytes, then add the random string after. In haproxy we can then simply load balance on the first ten bytes (though we wouldn't be able to get the user ID).

@richvdh
Copy link
Member Author

richvdh commented May 7, 2021

yeah, that would probably make some sense.

Another thought is that we should probably take the opportunity to do something like https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/.

@erikjohnston erikjohnston removed the request for review from a team May 10, 2021 12:32
@erikjohnston
Copy link
Member

(I've taken this out of the review queue as Rich is planning on changing the format to incorporate some of the ideas above).

For a concrete suggestion: I think something like: syt_<base64 local part>_<random string> would work, it a) has a prefix to make it easily detectable and b) encodes the user local part in a way that can be extracted by haproxy (and anything else that can split by fields).

@richvdh richvdh force-pushed the rav/soft_logout/kill_macaroons branch from 3356497 to 55265e8 Compare May 11, 2021 10:38
@richvdh richvdh requested a review from a team May 11, 2021 13:12
@callahad
Copy link
Contributor

has a prefix to make it easily detectable

There's an RFC for this... let me dig it up

Copy link
Member

@erikjohnston erikjohnston left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this LGTM, modulo anything that Dan's RFC throws up.

Do we want to run this past the ops team to make sure we're not missing anything they'd like? (While we're here)

random_string = stringutils.random_string(20)
base = f"syt_{b64local}_{random_string}"

crc = base62_encode(crc32(base.encode("ascii")), minwidth=6)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we using base62 for the crc? Is that just how its typically done?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wfm

# we use the following format for access tokens:
# syt_<base64 local part>_<random string>_<base62 crc check>

b64local = unpaddedbase64.encode_base64(for_user.localpart.encode("utf-8"))
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a thought occurs. The use of base64 here means that access tokens will have to be correctly url-encoded when used in a query param.

maybe we should use a url-safe base64 encoding.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, hmm. Good point.

I had a quick look at haproxy support and it looks like b64dec only handles standard padded base64 (2.4 will have support for padded url safe base64 decoding). Don't that is a huge concern though, since I think conversion is relatively easy with simple string replacement?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

of course, we could just say that only people with spec-compliant mxids are allowed to use matrix, so it doesn't need encoding at all 😈

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love it :D

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this needs to particularly influence us; we should be deprecating and removing GET based access token use, as it's just a bad idea for http access logs outside of synapse, perhaps the effort of ensuring your access tokens are urlencoded correctly will push developers towards doing the right thing.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that's fair. it's really not that hard to do it right, even from a shell command.

@richvdh richvdh changed the title Switch to using opaque strings as access tokens Change the format of access tokens away from macaroons May 11, 2021
@callahad
Copy link
Contributor

Okay, I was thinking of RFC8959 which defines secret-token:... where the path is alphanumeric plus -._~!$&'()*+,;=:@, and arbitrary percent-encoded bytes.

I thought GH / Stripe / Slack were switching to that, but they're not. They're just doing their own thing.

@callahad
Copy link
Contributor

The GitHub / Slack / Stripe consensus seems to be:

  • Prefixes which encode company + token type (e.g., ghp vs gho for GitHub Personal access tokens vs GitHub OAuth access token)
  • Separating the prefix with a _ to avoid accidental collisions with randomly generated strings (SHAs, etc.)

GitHub also uses the last 6 characters of their tokens to embed a base62-encoded CRC32 checksum of the token

Their tokens are 40 characters long: prefix (3) + _ + token (30) + checksum (6). The token itself is case-sensitive alphanumeric. 30 characters of that yields 178 bits of entropy.

@richvdh
Copy link
Member Author

richvdh commented May 11, 2021

30 characters of that yields 178 bits of entropy.

for comparison: our 20 characters from a 52-character range gives 6.5*20 = 130 bits of entropy, though the attacker also has to match it up with the right localpart.

@richvdh richvdh enabled auto-merge (squash) May 12, 2021 13:42
@richvdh richvdh merged commit 7562d88 into develop May 12, 2021
@richvdh richvdh deleted the rav/soft_logout/kill_macaroons branch May 12, 2021 14:04
@callahad
Copy link
Contributor

I didn't actually see an approving review happen here? Did I miss it?

@babolivier
Copy link
Contributor

@erikjohnston said:

I think this LGTM, modulo anything that Dan's RFC throws up.

Though he didn't actually tick "approve".

@richvdh
Copy link
Member Author

richvdh commented May 12, 2021

what @babolivier said. I didn't consider it worth disturbing people again since everyone seemed to be in agreement. Sorry if that was presumptuous.

@callahad
Copy link
Contributor

callahad commented May 12, 2021

Had this gone back into the review queue, I think I would've raised the following queries:

  • The inclusion of b64local makes our tokens variable length, are we OK with that?
  • The base62 vocabulary we're using is in a different order than just base64 without the final two characters, are we OK with that? (b64 uses A-Za-z0-9+/, our b62 uses 0-9A-Za-z)
  • We're using unpadded base64, but haproxy's b64dec expects proper padding, are we OK with that?
  • Are we sure we're comfortable baking user identifiers into the token itself?
    • Is that a privacy risk? (e.g., inadvertently logging identifiable information)
    • Is that a DoS risk? (since similar local parts will encode similarly, and we'd presumably use these to direct traffic to workers per Erik's comment?)

Also, isn't the entropy 114 bits, not 130? math.log2(52**20)

@callahad
Copy link
Contributor

If I'm reading the code correctly, the regex to match a Synapse Access Token is:

syt_[a-zA-Z0-9+/]+_[a-zA-Z]{20}_[a-zA-Z0-9]{6}

The regex to match a GitHub Personal Access Token is

ghp_[a-zA-Z0-9]{36,}

...is the complexity in our format warranted?

@richvdh
Copy link
Member Author

richvdh commented May 12, 2021

Had this gone back into the review queue, I think I would've raised the following queries:

Most of these came up in online discussion as well. Thanks for raising them again, not least as a reminder to me to record the conclusions.

  • The inclusion of b64local makes our tokens variable length, are we OK with that?

They were variable length before and it was never a problem...

  • The base62 vocabulary we're using is in a different order than just base64 without the final two characters, are we OK with that? (b64 uses A-Za-z0-9+/, our b62 uses 0-9A-Za-z)

I couldn't find any sort of convention for b62 alphabets, but most implementations I found with googling used that alphabet. I don't think it matters too much.

  • We're using unpadded base64, but haproxy's b64dec expects proper padding, are we OK with that?

hrrrm, good question. I'd forgotten to address that. I think you can go from unpadded to padded base64 with a couple of string manipulations. Erik said "Don't that is a huge concern though, since I think conversion is relatively easy with simple string replacement?", though I'm not sure how you would actually do so,

  • Are we sure we're comfortable baking user identifiers into the token itself?
    • Is that a privacy risk? (e.g., inadvertently logging identifiable information)

Again, we've always done it before. I think if you're logging access tokens, you have bigger problems than the identifiable information.

  • Is that a DoS risk? (since similar local parts will encode similarly, and we'd presumably use these to direct traffic to workers per Erik's comment?)

I'm not quite sure what sort of attack you're envisaging here. Similar local parts will encode similarly, but likely we would use that as a hash key for a sticky routing table, rather than forcing particular local parts to route to particular backends.

Also, isn't the entropy 114 bits, not 130? math.log2(52**20)

errrr yes. log2(52**20) = 20 * log2(52) =~ 20 * 5.7 = 114. I don't know where I got 6.5 from before.

If I'm reading the code correctly, the regex to match a Synapse Access Token is:

syt_[a-zA-Z0-9+/]+_[a-zA-Z]{20}_[a-zA-Z0-9]{6}

Or possibly syt_[a-zA-Z0-9+/_]+. What's your objective here?

@callahad
Copy link
Contributor

callahad commented May 12, 2021

  • We're using unpadded base64, but haproxy's b64dec expects proper padding, are we OK with that?

hrrrm, good question. I'd forgotten to address that. I think you can go from unpadded to padded base64 with a couple of string manipulations. Erik said "Don't that is a huge concern though, since I think conversion is relatively easy with simple string replacement?", though I'm not sure how you would actually do so,

I understood Erik's comment to mean translating between urlsafe and normal base64 "with a couple of string manipulations", in the context of haproxy <2.4 not supporting the urlsafe variant

If I'm reading the code correctly, the regex to match a Synapse Access Token is:

syt_[a-zA-Z0-9+/]+_[a-zA-Z]{20}_[a-zA-Z0-9]{6}

Or possibly syt_[a-zA-Z0-9+/_]+. What's your objective here?

To unambiguously identify access tokens, e.g., to participate in programs like GitHub's Secret Scanning or to implement our own audits

@erikjohnston
Copy link
Member

  • We're using unpadded base64, but haproxy's b64dec expects proper padding, are we OK with that?

hrrrm, good question. I'd forgotten to address that. I think you can go from unpadded to padded base64 with a couple of string manipulations. Erik said "Don't that is a huge concern though, since I think conversion is relatively easy with simple string replacement?", though I'm not sure how you would actually do so,

I understood Erik's comment to mean translating between urlsafe and normal base64 "with a couple of string manipulations", in the context of haproxy <2.4 not supporting the urlsafe variant

FWIW the main use case is to route requests, where you don't need to decode the user ID and can just route based on the second field of the access token.

If I'm reading the code correctly, the regex to match a Synapse Access Token is:

syt_[a-zA-Z0-9+/]+_[a-zA-Z]{20}_[a-zA-Z0-9]{6}

Or possibly syt_[a-zA-Z0-9+/_]+. What's your objective here?

To unambiguously identify access tokens, e.g., to participate in programs like GitHub's Secret Scanning or to implement our own audits

If the goal is to provide a regex that is going to have the least false positives then having a more complicated regex will help that? It's going to be very rare for anyone to want to parse one of these tokens, so I don't think the complexity of the regex (in terms of number of characters) is a huge concern here.

@callahad
Copy link
Contributor

Works for me 👍

@erikjohnston
Copy link
Member

(Those were all good Qs though)

@richvdh
Copy link
Member Author

richvdh commented May 13, 2021

FWIW the main use case is to route requests, where you don't need to decode the user ID and can just route based on the second field of the access token.

in which case maybe we should just have used a hash and saved ourselves the bother of worrying about whether it is ok to encode the localpart in the access token 😇

However, I'm very much inclined to stick with what we have rather than agonise about it too much. (Though yes, all good questions worth discussing)

aaronraimist added a commit to aaronraimist/synapse that referenced this pull request May 19, 2021
Synapse 1.34.0 (2021-05-17)
===========================

This release deprecates the `room_invite_state_types` configuration setting. See the [upgrade notes](https://github.com/matrix-org/synapse/blob/release-v1.34.0/UPGRADE.rst#upgrading-to-v1340) for instructions on updating your configuration file to use the new `room_prejoin_state` setting.

This release also deprecates the `POST /_synapse/admin/v1/rooms/<room_id>/delete` admin API route. Server administrators are encouraged to update their scripts to use the new `DELETE /_synapse/admin/v1/rooms/<room_id>` route instead.

No significant changes since v1.34.0rc1.

Synapse 1.34.0rc1 (2021-05-12)
==============================

Features
--------

- Add experimental option to track memory usage of the caches. ([\matrix-org#9881](matrix-org#9881))
- Add support for `DELETE /_synapse/admin/v1/rooms/<room_id>`. ([\matrix-org#9889](matrix-org#9889))
- Add limits to how often Synapse will GC, ensuring that large servers do not end up GC thrashing if `gc_thresholds` has not been correctly set. ([\matrix-org#9902](matrix-org#9902))
- Improve performance of sending events for worker-based deployments using Redis. ([\matrix-org#9905](matrix-org#9905), [\matrix-org#9950](matrix-org#9950), [\matrix-org#9951](matrix-org#9951))
- Improve performance after joining a large room when presence is enabled. ([\matrix-org#9910](matrix-org#9910), [\matrix-org#9916](matrix-org#9916))
- Support stable identifiers for [MSC1772](matrix-org/matrix-spec-proposals#1772) Spaces. `m.space.child` events will now be taken into account when populating the experimental spaces summary response. Please see [the upgrade notes](https://github.com/matrix-org/synapse/blob/release-v1.34.0/UPGRADE.rst#upgrading-to-v1340) if you have customised `room_invite_state_types` in your configuration. ([\matrix-org#9915](matrix-org#9915), [\matrix-org#9966](matrix-org#9966))
- Improve performance of backfilling in large rooms. ([\matrix-org#9935](matrix-org#9935))
- Add a config option to allow you to prevent device display names from being shared over federation. Contributed by @aaronraimist. ([\matrix-org#9945](matrix-org#9945))
- Update support for [MSC2946](matrix-org/matrix-spec-proposals#2946): Spaces Summary. ([\matrix-org#9947](matrix-org#9947), [\matrix-org#9954](matrix-org#9954))

Bugfixes
--------

- Fix a bug introduced in v1.32.0 where the associated connection was improperly logged for SQL logging statements. ([\matrix-org#9895](matrix-org#9895))
- Correct the type hint for the `user_may_create_room_alias` method of spam checkers. It is provided a `RoomAlias`, not a `str`. ([\matrix-org#9896](matrix-org#9896))
- Fix bug where user directory could get out of sync if room visibility and membership changed in quick succession. ([\matrix-org#9910](matrix-org#9910))
- Include the `origin_server_ts` property in the experimental [MSC2946](matrix-org/matrix-spec-proposals#2946) support to allow clients to properly sort rooms. ([\matrix-org#9928](matrix-org#9928))
- Fix bugs introduced in v1.23.0 which made the PostgreSQL port script fail when run with a newly-created SQLite database. ([\matrix-org#9930](matrix-org#9930))
- Fix a bug introduced in Synapse 1.29.0 which caused `m.room_key_request` to-device messages sent from one user to another to be dropped. ([\matrix-org#9961](matrix-org#9961), [\matrix-org#9965](matrix-org#9965))
- Fix a bug introduced in v1.27.0 preventing users and appservices exempt from ratelimiting from creating rooms with many invitees. ([\matrix-org#9968](matrix-org#9968))

Updates to the Docker image
---------------------------

- Add `startup_delay` to docker healthcheck to reduce waiting time for coming online and update the documentation with extra options. Contributed by @maquis196. ([\matrix-org#9913](matrix-org#9913))

Improved Documentation
----------------------

- Add `port` argument to the Postgres database sample config section. ([\matrix-org#9911](matrix-org#9911))

Deprecations and Removals
-------------------------

- Mark as deprecated `POST /_synapse/admin/v1/rooms/<room_id>/delete`. ([\matrix-org#9889](matrix-org#9889))

Internal Changes
----------------

- Reduce the length of Synapse's access tokens. ([\matrix-org#5588](matrix-org#5588))
- Export jemalloc stats to Prometheus if it is being used. ([\matrix-org#9882](matrix-org#9882))
- Add type hints to presence handler. ([\matrix-org#9885](matrix-org#9885))
- Reduce memory usage of the LRU caches. ([\matrix-org#9886](matrix-org#9886))
- Add type hints to the `synapse.handlers` module. ([\matrix-org#9896](matrix-org#9896))
- Time response time for external cache requests. ([\matrix-org#9904](matrix-org#9904))
- Minor fixes to the `make_full_schema.sh` script. ([\matrix-org#9931](matrix-org#9931))
- Move database schema files into a common directory. ([\matrix-org#9932](matrix-org#9932))
- Add debug logging for lost/delayed to-device messages. ([\matrix-org#9959](matrix-org#9959))
vy-let added a commit to vy-let/synapse that referenced this pull request May 31, 2021
Synapse 1.34.0 (2021-05-17)
===========================

This release deprecates the `room_invite_state_types` configuration setting. See the [upgrade notes](https://github.com/matrix-org/synapse/blob/release-v1.34.0/UPGRADE.rst#upgrading-to-v1340) for instructions on updating your configuration file to use the new `room_prejoin_state` setting.

This release also deprecates the `POST /_synapse/admin/v1/rooms/<room_id>/delete` admin API route. Server administrators are encouraged to update their scripts to use the new `DELETE /_synapse/admin/v1/rooms/<room_id>` route instead.

No significant changes since v1.34.0rc1.

Synapse 1.34.0rc1 (2021-05-12)
==============================

Features
--------

- Add experimental option to track memory usage of the caches. ([\matrix-org#9881](matrix-org#9881))
- Add support for `DELETE /_synapse/admin/v1/rooms/<room_id>`. ([\matrix-org#9889](matrix-org#9889))
- Add limits to how often Synapse will GC, ensuring that large servers do not end up GC thrashing if `gc_thresholds` has not been correctly set. ([\matrix-org#9902](matrix-org#9902))
- Improve performance of sending events for worker-based deployments using Redis. ([\matrix-org#9905](matrix-org#9905), [\matrix-org#9950](matrix-org#9950), [\matrix-org#9951](matrix-org#9951))
- Improve performance after joining a large room when presence is enabled. ([\matrix-org#9910](matrix-org#9910), [\matrix-org#9916](matrix-org#9916))
- Support stable identifiers for [MSC1772](matrix-org/matrix-spec-proposals#1772) Spaces. `m.space.child` events will now be taken into account when populating the experimental spaces summary response. Please see [the upgrade notes](https://github.com/matrix-org/synapse/blob/release-v1.34.0/UPGRADE.rst#upgrading-to-v1340) if you have customised `room_invite_state_types` in your configuration. ([\matrix-org#9915](matrix-org#9915), [\matrix-org#9966](matrix-org#9966))
- Improve performance of backfilling in large rooms. ([\matrix-org#9935](matrix-org#9935))
- Add a config option to allow you to prevent device display names from being shared over federation. Contributed by @aaronraimist. ([\matrix-org#9945](matrix-org#9945))
- Update support for [MSC2946](matrix-org/matrix-spec-proposals#2946): Spaces Summary. ([\matrix-org#9947](matrix-org#9947), [\matrix-org#9954](matrix-org#9954))

Bugfixes
--------

- Fix a bug introduced in v1.32.0 where the associated connection was improperly logged for SQL logging statements. ([\matrix-org#9895](matrix-org#9895))
- Correct the type hint for the `user_may_create_room_alias` method of spam checkers. It is provided a `RoomAlias`, not a `str`. ([\matrix-org#9896](matrix-org#9896))
- Fix bug where user directory could get out of sync if room visibility and membership changed in quick succession. ([\matrix-org#9910](matrix-org#9910))
- Include the `origin_server_ts` property in the experimental [MSC2946](matrix-org/matrix-spec-proposals#2946) support to allow clients to properly sort rooms. ([\matrix-org#9928](matrix-org#9928))
- Fix bugs introduced in v1.23.0 which made the PostgreSQL port script fail when run with a newly-created SQLite database. ([\matrix-org#9930](matrix-org#9930))
- Fix a bug introduced in Synapse 1.29.0 which caused `m.room_key_request` to-device messages sent from one user to another to be dropped. ([\matrix-org#9961](matrix-org#9961), [\matrix-org#9965](matrix-org#9965))
- Fix a bug introduced in v1.27.0 preventing users and appservices exempt from ratelimiting from creating rooms with many invitees. ([\matrix-org#9968](matrix-org#9968))

Updates to the Docker image
---------------------------

- Add `startup_delay` to docker healthcheck to reduce waiting time for coming online and update the documentation with extra options. Contributed by @maquis196. ([\matrix-org#9913](matrix-org#9913))

Improved Documentation
----------------------

- Add `port` argument to the Postgres database sample config section. ([\matrix-org#9911](matrix-org#9911))

Deprecations and Removals
-------------------------

- Mark as deprecated `POST /_synapse/admin/v1/rooms/<room_id>/delete`. ([\matrix-org#9889](matrix-org#9889))

Internal Changes
----------------

- Reduce the length of Synapse's access tokens. ([\matrix-org#5588](matrix-org#5588))
- Export jemalloc stats to Prometheus if it is being used. ([\matrix-org#9882](matrix-org#9882))
- Add type hints to presence handler. ([\matrix-org#9885](matrix-org#9885))
- Reduce memory usage of the LRU caches. ([\matrix-org#9886](matrix-org#9886))
- Add type hints to the `synapse.handlers` module. ([\matrix-org#9896](matrix-org#9896))
- Time response time for external cache requests. ([\matrix-org#9904](matrix-org#9904))
- Minor fixes to the `make_full_schema.sh` script. ([\matrix-org#9931](matrix-org#9931))
- Move database schema files into a common directory. ([\matrix-org#9932](matrix-org#9932))
- Add debug logging for lost/delayed to-device messages. ([\matrix-org#9959](matrix-org#9959))
babolivier added a commit to matrix-org/synapse-dinsic that referenced this pull request Sep 1, 2021
Synapse 1.34.0 (2021-05-17)
===========================

This release deprecates the `room_invite_state_types` configuration setting. See the [upgrade notes](https://github.com/matrix-org/synapse/blob/release-v1.34.0/UPGRADE.rst#upgrading-to-v1340) for instructions on updating your configuration file to use the new `room_prejoin_state` setting.

This release also deprecates the `POST /_synapse/admin/v1/rooms/<room_id>/delete` admin API route. Server administrators are encouraged to update their scripts to use the new `DELETE /_synapse/admin/v1/rooms/<room_id>` route instead.

No significant changes since v1.34.0rc1.

Synapse 1.34.0rc1 (2021-05-12)
==============================

Features
--------

- Add experimental option to track memory usage of the caches. ([\#9881](matrix-org/synapse#9881))
- Add support for `DELETE /_synapse/admin/v1/rooms/<room_id>`. ([\#9889](matrix-org/synapse#9889))
- Add limits to how often Synapse will GC, ensuring that large servers do not end up GC thrashing if `gc_thresholds` has not been correctly set. ([\#9902](matrix-org/synapse#9902))
- Improve performance of sending events for worker-based deployments using Redis. ([\#9905](matrix-org/synapse#9905), [\#9950](matrix-org/synapse#9950), [\#9951](matrix-org/synapse#9951))
- Improve performance after joining a large room when presence is enabled. ([\#9910](matrix-org/synapse#9910), [\#9916](matrix-org/synapse#9916))
- Support stable identifiers for [MSC1772](matrix-org/matrix-spec-proposals#1772) Spaces. `m.space.child` events will now be taken into account when populating the experimental spaces summary response. Please see [the upgrade notes](https://github.com/matrix-org/synapse/blob/release-v1.34.0/UPGRADE.rst#upgrading-to-v1340) if you have customised `room_invite_state_types` in your configuration. ([\#9915](matrix-org/synapse#9915), [\#9966](matrix-org/synapse#9966))
- Improve performance of backfilling in large rooms. ([\#9935](matrix-org/synapse#9935))
- Add a config option to allow you to prevent device display names from being shared over federation. Contributed by @aaronraimist. ([\#9945](matrix-org/synapse#9945))
- Update support for [MSC2946](matrix-org/matrix-spec-proposals#2946): Spaces Summary. ([\#9947](matrix-org/synapse#9947), [\#9954](matrix-org/synapse#9954))

Bugfixes
--------

- Fix a bug introduced in v1.32.0 where the associated connection was improperly logged for SQL logging statements. ([\#9895](matrix-org/synapse#9895))
- Correct the type hint for the `user_may_create_room_alias` method of spam checkers. It is provided a `RoomAlias`, not a `str`. ([\#9896](matrix-org/synapse#9896))
- Fix bug where user directory could get out of sync if room visibility and membership changed in quick succession. ([\#9910](matrix-org/synapse#9910))
- Include the `origin_server_ts` property in the experimental [MSC2946](matrix-org/matrix-spec-proposals#2946) support to allow clients to properly sort rooms. ([\#9928](matrix-org/synapse#9928))
- Fix bugs introduced in v1.23.0 which made the PostgreSQL port script fail when run with a newly-created SQLite database. ([\#9930](matrix-org/synapse#9930))
- Fix a bug introduced in Synapse 1.29.0 which caused `m.room_key_request` to-device messages sent from one user to another to be dropped. ([\#9961](matrix-org/synapse#9961), [\#9965](matrix-org/synapse#9965))
- Fix a bug introduced in v1.27.0 preventing users and appservices exempt from ratelimiting from creating rooms with many invitees. ([\#9968](matrix-org/synapse#9968))

Updates to the Docker image
---------------------------

- Add `startup_delay` to docker healthcheck to reduce waiting time for coming online and update the documentation with extra options. Contributed by @maquis196. ([\#9913](matrix-org/synapse#9913))

Improved Documentation
----------------------

- Add `port` argument to the Postgres database sample config section. ([\#9911](matrix-org/synapse#9911))

Deprecations and Removals
-------------------------

- Mark as deprecated `POST /_synapse/admin/v1/rooms/<room_id>/delete`. ([\#9889](matrix-org/synapse#9889))

Internal Changes
----------------

- Reduce the length of Synapse's access tokens. ([\#5588](matrix-org/synapse#5588))
- Export jemalloc stats to Prometheus if it is being used. ([\#9882](matrix-org/synapse#9882))
- Add type hints to presence handler. ([\#9885](matrix-org/synapse#9885))
- Reduce memory usage of the LRU caches. ([\#9886](matrix-org/synapse#9886))
- Add type hints to the `synapse.handlers` module. ([\#9896](matrix-org/synapse#9896))
- Time response time for external cache requests. ([\#9904](matrix-org/synapse#9904))
- Minor fixes to the `make_full_schema.sh` script. ([\#9931](matrix-org/synapse#9931))
- Move database schema files into a common directory. ([\#9932](matrix-org/synapse#9932))
- Add debug logging for lost/delayed to-device messages. ([\#9959](matrix-org/synapse#9959))
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants