Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

user_password_login (compatibility) does not support fully qualified Matrix user IDs #3439

Open
spantaleev opened this issue Oct 29, 2024 · 0 comments
Open

user_password_login (compatibility) does not support fully qualified Matrix user IDs #3439

spantaleev opened this issue Oct 29, 2024 · 0 comments
Labels
A-Compatibility-Layer Related to the legacy Matrix authentication compatibility layer A-Spec-Compliance Divergence from the Matrix or the OAuth 2.0/OIDC specifications

Comments

@spantaleev
Copy link

The issue appears to be with this code: https://github.com/element-hq/matrix-authentication-service/blob/main/crates/handlers/src/compat/login.rs#L378-L395

As described in the spec for m.id.user, the user identifier (in the username variable) can either be the fully qualified Matrix user ID, or just the localpart of the user ID.

The code passes username directly to the repository's find_by_username which does a lookup against the database. The database only contains the localpart of user IDs, so matching only works with that.

When the user_password_login function is invoked with a username which is a fully qualified Matrix user ID, it will fail to find the user and will report it as missing.

I'm hitting this bug with anoadragon453/matrix-reminder-bot (built on matrix-nio), which:

  • insists on dealing with fully-qualified user IDs (trying to configure matrix.user_id with a localpart user ID makes it raise this error: matrix_reminder_bot.errors.ConfigError: matrix.user_id must be in the form @name:domain)
  • passes the fully-qualified user ID to the /_matrix/client/v3/login endpoint

Here's an example curl request that would trigger this issue:

curl -X POST \
http://matrix-authentication-service:8080/_matrix/client/v3/login \
-H "Content-Type: application/json" \
-d '{"type": "m.login.password", "identifier": {"type": "m.id.user", "user": "@bot.matrix-reminder-bot:example.com"}, "password": "...", "device_id": "REMINDER", "initial_device_display_name": "Reminder Bot"}'

Matrix Authentication Service would respond to this request with a generic response:

{"errcode": "M_FORBIDDEN", "error": "Invalid username/password"}

.. while actually logging the real issue:

ERROR http.server.request{otel.kind="server" otel.name="POST /_matrix/client/:version/login" network.protocol.name="http" network.protocol.version="1.1" http.request.method="POST" url.path="/_matrix/client/v3/login" url.scheme="http" http.route="/auth/_matrix/client/:version/login" user_agent.original="Python/3.12 aiohttp/3.10.10"}:handlers.compat.login.post: mas_handlers::compat::login: crates/handlers/src/compat/login.rs:219: error=user not found

matrix-reminder-bot (or rather, matrix-nio) would then be extra unhelpful and choke on the HTTP response:

nio.responses [WARNING] Error validating response: 'user_id' is a required property

If identifier.user in the JSON payload is adjusted to be a localpart user ID, Matrix Authentication Service successfully authentications the user.
@sandhose sandhose added A-Compatibility-Layer Related to the legacy Matrix authentication compatibility layer A-Spec-Compliance Divergence from the Matrix or the OAuth 2.0/OIDC specifications labels Oct 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-Compatibility-Layer Related to the legacy Matrix authentication compatibility layer A-Spec-Compliance Divergence from the Matrix or the OAuth 2.0/OIDC specifications
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@spantaleev @sandhose