Skip to content

Update MSC4190 support - allow appservices to reset cross-signing keys without without UIA #18946

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Sep 22, 2025
Merged

Update MSC4190 support - allow appservices to reset cross-signing keys without without UIA #18946

merged 7 commits into from
Sep 22, 2025

Conversation

@tulir
Copy link
Contributor

@tulir tulir commented Sep 21, 2025
edited by MadLittleMods
Loading

Update MSC4190 (Device management for application services) to return correct errors and allow appservices to reset cross-signing keys without user-interactive authentication

@tulir tulir requested a review from a team as a code owner September 21, 2025 11:54
@tulir tulir mentioned this pull request Sep 21, 2025
Merged
onestacked
onestacked reviewed Sep 21, 2025
View reviewed changes
synapse/storage/databases/main/appservice.py
hs.hostname, hs.config.appservice.app_service_config_files
)
self.exclusive_user_regex = _make_exclusive_regex(self.services_cache)
# When OAuth is enabled, force all appservices to enable MSC4190 too.
Copy link

@onestacked onestacked Sep 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't MSC4190 only required when using encryption?

So unencrypted App services wouldn't need it from how I understood it.

Copy link
Contributor Author

@tulir tulir Sep 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The primary use case is encryption, but that's not the reason MSC4190 exists. Existing endpoints for appservices return access tokens, which is not possible when using native OAuth2. MSC4190 was made to solve any such incompatibilities.

anoadragon453
anoadragon453 approved these changes Sep 22, 2025
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes LGTM! Thanks for fixing up - and adding - tests.

@anoadragon453 anoadragon453 merged commit d80f515 into element-hq:develop Sep 22, 2025
40 checks passed
@MadLittleMods MadLittleMods changed the title Update MSC4190 support Update MSC4190 support - allow appservices to reset cross-signing keys without without UIA Sep 22, 2025
@anoadragon453 anoadragon453 mentioned this pull request Sep 23, 2025
Closed
AndrewFerr added a commit to element-hq/matrix-bot-sdk that referenced this pull request Sep 30, 2025
@AndrewFerr
Support appservice user registration with MSC4190
bcab9e2 
See element-hq/synapse#18946
AndrewFerr added a commit to element-hq/matrix-bot-sdk that referenced this pull request Oct 3, 2025
@AndrewFerr
Support appservice user registration with MSC4190 (#70)
46b6dc8 
See element-hq/synapse#18946
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Oct 8, 2025
chat/matrix-synapse: Update to 1.139.0
762c0cd 
# Synapse 1.139.0 (2025-09-30)

## Features

- Add experimental support for [MSC4308: Thread Subscriptions extension to Sliding Sync](matrix-org/matrix-spec-proposals#4308) when [MSC4306: Thread Subscriptions](matrix-org/matrix-spec-proposals#4306) and [MSC4186: Simplified Sliding Sync](matrix-org/matrix-spec-proposals#4186) are enabled. ([\#18695](element-hq/synapse#18695))
- Update push rules for experimental [MSC4306: Thread Subscriptions](matrix-org/matrix-spec-proposals#4306) to follow a newer draft. ([\#18846](element-hq/synapse#18846))
- Add `get_media_upload_limits_for_user` and `on_media_upload_limit_exceeded` module API callbacks to the media repository. ([\#18848](element-hq/synapse#18848))
- Support [MSC4169](matrix-org/matrix-spec-proposals#4169) for backwards-compatible redaction sending using the `/send` endpoint. Contributed by @SpiritCroc @ Beeper. ([\#18898](element-hq/synapse#18898))
- Add an in-memory cache to `_get_e2e_cross_signing_signatures_for_devices` to reduce DB load. ([\#18899](element-hq/synapse#18899))
- Update [MSC4190](matrix-org/matrix-spec-proposals#4190) support to return correct errors and allow appservices to reset cross-signing keys without user-interactive authentication. Contributed by @tulir @ Beeper. ([\#18946](element-hq/synapse#18946))

## Deprecations and Removals

- Remove obsolete and experimental `/sync/e2ee` endpoint. ([\#18583](element-hq/synapse#18583))

# Synapse 1.138.0 (2025-09-09)

## Features

- Support for the stable endpoint and scopes of [MSC3861](matrix-org/matrix-spec-proposals#3861) & co. ([\#18549](element-hq/synapse#18549))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anoadragon453 anoadragon453 anoadragon453 approved these changes

+1 more reviewer

@onestacked onestacked onestacked left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

A-Application-Service

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tulir @anoadragon453 @onestacked @MadLittleMods