v0.10.0-rc.0
Pre-release
Breaking changes
- Due to complexity in the build process and low demand, pre-built macOS binaries are not distributed anymore in releases. macOS is still supported when building from the sources
- Open password-based registration is disabled by default
- The basic password policy has been replaced
- Password-based logins and other actions are now rate-limited by default
- The GraphQL API is now internal-only by default, replaced by the new Admin API
New features
CAPTCHA protection on the registration form
Password-based registration can now be protected with a CAPTCHA challenge. MAS supports Google’s reCAPTCHA, hCAPTCHA, as well as Cloudflare Turnstile
Email-based password recovery
When enabled, this feature allows users to recover their account, by sending a link to their confirmed email addresses.
Self-service password change
In addition to password recovery, users can change their password themselves through the new password-change interface
Admin API
Need to build administrative or automation tools for MAS? Check out the new admin API!
This replaces the GraphQL API, which is now restricted to internal use by default. If you rely on the GraphQL API through an OAuth 2.0 token, you need to set the undocumented_oauth2_access setting on the graphql listener.
Proper password complexity calculation
To make sure your users have strong-enough passwords, MAS now calculates password complexity using the popular zxcvbn algorithm. This algorithm gives a score from 0 to 4, with suggestions on how to improve the password. By default, MAS will require new passwords to have a score of at least 3, which is a good balance between security and convenience.
This means that the parameters to set a minimum password length and require some symbols have been removed.
Rate-limiting
Some operations are more sensitive than others. You wouldn’t want someone to be able to brute force your password, would you? MAS will now rate-limit such operations, both per-IP and per account to avoid that. See the configuration documentation to learn more.
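The combination of a per-IP limit and a per-account limit is what stops both a single host hammering one account and a distributed attack spread across many hosts. The Python below is an added illustration written for this page, not MAS's own rate limiter: the Limit and LoginRateLimiter names, the burst and refill numbers, and the sample IP addresses are all constructed for the demonstration, and the actual MAS defaults and configuration keys are in the configuration documentation.

```python
"""Per-IP and per-account token-bucket rate limiting for password logins.

Added example, not MAS code. Every number and identifier below is an
assumption chosen for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Limit:
    burst: int         # requests that may arrive back-to-back from a cold start
    per_second: float  # sustained rate at which capacity is refilled


class TokenBuckets:
    """One token bucket per key (an IP address, an account name, ...)."""

    def __init__(self, limit: Limit) -> None:
        self.limit = limit
        # key -> (tokens remaining, timestamp of last update)
        self._state: Dict[str, Tuple[float, float]] = {}

    def _tokens(self, key: str, now: float) -> float:
        tokens, last = self._state.get(key, (float(self.limit.burst), now))
        refilled = tokens + (now - last) * self.limit.per_second
        return min(float(self.limit.burst), refilled)

    def would_allow(self, key: str, now: float) -> bool:
        return self._tokens(key, now) >= 1.0

    def consume(self, key: str, now: float) -> None:
        self._state[key] = (self._tokens(key, now) - 1.0, now)


class LoginRateLimiter:
    def __init__(self, per_ip: Limit, per_account: Limit) -> None:
        self.per_ip = TokenBuckets(per_ip)
        self.per_account = TokenBuckets(per_account)

    def check(self, ip: str, account: str, now: float) -> Tuple[bool, Optional[str]]:
        """Return (allowed, reason). Both dimensions are checked before either
        is charged, so a rejected attempt leaves both buckets untouched (a
        design choice for this example, not necessarily MAS's behaviour)."""
        if not self.per_ip.would_allow(ip, now):
            return False, "per_ip"
        if not self.per_account.would_allow(account, now):
            return False, "per_account"
        self.per_ip.consume(ip, now)
        self.per_account.consume(account, now)
        return True, None


def simulate(limiter: LoginRateLimiter,
             attempts: List[Tuple[float, str, str]]) -> List[str]:
    """Feed constructed (timestamp, ip, account) attempts through the limiter."""
    return [limiter.check(ip, acct, ts)[1] or "ok" for ts, ip, acct in attempts]


# Constructed limits: 3 attempts per IP then one every 20 s; 5 per account
# then one every 10 s. Real deployments tune these to their own traffic.
PER_IP = Limit(burst=3, per_second=0.05)
PER_ACCOUNT = Limit(burst=5, per_second=0.1)

# Scenario 1: one host tries "alice" once per second. Constructed data.
SINGLE_IP_ATTACK = [(float(t), "203.0.113.7", "alice") for t in range(6)]

# Scenario 2: eight different hosts each try "alice" once. Constructed data.
DISTRIBUTED_ATTACK = [(100.0 + i, f"198.51.100.{i}", "alice") for i in range(8)]


def run_scenarios() -> Dict[str, List[str]]:
    single = simulate(LoginRateLimiter(PER_IP, PER_ACCOUNT), SINGLE_IP_ATTACK)
    distributed = simulate(LoginRateLimiter(PER_IP, PER_ACCOUNT), DISTRIBUTED_ATTACK)
    return {"single_ip": single, "distributed": distributed}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

In the first scenario the per-IP bucket is exhausted after three attempts and the account bucket never comes into play; in the second, every host has a fresh per-IP bucket, so only the per-account bucket stops the attempt after five tries. Rejecting without charging either bucket means a blocked client cannot keep a legitimate user's account bucket pinned at zero.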
Other improvements
- Upstream OAuth 2.0 providers removed from the configuration are now automatically disabled when the server starts up. This means that you no longer need to run mas-cli config sync --prune to apply the change. They will still be kept in the database, to avoid losing existing links.
- The account management UI is generally faster, with a smaller initial loading time and prefetching of other pages
- Optional configuration sections are now truly optional. In 0.9.0 we made most configuration sections optional, but the upstream_oauth2 and clients sections were still required to start up. If you kept those to work around the bug in 0.9.0, you can now remove them if you don't use them.
- The syn2mas migration tool now supports TLS certificates when connecting to the Synapse and MAS PostgreSQL databases
- Administrators can choose whether their users are allowed to perform certain actions or not. In particular, self-service registration and email-based password recovery are disabled by default, and must be enabled in the account configuration section
- Administrators can also choose to disable the self-service password change functionality and prevent users from changing their display name or email address through the same configuration section
- Whenever a user logs in or logs out, the list of sessions is now fully synced with the homeserver, making it less likely for it to get out of sync
- A new CLI tool to help with registering users:
Docker image
Regular image:
- Digest:
ghcr.io/matrix-org/matrix-authentication-service@sha256:07d50fc40b0ad9fb3a6b4965fccd5129c2380718794d0ee17d0e9f17da46fa61
- Tags:
ghcr.io/matrix-org/matrix-authentication-service:0.10.0-rc.0 ghcr.io/matrix-org/matrix-authentication-service:sha-0d81cfd
Debug variant:
- Digest:
ghcr.io/matrix-org/matrix-authentication-service@sha256:735c0e9daaf9fe781648130d98a7375bfefb315b897ecbac1b1c8c2785a15196
- Tags:
ghcr.io/matrix-org/matrix-authentication-service:0.10.0-rc.0-debug ghcr.io/matrix-org/matrix-authentication-service:sha-0d81cfd-debug
syn2mas migration tool:
- Digest:
ghcr.io/matrix-org/matrix-authentication-service/syn2mas@sha256:b3686ccfead9af26e5970d5010845c977b00eadce96ec80c2f19aee838e656e6
- Tags:
ghcr.io/matrix-org/matrix-authentication-service/syn2mas:0.10.0-rc.0 ghcr.io/matrix-org/matrix-authentication-service/syn2mas:sha-0d81cfd