Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Drop support for calling /_matrix/client/v3/rooms/{roomId}/invite without an id_access_token #13206

Closed
richvdh opened this issue Jul 6, 2022 · 3 comments · Fixed by #13241
Closed

Drop support for calling /_matrix/client/v3/rooms/{roomId}/invite without an id_access_token #13206

richvdh opened this issue Jul 6, 2022 · 3 comments · Fixed by #13241
Labels
A-Spec-Compliance places where synapse does not conform to the spec T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@richvdh
Copy link
Member

richvdh commented Jul 6, 2022

The 3pid-invite version of POST /_matrix/client/v3/rooms/{roomId}/invite (spec) has id_access_token as a required parameter.

We currently accept requests without an id_access_token, and then call /_matrix/identity/api/v1/lookup, which was removed from the spec over a year ago (matrix-org/matrix-spec-proposals#2713).

Instead, we should simply reject any requests that do not pass an id_access_token.
@richvdh
Copy link
Member Author

richvdh commented Jul 6, 2022

We should also give sending 3pid invites via /createRoom the same treatment for the same reasons.

@richvdh richvdh added A-Spec-Compliance places where synapse does not conform to the spec T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. labels Jul 6, 2022
This was referenced Jul 6, 2022
Closed
Closed
@richvdh
Copy link
Member Author

richvdh commented Jul 6, 2022

Judging from the matrix.org access logs, it seems that both element-web (element-hq/element-web#22757) and element-ios (element-hq/element-ios#6385) currently make such requests, so we'll need to get this fixed there first.

@richvdh
Copy link
Member Author

richvdh commented Jul 6, 2022

Using these endpoints without an id_access_token means that:

  • we call /_matrix/identity/api/v1/lookup instead of /_matrix/identity/api/v2/lookup to look up the threepid
  • we call /_matrix/identity/api/v1/store_invite instead of /_matrix/identity/api/v2/store_invite to store the invite
  • we use /_matrix/identity/api/v1/pubkey/isvalid instead of /_matrix/identity/api/v2/pubkey/isvalid as the key validity url in the generated invite event.

This was referenced Jul 6, 2022
Open
Open
@Vetchu Vetchu mentioned this issue Jul 11, 2022
Merged
4 tasks
richvdh pushed a commit that referenced this issue Aug 31, 2022
@Vetchu
Drop support for calling /_matrix/client/v3/rooms/{roomId}/invite w…
84ddcd7 
…ithout an `id_access_token` (#13241)

Fixes #13206

Signed-off-by: Jacek Kusnierz jacek.kusnierz@tum.de
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
A-Spec-Compliance places where synapse does not conform to the spec T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
Projects
None yet
Milestone
No milestone
1 participant
@richvdh