Add registration token UIA type (#3616)

* Add registration token UIA type

MSC: https://github.com/matrix-org/matrix-doc/pull/3231

**Note**: This introduces the endpoint as v1 rather than r0 given the global versioning changes landed between the acceptance of the MSC and now.

* Fix swagger

* Changelogs

* Update data/api/client-server/registration_tokens.yaml

Co-authored-by: Hubert Chathi <hubert@uhoreg.ca>

Co-authored-by: Hubert Chathi <hubert@uhoreg.ca>
pull/977/head
Travis Ralston 3 years ago committed by GitHub
parent 20bd445602
commit e4057072bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1 @@
Add token-authenticated registration support as per [MSC3231](https://github.com/matrix-org/matrix-doc/pull/3231).

@ -0,0 +1 @@
Add `/register/m.login.registration_token/validity` as per [MSC3231](https://github.com/matrix-org/matrix-doc/pull/3231).

@ -618,6 +618,7 @@ This specification defines the following auth types:
- `m.login.email.identity`
- `m.login.msisdn`
- `m.login.dummy`
- `m.login.registration_token`
##### Password-based
@ -789,6 +790,49 @@ just the type and session, if provided:
}
```
##### Token-authenticated registration
{{% added-in v="1.2" %}}
| Type | Description |
|-------------------------------|-------------------------------------------------------------------|
| `m.login.registration_token` | Registers an account with a pre-shared token for authentication |
{{% boxes/note %}}
The `m.login.registration_token` authentication type is only valid on the
[`/register`](#post_matrixclientv3register) endpoint.
{{% /boxes/note %}}
This authentication type provides homeservers the ability to allow registrations
to a limited set of people instead of either offering completely open registrations
or completely closed registration (where the homeserver administrators create
and distribute accounts).
The token required for this authentication type is shared out of band from
Matrix and is an opaque string with maximum length of 64 characters in the
range `[A-Za-z0-9._~-]`. The server can keep any number of tokens for any
length of time/validity. Such cases might be a token limited to 100 uses or
for the next 2 hours - after the tokens expire, they can no longer be used
to create accounts.
To use this authentication type, clients should submit an auth dict with just
the type, token, and session:
```json
{
"type": "m.login.registration_token",
"token": "fBVFdqVE",
"session": "<session ID>"
}
```
To determine if a token is valid before attempting to use it, the client can
use the `/validity` API defined below. The API doesn't guarantee that a token
will be valid when used, but does avoid cases where the user finds out late
in the registration process that their token has expired.
{{% http-api spec="client-server" api="registration_tokens" %}}
#### Fallback
Clients cannot be expected to be able to know how to process every

@ -0,0 +1,80 @@
# Copyright 2022 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
swagger: '2.0'
info:
title: "Matrix Client-Server Registration Token API"
version: "1.0.0"
host: localhost:8008
schemes:
- https
- http
basePath: /_matrix/client/v1
consumes:
- application/json
produces:
- application/json
paths:
"/register/m.login.registration_token/validity":
get:
x-addedInMatrixVersion: "1.2"
summary: Query if a given registration token is still valid.
description: |-
Queries the server to determine if a given registration token is still
valid at the time of request. This is a point-in-time check where the
token might still expire by the time it is used.
Servers should be sure to rate limit this endpoint to avoid brute force
attacks.
operationId: registrationTokenValidity
parameters:
- in: query
name: token
type: string
x-example: "fBVFdqVE"
required: true
description: The token to check validity of.
responses:
200:
description: The check has a result.
examples:
application/json: {
"valid": true
}
schema:
type: object
properties:
valid:
type: boolean
description: |-
True if the token is still valid, false otherwise. This should
additionally be false if the token is not a recognised token by
the server.
required: ['valid']
403:
description: |-
The homeserver does not permit registration and thus all tokens are
considered invalid.
examples:
application/json: {
"errcode": "M_FORBIDDEN",
"error": "Registration is not enabled on this homeserver."
}
schema:
"$ref": "definitions/errors/error.yaml"
429:
description: This request was rate-limited.
schema:
"$ref": "definitions/errors/rate_limited.yaml"
tags:
- Account management
Loading…
Cancel
Save