You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
329 lines
13 KiB
YAML
329 lines
13 KiB
YAML
# Copyright 2016 OpenMarket Ltd
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
swagger: '2.0'
|
|
info:
|
|
title: "Matrix Client-Server Registration API"
|
|
version: "1.0.0"
|
|
host: localhost:8008
|
|
schemes:
|
|
- https
|
|
- http
|
|
basePath: /_matrix/client/%CLIENT_MAJOR_VERSION%
|
|
consumes:
|
|
- application/json
|
|
produces:
|
|
- application/json
|
|
paths:
|
|
"/register":
|
|
post:
|
|
summary: Register for an account on this homeserver.
|
|
description: |-
|
|
This API endpoint uses the `User-Interactive Authentication API`_.
|
|
|
|
Register for an account on this homeserver.
|
|
|
|
There are two kinds of user account:
|
|
|
|
- `user` accounts. These accounts may use the full API described in this specification.
|
|
|
|
- `guest` accounts. These accounts may have limited permissions and may not be supported by all servers.
|
|
|
|
parameters:
|
|
- in: query
|
|
name: kind
|
|
type: string
|
|
x-example: guest
|
|
required: false
|
|
default: user
|
|
enum:
|
|
- guest
|
|
- user
|
|
description: The kind of account to register. Defaults to `user`.
|
|
- in: body
|
|
name: body
|
|
schema:
|
|
type: object
|
|
properties:
|
|
auth:
|
|
description: |-
|
|
Additional authentication information for the
|
|
user-interactive authentication API. Note that this
|
|
information is *not* used to define how the registered user
|
|
should be authenticated, but is instead used to
|
|
authenticate the ``register`` call itself. It should be
|
|
left empty, or omitted, unless an earlier call returned an
|
|
response with status code 401.
|
|
"$ref": "definitions/auth_data.yaml"
|
|
bind_email:
|
|
type: boolean
|
|
description: |-
|
|
If true, the server binds the email used for authentication to
|
|
the Matrix ID with the ID Server.
|
|
example: false
|
|
username:
|
|
type: string
|
|
description: |-
|
|
The local part of the desired Matrix ID. If omitted,
|
|
the homeserver MUST generate a Matrix ID local part.
|
|
example: cheeky_monkey
|
|
password:
|
|
type: string
|
|
description: The desired password for the account.
|
|
example: ilovebananas
|
|
required: ["password"]
|
|
responses:
|
|
200:
|
|
description: The account has been registered.
|
|
examples:
|
|
application/json: |-
|
|
{
|
|
"user_id": "@cheeky_monkey:matrix.org",
|
|
"access_token": "abc123",
|
|
"home_server": "matrix.org",
|
|
"refresh_token": "def456"
|
|
}
|
|
schema:
|
|
type: object
|
|
properties:
|
|
user_id:
|
|
type: string
|
|
description: The fully-qualified Matrix ID that has been registered.
|
|
access_token:
|
|
type: string
|
|
description: |-
|
|
An access token for the account.
|
|
This access token can then be used to authorize other requests.
|
|
The access token may expire at some point, and if so, it SHOULD come with a ``refresh_token``.
|
|
There is no specific error message to indicate that a request has failed because
|
|
an access token has expired; instead, if a client has reason to believe its
|
|
access token is valid, and it receives an auth error, they should attempt to
|
|
refresh for a new token on failure, and retry the request with the new token.
|
|
refresh_token:
|
|
type: string
|
|
# TODO: Work out how to linkify /tokenrefresh
|
|
description: |-
|
|
(optional) A ``refresh_token`` may be exchanged for a new ``access_token`` using the /tokenrefresh API endpoint.
|
|
home_server:
|
|
type: string
|
|
description: The hostname of the homeserver on which the account has been registered.
|
|
400:
|
|
description: |-
|
|
Part of the request was invalid. This may include one of the following error codes:
|
|
|
|
* ``M_USER_IN_USE`` : The desired user ID is already taken.
|
|
* ``M_INVALID_USERNAME`` : The desired user ID is not a valid user name.
|
|
* ``M_EXCLUSIVE`` : The desired user ID is in the exclusive namespace
|
|
claimed by an application service.
|
|
|
|
These errors may be returned at any stage of the registration process,
|
|
including after authentication if the requested user ID was registered
|
|
whilst the client was performing authentication.
|
|
|
|
Homeservers MUST perform the relevant checks and return these codes before
|
|
performing User-Interactive Authentication, although they may also return
|
|
them after authentication is completed if, for example, the requested user ID
|
|
was registered whilst the client was performing authentication.
|
|
examples:
|
|
application/json: |-
|
|
{
|
|
"errcode": "M_USER_IN_USE",
|
|
"error": "Desired user ID is already taken."
|
|
}
|
|
401:
|
|
description: |-
|
|
The homeserver requires additional authentication information.
|
|
schema:
|
|
"$ref": "definitions/auth_response.yaml"
|
|
429:
|
|
description: This request was rate-limited.
|
|
schema:
|
|
"$ref": "definitions/error.yaml"
|
|
tags:
|
|
- User data
|
|
"/register/email/requestToken":
|
|
post:
|
|
summary: Requests a validation token be sent to the given email address for the purpose of registering an account
|
|
description: |-
|
|
Proxies the identity server API ``validate/email/requestToken``, but
|
|
first checks that the given email address is not already associated
|
|
with an account on this Home Server. Note that, for consistency,
|
|
this API takes JSON objects, though the Identity Server API takes
|
|
``x-www-form-urlencoded`` parameters. See the Identity Server API for
|
|
further information.
|
|
parameters:
|
|
- in: body
|
|
name: body
|
|
schema:
|
|
type: object
|
|
properties:
|
|
id_server:
|
|
type: string
|
|
description: The ID server to send the onward request to as a hostname with an appended colon and port number if the port is not the default.
|
|
example: "id.matrix.org"
|
|
client_secret:
|
|
type: string
|
|
description: Client-generated secret string used to protect this session
|
|
example: "this_is_my_secret_string"
|
|
email:
|
|
type: string
|
|
description: The email address
|
|
example: "example@example.com"
|
|
send_attempt:
|
|
type: number
|
|
description: Used to distinguish protocol level retries from requests to re-send the email.
|
|
example: "1"
|
|
required: ["client_secret", "email", "send_attempt"]
|
|
responses:
|
|
200:
|
|
description: |-
|
|
An email has been sent to the specified address.
|
|
Note that this may be an email containing the validation token or it may be informing
|
|
the user of an error.
|
|
examples:
|
|
application/json: "{}"
|
|
schema:
|
|
type: object
|
|
400:
|
|
description: |-
|
|
Part of the request was invalid. This may include one of the following error codes:
|
|
|
|
* ``M_THREEPID_IN_USE`` : The email address is already registered to an account on this server.
|
|
However, if the home server has the ability to send email, it is recommended that the server
|
|
instead send an email to the user with instructions on how to reset their password.
|
|
This prevents malicious parties from being able to determine if a given email address
|
|
has an account on the Home Server in question.
|
|
* ``M_SERVER_NOT_TRUSTED`` : The ``id_server`` parameter refers to an ID server
|
|
that is not trusted by this Home Server.
|
|
examples:
|
|
application/json: |-
|
|
{
|
|
"errcode": "M_THREEPID_IN_USE",
|
|
"error": "The specified address is already in use"
|
|
}
|
|
schema:
|
|
type: object
|
|
"/account/password":
|
|
post:
|
|
summary: "Changes a user's password."
|
|
description: |-
|
|
Changes the password for an account on this homeserver.
|
|
|
|
This API endpoint uses the `User-Interactive Authentication API`_.
|
|
|
|
An access token should be submitted to this endpoint if the client has
|
|
an active session.
|
|
|
|
The homeserver may change the flows available depending on whether a
|
|
valid access token is provided.
|
|
security:
|
|
- accessToken: []
|
|
parameters:
|
|
- in: body
|
|
name: body
|
|
schema:
|
|
type: object
|
|
properties:
|
|
new_password:
|
|
type: string
|
|
description: The new password for the account.
|
|
example: "ihatebananas"
|
|
auth:
|
|
description: |-
|
|
Additional authentication information for the user-interactive authentication API.
|
|
"$ref": "definitions/auth_data.yaml"
|
|
required: ["new_password"]
|
|
responses:
|
|
200:
|
|
description: The password has been changed.
|
|
examples:
|
|
application/json: "{}"
|
|
schema:
|
|
type: object
|
|
401:
|
|
description: |-
|
|
The homeserver requires additional authentication information.
|
|
schema:
|
|
"$ref": "definitions/auth_response.yaml"
|
|
429:
|
|
description: This request was rate-limited.
|
|
schema:
|
|
"$ref": "definitions/error.yaml"
|
|
tags:
|
|
- User data
|
|
"/account/password/email/requestToken":
|
|
post:
|
|
summary: Requests a validation token be sent to the given email address for the purpose of resetting a user's password
|
|
description: |-
|
|
Proxies the identity server API ``validate/email/requestToken``, but
|
|
first checks that the given email address **is** associated with an account
|
|
on this Home Server. This API should be used to request
|
|
validation tokens when authenticating for the
|
|
`account/password` endpoint. This API's parameters and response are
|
|
identical to that of the HS API |/register/email/requestToken|_ except that
|
|
`M_THREEPID_NOT_FOUND` may be returned if no account matching the
|
|
given email address could be found. The server may instead send an
|
|
email to the given address prompting the user to create an account.
|
|
`M_THREEPID_IN_USE` may not be returned.
|
|
|
|
.. |/register/email/requestToken| replace:: ``/register/email/requestToken``
|
|
|
|
.. _/register/email/requestToken: #post-matrix-client-%CLIENT_MAJOR_VERSION%-register-email-requesttoken
|
|
responses:
|
|
200:
|
|
description: An email was sent to the given address
|
|
"/account/deactivate":
|
|
post:
|
|
summary: "Deactivate a user's account."
|
|
description: |-
|
|
Deactivate the user's account, removing all ability for the user to
|
|
login again.
|
|
|
|
This API endpoint uses the `User-Interactive Authentication API`_.
|
|
|
|
An access token should be submitted to this endpoint if the client has
|
|
an active session.
|
|
|
|
The homeserver may change the flows available depending on whether a
|
|
valid access token is provided.
|
|
security:
|
|
- accessToken: []
|
|
parameters:
|
|
- in: body
|
|
name: body
|
|
schema:
|
|
type: object
|
|
properties:
|
|
auth:
|
|
description: |-
|
|
Additional authentication information for the user-interactive authentication API.
|
|
"$ref": "definitions/auth_data.yaml"
|
|
responses:
|
|
200:
|
|
description: The account has been deactivated.
|
|
examples:
|
|
application/json: "{}"
|
|
schema:
|
|
type: object
|
|
401:
|
|
description: |-
|
|
The homeserver requires additional authentication information.
|
|
schema:
|
|
"$ref": "definitions/auth_response.yaml"
|
|
429:
|
|
description: This request was rate-limited.
|
|
schema:
|
|
"$ref": "definitions/error.yaml"
|
|
tags:
|
|
- User data
|