Merge branch 'registration-token-in-config' into 'next'

add registration_token in default cfg and DEPLOY

See merge request famedly/conduit!557

conduit-example.toml

@@ -38,6 +38,12 @@ max_request_size = 20_000_000 # in bytes
 # Enables registration. If set to false, no users can register on this server.
 allow_registration = true
 
+# A static registration token that new users will have to provide when creating
+# an account. YOU NEED TO EDIT THIS.
+# - Insert a password that users will have to enter on registration
+# - Start the line with '#' to remove the condition
+registration_token = ""
+
 allow_federation = true
 allow_check_for_updates = true
 

debian/postinst

@@ -72,9 +72,22 @@ max_request_size = 20_000_000 # in bytes
 # Enables registration. If set to false, no users can register on this server.
 allow_registration = true
 
+# A static registration token that new users will have to provide when creating
+# an account.
+# - Insert a password that users will have to enter on registration
+# - Start the line with '#' to remove the condition
+#registration_token = ""
+
 allow_federation = true
 allow_check_for_updates = true
 
+# Enable the display name lightning bolt on registration.
+enable_lightning_bolt = true
+
+# Servers listed here will be used to gather public keys of other servers.
+# Generally, copying this exactly should be enough. (Currently, Conduit doesn't
+# support batched key requests, so this list should only contain Synapse
+# servers.)
 trusted_servers = ["matrix.org"]
 
 #max_concurrent_requests = 100 # How many requests Conduit sends to other servers at the same time

docs/deploying/docker-compose.for-traefik.yml

@@ -28,6 +28,7 @@ services:
             CONDUIT_PORT: 6167
             CONDUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
             CONDUIT_ALLOW_REGISTRATION: 'true'
+            #CONDUIT_REGISTRATION_TOKEN: '' # require password for registration
             CONDUIT_ALLOW_FEDERATION: 'true'
             CONDUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
             CONDUIT_TRUSTED_SERVERS: '["matrix.org"]'

docs/deploying/docker-compose.with-traefik.yml

@@ -31,14 +31,13 @@ services:
             ### Uncomment and change values as desired
             # CONDUIT_ADDRESS: 0.0.0.0
             # CONDUIT_PORT: 6167
+            # CONDUIT_REGISTRATION_TOKEN: '' # require password for registration
             # CONDUIT_CONFIG: '/srv/conduit/conduit.toml'  # if you want to configure purely by env vars, set this to an empty string ''
             # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
-            # CONDUIT_ALLOW_JAEGER: 'false'
             # CONDUIT_ALLOW_ENCRYPTION: 'true'
             # CONDUIT_ALLOW_FEDERATION: 'true'
             # CONDUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
             # CONDUIT_DATABASE_PATH: /srv/conduit/.local/share/conduit
-            # CONDUIT_WORKERS: 10
             # CONDUIT_MAX_REQUEST_SIZE: 20_000_000  # in bytes, ~20 MB
 
     # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container

src/api/client_server/account.rs

@@ -75,10 +75,7 @@ pub async fn get_register_available_route(
 /// - Creates a new account and populates it with default account data
 /// - If `inhibit_login` is false: Creates a device and returns device id and access_token
 pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> {
-    if !services().globals.allow_registration()
+    if !services().globals.allow_registration() && !body.from_appservice {
-        && !body.from_appservice
-        && services().globals.config.registration_token.is_none()
-    {
         return Err(Error::BadRequest(
             ErrorKind::Forbidden,
             "Registration has been disabled.",
@@ -130,21 +127,35 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
     };
 
     // UIAA
-    let mut uiaainfo = UiaaInfo {
+    let mut uiaainfo;
+    let skip_auth;
+    if services().globals.config.registration_token.is_some() {
+        // Registration token required
+        uiaainfo = UiaaInfo {
             flows: vec![AuthFlow {
-            stages: if services().globals.config.registration_token.is_some() {
+                stages: vec![AuthType::RegistrationToken],
-                vec![AuthType::RegistrationToken]
-            } else {
-                vec![AuthType::Dummy]
-            },
             }],
             completed: Vec::new(),
             params: Default::default(),
             session: None,
             auth_error: None,
         };
+        skip_auth = body.from_appservice;
+    } else {
+        // No registration token necessary, but clients must still go through the flow
+        uiaainfo = UiaaInfo {
+            flows: vec![AuthFlow {
+                stages: vec![AuthType::Dummy],
+            }],
+            completed: Vec::new(),
+            params: Default::default(),
+            session: None,
+            auth_error: None,
+        };
+        skip_auth = body.from_appservice || is_guest;
+    }
 
-    if !body.from_appservice && !is_guest {
+    if !skip_auth {
         if let Some(auth) = &body.auth {
             let (worked, uiaainfo) = services().uiaa.try_auth(
                 &UserId::parse_with_server_name("", services().globals.server_name())