Admin API for creating new users #3415
Hum. Given this is making an API which is incompatible with both the existing APIs, I think we should take the opportunity to move this to a completely separate endpoint.
It fits badly under /r0/register, since (a) it skips user-interactive auth, and (b) it's synapse specific.
In short, I'm afraid I would prefer making (and documenting) yet a third version, and deprecating the existing APIs, with a view to deleting them in short order.
This moves the disparate and theoretically-insecure APIs from v1 and r0 into an admin path, including nonce use to prevent replay attacks. This has an accompanying sytest change: matrix-org/sytest#453
richvdh left a comment
generally looks great.
Could we have a doc in docs/admin-api to document the new API?
can we deprecate this for now, rather than remove it, please?
I'm a bit confused as to what's going on here?
Importing the admin APIs loads the media storage providers code, which tries to iterate over this (and you can't iterate over a mock)
can we have a comment to explain what this does?
how do we know it's being reused?
Changed the comment to be a bit more accurate
can we have a comment for this, please? what does it map to and from?
ok, but can we define what it does?
3334d48 to 31f89bb
| Shared-Secret Registration | ||
| ========================== | ||
|
|
||
| This API allows for the creation of users in an administrative and non-interactive way. This is generally used for bootstrapping a Synapse instance with administrator accounts. |
can we wrap at 80 chars please?
| "device_id": "device_id_here" | ||
| } | ||
|
|
||
| The MAC is the hex digest output of the HMAC-SHA1 algorithm, with the key being the shared secret and the content being the nonce, user, password, and either the string "admin" or "notadmin", each separated by NULLs. For an example of generation in Python:: |
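Review bot: The MAC paragraph leaves the exact byte string underspecified, and client and server must hash identical input for the digest to match. Please state the character encoding used for the nonce, user and password, say that the separator is a single NUL byte (0x00) rather than "NULLs", and document what happens when a user name or password itself contains a NUL, since that would make the field boundaries ambiguous. A sentence on why the "admin"/"notadmin" string is part of the MAC input would also help readers see that the flag cannot be changed without the shared secret.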
| """ | ||
| Attributes: | ||
| NONCE_TIMEOUT (int): Seconds until a generated nonce won't be accepted | ||
| nonces (dict): The nonces that we will accept. A dict of nonce to the |
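Review bot: The `nonces` entry in this docstring says which nonces are accepted but not when an entry leaves the dict. Please document whether a nonce is removed on first use and whether entries older than NONCE_TIMEOUT are purged, since replay protection depends on the first and the size of the dict depends on the second. "Seconds until a generated nonce won't be accepted" would also read more precisely as the number of seconds after which a generated nonce is rejected.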
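The scheme this PR describes (an HMAC-SHA1 over NUL-separated fields plus a server-issued nonce to stop replays), as an added sketch that is not code from the PR or from Synapse. The `NonceStore` class, the 60-second timeout, the UTF-8 encoding and the `nonce`/`username`/`password`/`admin`/`mac` body keys are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TIMEOUT = 60  # seconds; value assumed for this sketch


def compute_mac(secret: bytes, nonce: str, user: str, password: str, admin: bool) -> str:
    """Hex HMAC-SHA1 over nonce, user, password, "admin"/"notadmin", NUL-separated."""
    fields = [nonce, user, password, "admin" if admin else "notadmin"]
    parts = [f.encode("utf-8") for f in fields]  # UTF-8 encoding is an assumption
    if any(b"\x00" in p for p in parts):
        # A NUL inside a field would make the field boundaries ambiguous.
        raise ValueError("fields must not contain NUL bytes")
    return hmac.new(secret, b"\x00".join(parts), hashlib.sha1).hexdigest()


class NonceStore:
    """Hypothetical server-side store mapping nonce -> time it was issued."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._issued = {}

    def issue(self) -> str:
        nonce = secrets.token_hex(32)
        self._issued[nonce] = self._clock()
        return nonce

    def consume(self, nonce: str) -> bool:
        """Drop expired nonces, then accept a known nonce exactly once."""
        now = self._clock()
        for old in [n for n, t in self._issued.items() if now - t > NONCE_TIMEOUT]:
            del self._issued[old]
        return self._issued.pop(nonce, None) is not None


def verify_request(store: NonceStore, secret: bytes, body: dict) -> bool:
    """Check the MAC in constant time, then spend the nonce so a replay fails."""
    want = compute_mac(secret, body["nonce"], body["username"],
                       body["password"], body.get("admin", False))
    if not hmac.compare_digest(want.encode(), body["mac"].encode()):
        return False
    return store.consume(body["nonce"])
```
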