Olivier 'reivilibre
fa9ff0c67b
(delint: Is this a less messy rule?)
2025-12-01 11:51:51 +00:00
Olivier 'reivilibre
70f3efc0b8
Remove is_interactive and carry on with login types
2025-12-01 11:47:59 +00:00
Olivier 'reivilibre
d2ac79d4c8
fixup! Introduce compat login policy
2025-11-26 13:48:01 +00:00
Olivier 'reivilibre
f450d0449c
Make policy depend on whether the login is interactive or not
2025-11-25 18:41:14 +00:00
Olivier 'reivilibre
6fdb63b361
Don't apply a session limit when genuinely replacing a session
2025-11-25 18:41:14 +00:00
Olivier 'reivilibre
069b57758b
Introduce compat login policy
2025-11-25 18:41:14 +00:00
Olivier 'reivilibre
c007695e04
(update files after merge)
2025-11-13 15:55:25 +00:00
Olivier 'reivilibre
236de8f071
Merge branch 'main' into rei/policy_driven_session_limit
2025-11-13 15:54:48 +00:00
Quentin Gliech
7d2f85c891
Remove the nullable transform from the policies schemas
2025-11-07 11:11:41 +01:00
Quentin Gliech
56911f25c1
Merge remote-tracking branch 'origin/main' into quenting/schemars-0.9
2025-11-06 17:34:43 +01:00
Olivier 'reivilibre
f599728f21
Add policy violation for too many devices
2025-11-06 10:12:14 +00:00
Olivier 'reivilibre
cb5ea26792
Add session counts to policy input
2025-11-06 10:12:14 +00:00
Olivier 'reivilibre
aeabc9cbf2
Only allow C-S device scopes when the C-S API scope has been requested
It'd be weird for a client to request a device on the client-server API but yet not request any client-server API scopes to use it with.
By adding this restriction, we can then create a partial index on the oauth2_sessions table to quickly identify sessions that have C-S API scopes and use this as a proxy metric for how many sessions may have device scopes.
This in turn makes it feasible to efficiently limit the number of 'devices' a user has, or more precisely: the number of sessions with client-server API access.
We can't do the same for device scopes themselves because, other than nastiness like parsing the JSON stringification of the scope list, it's not feasible to identify device scopes within a Postgres index predicate.
Part of: #4339
2025-10-31 15:17:39 +00:00
Olivier 'reivilibre
f45d9c1291
Update tests to prepare for needing C-S API scope
2025-10-31 15:12:45 +00:00
Olivier 'reivilibre
c8184fd5aa
Drive-by podman Makefile fix
2025-10-31 15:07:29 +00:00
Quentin Gliech
28e573b400
Add a configuration option to make email optional for password registration
2025-10-07 17:28:01 +02:00
Quentin Gliech
2ed3ee08f9
Allow more characters in redirect URI paths (#4975)
2025-09-12 14:51:36 +02:00
Quentin Gliech
9a932e1b60
Fix reference to the regal image
2025-09-12 10:58:55 +02:00
Quentin Gliech
e74061730e
Upgrade OPA and regal to latest versions
2025-09-12 10:52:39 +02:00
Andrew Ferrazzutti
b2d7e2d835
Don't mistakenly invoke a regex range expression
2025-09-03 12:56:21 -04:00
Andrew Ferrazzutti
ac5db76e71
Allow more characters in redirect URI paths
Allow all unreserved characters permitted in URI paths according to
https://www.rfc-editor.org/rfc/rfc3986#section-3.3
2025-09-03 11:29:49 -04:00
Quentin Gliech
4d83fcb25e
Merge remote-tracking branch 'origin/main' into quenting/stable-api
2025-08-04 16:38:49 +02:00
Quentin Gliech
08642e2a3b
Allow the stable scope in the policy
2025-06-13 15:55:22 +02:00
Quentin Gliech
e54664ad6f
Upgrade schemars to 0.9
2025-06-12 15:48:24 +02:00
Quentin Gliech
6421d9d1f5
Add license headers in most files that missed them
2025-06-12 11:01:07 +02:00
Michael Telatynski
44913a94a6
delint
2025-05-28 14:57:51 +01:00
Michael Telatynski
4db990e998
Add tests
2025-05-28 14:53:19 +01:00
Michael Telatynski
1c2ad83838
Fix client_registration URI regex not accepting full query string grammar
2025-05-13 11:28:56 +01:00
Michael Telatynski
97aa4575d0
Move the test
2025-05-08 08:41:26 +01:00
Michael Telatynski
8c6d934cb9
Allow non-default https port
2025-05-08 08:39:37 +01:00
Michael Telatynski
4a875947ef
opa fmt
2025-05-07 18:52:01 +01:00
Michael Telatynski
b0bbc3bae1
Fix MSC2966 compliance around redirect_uri validity
Fixes https://github.com/element-hq/matrix-authentication-service/issues/4528
2025-05-07 18:49:52 +01:00
Quentin Gliech
ee25f5a937
Allow banning/allowing username patterns during registration
2025-03-03 10:31:14 +01:00
Quentin Gliech
430eed25dd
Update OPA and Regal to their latest versions
2025-02-18 11:48:44 +01:00
Quentin Gliech
993342ef58
Match suffixes and prefixes in string constraints
2025-02-17 16:40:10 +01:00
Quentin Gliech
ad4f1eaa78
Built-in support for banning IPs, user agents and email patterns
2025-02-17 15:34:46 +01:00
Quentin Gliech
3a4aba049c
Expose the user agent string to the policy execution context
2025-02-17 11:51:26 +01:00
Quentin Gliech
b1b7bf5725
Allow banning registrations by IP address
2025-02-17 10:18:11 +01:00
Quentin Gliech
fa85d60652
Remove the unused password input schema
2025-02-17 10:17:30 +01:00
Quentin Gliech
a51ab2fb5c
Propagate more specific error messages from the policy on registration
This makes some policy errors translatable
2025-01-06 10:15:08 +01:00
Quentin Gliech
1e3d838c99
Allow longer & shorter usernames, complying with the MXID length spec
2025-01-06 10:15:08 +01:00
Quentin Gliech
1aa7762027
Set up Regal to lint policies and clean them up
2024-12-19 11:08:57 +01:00
Quentin Gliech
0e465f4904
Remove the contacts requirement from the client registration policy
2024-09-20 20:39:04 +02:00
reivilibre
fbd57ad51a
Remove OPA-based password policy enforcement (#2875)
Co-authored-by: Quentin Gliech <quenting@element.io>
2024-07-16 14:33:04 +01:00
Quentin Gliech
f93f6dffc3
Bump OPA
2024-05-07 07:32:02 +02:00
Quentin Gliech
942c05cb1f
Remove the invalid characters OPA policy tests
2024-05-03 16:56:56 +02:00
Quentin Gliech
7998d30ba8
Allow more characters in device IDs
2024-05-03 16:56:56 +02:00
Alex Babel
39f97396a7
Increase allowed username length to 64 in the default policy (#2471)
2024-03-18 10:58:21 +00:00
Quentin Gliech
34ce0f3e37
Move schemars to workspace dependencies
Also enables the `preserve_order` feature, hence the big schema output diff.
2024-03-01 14:36:37 +01:00
Andrew Ferrazzutti
026840d36d
Add Podman support to policies Makefile
2024-02-29 17:50:38 +01:00