
Commit 05c7b71

committed
feat: Optionally require S2S auth for the server /version endpoint
Adds a new boolean setting, `require_auth_for_server_version`, to the root level of the YAML configuration; it defaults to `False`.
1 parent 5c7d973 commit 05c7b71


3 files changed

+41
-0
lines changed


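--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -409,6 +409,12 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
 "require_auth_for_profile_requests", False
 )
 
+# Whether to require federation(server) authentication for the server /version
+# endpoint.
+self.require_auth_for_server_version = config.get(
+"require_auth_for_server_version", False
+)
+
 # Whether to require sharing a room with a user to retrieve their
 # profile data
 self.limit_profile_requests_to_users_who_share_rooms = config.get(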
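Review bot: The new `require_auth_for_server_version` value is stored straight from `config.get(...)` with no type check, so any truthy YAML value (for example the quoted string `"false"`) would switch authentication on for /version. Because this flag drives an access-control decision, consider rejecting non-boolean values at load time, e.g. `if not isinstance(self.require_auth_for_server_version, bool): raise ConfigError("require_auth_for_server_version must be a boolean")`, assuming `ConfigError` is in scope in this file. The neighbouring `require_auth_for_profile_requests` read in the context lines follows the same unchecked pattern, so this may be a file-wide convention. None of the three changed files is operator-facing documentation, which a security setting should have. `read_config` starts and ends outside the hunk.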

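--- a/synapse/federation/transport/server/federation.py
+++ b/synapse/federation/transport/server/federation.py
@@ -678,6 +678,18 @@ class FederationVersionServlet(BaseFederationServlet):
 
 REQUIRE_AUTH = False
 
+def __init__(
+self,
+hs: "HomeServer",
+authenticator: Authenticator,
+ratelimiter: FederationRateLimiter,
+server_name: str,
+):
+# Enable auth on the /version endpoint if enabled. Not sure how many
+# ramifications this will end up having.
+self.REQUIRE_AUTH = hs.config.server.require_auth_for_server_version
+super().__init__(hs, authenticator, ratelimiter, server_name)
+
 async def on_GET(
 self,
 origin: Optional[str],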
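Review bot: The comment in the added `__init__` records uncertainty ("Not sure how many ramifications…") instead of the behaviour an operator or maintainer needs to know. Assigning `self.REQUIRE_AUTH` shadows the class-level `REQUIRE_AUTH = False` per instance, which only takes effect if the base class reads the flag through `self`; that is presumably the case, but `BaseFederationServlet` is outside the hunk. I would replace the comment with `# Per-instance override of the class default: when require_auth_for_server_version is set, /version accepts only signed federation requests and unsigned callers (monitoring, federation testers) get 401.` It is also worth noting that any server able to sign a federation request can still read the version, so the option limits anonymous fingerprinting rather than disclosure to federation peers. The class body continues outside the hunk.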
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
from synapse.types import JsonDict
2+
3+
from tests import unittest
4+
5+
6+
class TestAuthenticatedFederationVersionEndpoint(unittest.FederatingHomeserverTestCase):
7+
def default_config(self) -> JsonDict:
8+
config = super().default_config()
9+
config.update({"require_auth_for_server_version": True})
10+
return config
11+
12+
def test_endpoint(self) -> None:
13+
# Un-authed requests to endpoints that require them return a 401
14+
channel = self.make_request(
15+
"GET", "/_matrix/federation/v1/version", shorthand=False
16+
)
17+
assert channel.code == 401, channel
18+
19+
# Authing the request works as expected
20+
channel = self.make_signed_federation_request(
21+
"GET", "/_matrix/federation/v1/version"
22+
)
23+
assert channel.code == 200, channel
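Review bot: Only the enabled case is tested; nothing pins the default (`require_auth_for_server_version` unset), where an unsigned GET to `/_matrix/federation/v1/version` should still return 200, and that is the behaviour existing deployments depend on. A second test case without the `default_config` override would cover it. The bare `assert channel.code == 401, channel` statements are stripped under `python -O` and give weaker failure output than the unittest helpers; `self.assertEqual(channel.code, 401, channel)` would be the usual form.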
