riot-web doesn't preserve session id returned by server auth API #8458
Comments
Tested again with riot-web 1.0.8 and this issue is still there.
@turt2live suggested that I pitch in here with a related issue... per the spec, regarding the
... however, Riot immediately fires a POST request at that route with the following body: `{ "auth": {} }` ... despite my HS never returning a 401 at any point in time (as User-Interactive Authentication is not yet implemented at all). The specification is admittedly a bit vague in what exactly "empty" means, but I'd interpret it to mean that the client shouldn't attempt UIA at all unless told to do so by the HS, and thus this would be a violation of that. Related: matrix-org/matrix-spec-proposals#1980

Edit: The section on User-Interactive Authentication is actually much clearer on this, and confirms that Riot does indeed violate the specification:
I cannot reproduce the original issue with User-Interactive Authentication on the
Debug output from my HS implementation, snipped for brevity:

```
## POST /_matrix/client/r0/register
{ query: {},
  params: {},
  host: 'localhost',
  headers:
   [... snipped ...]
  cookies: undefined,
  body:
   { auth: {},
     username: 'joepie91',
     password: 'testtest',
     bind_email: true,
     bind_msisdn: true,
     x_show_msisdn: true } }
Unhandled error: UIARequired: User-Interactive Authentication is required for this endpoint
    [... snipped ...]
  errorMeta:
   { session: '1AGiKTE0eyTMbKRiLjXqH',
     completed: [],
     params: { m: undefined },
     flows: [ { stages: [ 'm.login.dummy' ] } ] } }
## POST /_matrix/client/r0/register
{ query: {},
  params: {},
  host: 'localhost',
  headers:
   [... snipped ...]
  cookies: undefined,
  body:
   { auth: { session: '1AGiKTE0eyTMbKRiLjXqH', type: 'm.login.dummy' },
     username: 'joepie91',
     password: 'testtest',
     bind_email: true,
     bind_msisdn: true,
     x_show_msisdn: true } }
```

The

@njouanin In your output, I can see that both

This suggests that perhaps Riot did not understand the first response to be a UIA response at all (did that response correctly carry a 401 status code?), or it is not familiar with the

Can you try to reproduce with an
Tested again with riot-web 1.1.2. Using

@njouanin there have been recent changes in this area to make it compatible with the Conduit rs homeserver (WIP) - could you please check if it still affects Plasma?

Is there a riot release I can use to test it?

So, it works but maybe riot should use the first session ID, so we can spare 1 API call.

Try riot.im/develop for the latest but the vast majority of the changes are already in Riot 1.6.4

Just tested with 1.6.4, can't see a difference in the registration workflow. Still working with mascarene.

Besides, I have a regression when sending a message to a room.
Description

riot-web seems to not preserve the `session` id returned by the server auth API first call. Because this session is not sent in the next API calls, the server ignores the auth call and replies with a new session. Synapse seems to ignore this, but Plasma does not. See §5.3.2 of the client-server spec:

> This is a session identifier that the client must pass back to the home server, if one is provided, in subsequent attempts to authenticate in the same API call.

Steps to reproduce

1. `register` with `{"auth":{}}`. Response: `{"completed":[],"flows":[{"stages":["m.login.email.identity"]}],"params":{},"session":"Mzg3NWRlMzUtM2VhYS00ZjNhLWJjMmYtYzFiMDM2ZDIyMjEz"}`
2. `register` endpoint with `{"auth":{},"username":"xxxx","password":"xxxxxx","bind_email":true,"bind_msisdn":true,"x_show_msisdn":true}`. The `auth` request doesn't contain the previous `session` attribute, so Plasma ignores the request and replies with a new session: `{"completed":[],"flows":[{"stages":["m.login.email.identity"]}],"params":{},"session":"NDEzOThlZDQtMmYxNS00OTFlLWJkZDAtMWI5MmMzYjEzNTNi"}`

In the previous example, the riot-web request should have contained:

`"auth":{"session": "NDEzOThlZDQtMmYxNS00OTFlLWJkZDAtMWI5MmMzYjEzNTNi"}`

along with the registration data.

Version information
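To make the session-handling failure in the report concrete, here is an added example (not riot-web's, Plasma's or Synapse's code): a constructed strict UIA server that ignores an `auth` object lacking the `session` it handed out and issues a fresh session, driven by a client that either echoes the `session` back or drops it as the report describes. `FakeStrictHomeserver`, `register_client`, the `sess-N` ids and the single `m.login.dummy` flow are assumptions made for this demonstration.

```python
"""Matrix User-Interactive Authentication: why the client must echo the session id.

Constructed example; not riot-web's, Plasma's or Synapse's code. The fake server
mimics the strict behaviour the issue attributes to Plasma.
"""
import itertools

_FLOWS = [{"stages": ["m.login.dummy"]}]  # assumption: one flow, one dummy stage


class FakeStrictHomeserver:
    """Minimal stand-in for a strict UIA server (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session id -> list of completed stages
        self._ids = ("sess-%d" % n for n in itertools.count(1))  # constructed ids

    def register(self, body):
        """Handle POST /_matrix/client/r0/register; returns (status, json_body)."""
        auth = body.get("auth", {})
        session = auth.get("session")
        if session not in self._sessions:
            # No (or unknown) session: ignore any auth data, start a new session.
            session = next(self._ids)
            self._sessions[session] = []
            return 401, {"session": session, "flows": _FLOWS,
                         "completed": [], "params": {}}
        if auth.get("type") == "m.login.dummy":
            self._sessions[session].append("m.login.dummy")
            return 200, {"user_id": "@%s:localhost" % body["username"]}
        return 401, {"session": session, "flows": _FLOWS,
                     "completed": self._sessions[session], "params": {}}


def register_client(server, username, password, keep_session, max_attempts=5):
    """Drive registration; returns (status, body, attempts_used).

    keep_session=False reproduces the reported riot-web behaviour: the stage is
    retried without the session id, so a strict server never links the attempts.
    """
    reg = {"username": username, "password": password}
    auth = {}  # first call carries an empty auth object, as riot-web does
    status, body = None, None
    for attempt in range(1, max_attempts + 1):
        status, body = server.register(dict(reg, auth=auth))
        if status != 401 or "session" not in body:
            return status, body, attempt
        stage = body["flows"][0]["stages"][0]
        auth = {"type": stage}
        if keep_session:
            auth["session"] = body["session"]  # the fix: pass the id back
    return status, body, max_attempts
```
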