From a57dec9c97095b867de126eeb8b5799a24012b17 Mon Sep 17 00:00:00 2001 From: jejo86 <28619134+jejo86@users.noreply.github.com> Date: Fri, 8 Jul 2022 23:14:57 +0200 Subject: [PATCH 1/3] Admin API request explanation improved Pointed out, that the Admin API is not accessible by default from any remote computer, but only from the PC `matrix-synapse` is running on. Added a full, working example, making sure to include the cURL flag `-X`, which needs to be prepended to `GET`, `POST`, `PUT` etc. and listing the full query string including protocol, IP address and port. --- docs/usage/administration/admin_api/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/usage/administration/admin_api/README.md b/docs/usage/administration/admin_api/README.md index 3cbedc5dfa30..8e5dd1c6f3ff 100644 --- a/docs/usage/administration/admin_api/README.md +++ b/docs/usage/administration/admin_api/README.md @@ -18,6 +18,9 @@ already on your `$PATH` depending on how Synapse was installed. Finding your user's `access_token` is client-dependent, but will usually be shown in the client's settings. ## Making an Admin API request +The Admin API (`/_synapse/admin/...`) is by default only accessible from within the host, so be sure to +call the queries from a terminal on the PC `matrix-synapse` is running on. + Once you have your `access_token`, you will need to authenticate each request to an Admin API endpoint by providing the token as either a query parameter or a request header. To add it as a request header in cURL: 
@@ -25,5 +28,12 @@ providing the token as either a query parameter or a request header. To add it a curl --header "Authorization: Bearer " ``` +For example, to query the information regarding the user '@foo:bar.com' call the following command in the terminal +using the access token 'syt_AjfVef2_L33JNpafeif_0feKJfeaf0CQpoZk'. + +```sh +curl --header "Authorization: Bearer syt_AjfVef2_L33JNpafeif_0feKJfeaf0CQpoZk" -X GET http://127.0.0.1:8008/_synapse/admin/v2/users/@foo:bar.com +``` + For more details on access tokens in Matrix, please refer to the complete [matrix spec documentation](https://matrix.org/docs/spec/client_server/r0.6.1#using-access-tokens). From 47126577d29f5dc03c11bf8e55c134d05a9d442a Mon Sep 17 00:00:00 2001 From: jejo86 <28619134+jejo86@users.noreply.github.com> Date: Fri, 8 Jul 2022 23:24:40 +0200 Subject: [PATCH 2/3] Admin API request explanation improved --- changelog.d/13231.doc | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 changelog.d/13231.doc diff --git a/changelog.d/13231.doc b/changelog.d/13231.doc new file mode 100644 index 000000000000..41db13bfb9f0 --- /dev/null +++ b/changelog.d/13231.doc @@ -0,0 +1,2 @@ +Pointed out, that the Admin API is not accessible by default from any remote computer, but only from the PC `matrix-synapse` is running on. +Added a full, working example, making sure to include the cURL flag `-X`, which needs to be prepended to `GET`, `POST`, `PUT` etc. and listing the full query string including protocol, IP address and port. From 7d513925680b475f503a2e22d0b0e1226f77a7d0 Mon Sep 17 00:00:00 2001 From: David Robertson Date: Tue, 12 Jul 2022 16:08:05 +0100 Subject: [PATCH 3/3] Apply suggestions from code review Update changelog. Reword prose. --- changelog.d/13231.doc | 3 +-- docs/usage/administration/admin_api/README.md | 15 +++++++++++---- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/changelog.d/13231.doc b/changelog.d/13231.doc index 41db13bfb9f0..e750f9da499a 100644 
--- a/changelog.d/13231.doc +++ b/changelog.d/13231.doc @@ -1,2 +1 @@ -Pointed out, that the Admin API is not accessible by default from any remote computer, but only from the PC `matrix-synapse` is running on. -Added a full, working example, making sure to include the cURL flag `-X`, which needs to be prepended to `GET`, `POST`, `PUT` etc. and listing the full query string including protocol, IP address and port. +Provide an example of using the Admin API. Contributed by @jejo86. diff --git a/docs/usage/administration/admin_api/README.md b/docs/usage/administration/admin_api/README.md index 8e5dd1c6f3ff..c60b6da0de6f 100644 --- a/docs/usage/administration/admin_api/README.md +++ b/docs/usage/administration/admin_api/README.md @@ -18,8 +18,10 @@ already on your `$PATH` depending on how Synapse was installed. Finding your user's `access_token` is client-dependent, but will usually be shown in the client's settings. ## Making an Admin API request -The Admin API (`/_synapse/admin/...`) is by default only accessible from within the host, so be sure to -call the queries from a terminal on the PC `matrix-synapse` is running on. +For security reasons, we [recommend](reverse_proxy.md#synapse-administration-endpoints) +that the Admin API (`/_synapse/admin/...`) should be hidden from public view using a +reverse proxy. This means you should typically query the Admin API from a terminal on +the machine which runs Synapse. Once you have your `access_token`, you will need to authenticate each request to an Admin API endpoint by providing the token as either a query parameter or a request header. To add it as a request header in cURL: 
@@ -28,8 +30,13 @@ providing the token as either a query parameter or a request header. To add it a curl --header "Authorization: Bearer " ``` -For example, to query the information regarding the user '@foo:bar.com' call the following command in the terminal -using the access token 'syt_AjfVef2_L33JNpafeif_0feKJfeaf0CQpoZk'. +For example, suppose we want to +[query the account](user_admin_api.md#query-user-account) of the user +`@foo:bar.com`. We need an admin access token (e.g. +`syt_AjfVef2_L33JNpafeif_0feKJfeaf0CQpoZk`), and we need to know which port +Synapse's [`client` listener](config_documentation.md#listeners) is listening +on (e.g. `8008`). Then we can use the following command to request the account +information from the Admin API. ```sh curl --header "Authorization: Bearer syt_AjfVef2_L33JNpafeif_0feKJfeaf0CQpoZk" -X GET http://127.0.0.1:8008/_synapse/admin/v2/users/@foo:bar.com
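
Review bot: In PATCH 1/3, README hunk `@@ -18,6 +18,9 @@`, the sentence added under "## Making an Admin API request" says the Admin API "is by default only accessible from within the host", which states as a built-in default something the rest of this series treats as a deployment choice. PATCH 3/3 rewords it as a recommendation to hide `/_synapse/admin/...` behind a reverse proxy; the first patch should say that from the start and link to the reverse proxy page. "The PC `matrix-synapse` is running on" would also read better as "the machine which runs Synapse".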
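
Review bot: In PATCH 1/3, README hunk `@@ -25,5 +28,12 @@`, the added curl line puts a realistic-looking admin token (`syt_AjfVef2_...`) straight on the command line, and readers will copy that pattern, leaving a server-admin credential in shell history and in the process list. Use an obvious placeholder for the token and suggest supplying it from a variable (for example `"Authorization: Bearer $TOKEN"`, with `TOKEN` as an illustrative name). `-X GET` is also redundant because curl sends GET when no method is given; the flag only matters for `POST`, `PUT` and similar, so the commit message's claim that it "needs to be prepended to `GET`" should be dropped. Quoting the URL would keep the example safe to paste for user IDs containing shell-special characters.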
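
Review bot: In PATCH 2/3, the new `changelog.d/13231.doc` holds two long sentences copied from the commit message, describing how the docs were edited rather than what changed for the reader. A changelog entry should be a single short line; PATCH 3/3 replaces it with "Provide an example of using the Admin API. Contributed by @jejo86.", so squash the two so the long form never lands in history.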
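
Review bot: In PATCH 3/3, README hunk `@@ -18,8 +18,10 @@`, the new link target `reverse_proxy.md#synapse-administration-endpoints` is a bare filename, but this file lives in `docs/usage/administration/admin_api/`, so please confirm the link resolves from that directory in the built docs; the same check applies to `user_admin_api.md` and `config_documentation.md` in the following hunk. Minor wording: "we recommend that the Admin API ... should be hidden" doubles the modal, and "recommend that the Admin API ... be hidden" is enough.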
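
Review bot: In PATCH 3/3, README hunk `@@ -28,8 +30,13 @@`, the reworded paragraph explains where the token and the port (`8008`) come from but not the host part of `http://127.0.0.1:8008`. Add a clause saying the request goes to the loopback address because it is issued on the machine which runs Synapse, so the example connects back to the reverse-proxy paragraph above it. The paragraph now correctly says an admin access token is required, which makes it more important that the example value be an unmistakable placeholder rather than a token-shaped string.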