Add a config option to specify which homeservers can access Sydent #566
Doesn't this rely on us turning off the v1 api (#338), which doesn't require an access token?

There's already a config for turning that off, which I believe we can use in the use case where we're interested in restricting by HS. Though we might want to error if you enable this option without disabling v1?

So the only config option I found referring to turning off the V1 API was this: sydent/sydent/config/__init__.py Lines 54 to 55 in c9980a9
but it only governs one endpoint it seems (albeit an important one): sydent/sydent/http/httpserver.py Lines 129 to 130 in c9980a9
Is this Good Enough:tm: or should I add a config option to turn off the rest of the V1 API endpoints?

Oh, hmm. Yeah, we probably want to be able to disable all of it. Or maybe we can make specifying the homeserver config automagically disable API access if you're not authorized (i.e. disabling v1 API), but I'm not sure I like that.

0fd6e6a to 994e528

Merged #566 into main.

This PR adds a config option `homeserver_allow_list` which enables a user to specify a list of homeservers which Sydent will work with. The option defaults to allow all homeservers if not set. It works by disabling registration unless the homeserver associated with the registration request is in the `homeserver_allow_list`. The thinking behind this is that without registration an access token cannot be granted - and access tokens are necessary for most functions of Sydent. Fixes #565.
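
The gate described above, together with the start-up check raised in the conversation, as an added sketch that is not Sydent's code. Only `homeserver_allow_list` comes from the PR; the comma-separated format, the name normalisation and the `v1_enabled` flag are assumptions of this example.

```python
# Added illustration, not Sydent's code. Only `homeserver_allow_list` comes from
# the PR; the comma-separated format, the normalisation and `v1_enabled` are
# assumptions of this example.
from typing import FrozenSet


class ConfigError(Exception):
    """Raised when the access-control settings contradict each other."""


def normalise(server_name: str) -> str:
    # Assumption: names are compared as lower-cased, trimmed host[:port] strings.
    return server_name.strip().lower()


def load_allow_list(raw: str, v1_enabled: bool) -> FrozenSet[str]:
    """Parse the option; an empty result means every homeserver is allowed."""
    names = frozenset(normalise(n) for n in raw.split(",") if n.strip())
    if names and v1_enabled:
        # v1 endpoints need no access token, so gating registration alone
        # would not restrict them. Fail closed at start-up.
        raise ConfigError("homeserver_allow_list is set but the v1 API is still enabled")
    return names


def may_register(allow_list: FrozenSet[str], homeserver: str) -> bool:
    """Decide whether a registration request from `homeserver` may proceed.

    `homeserver` must be the name already verified during registration,
    never a value taken unchecked from the request body.
    """
    if not allow_list:          # option unset: default is allow all
        return True
    # Exact match only: no suffix or substring matching.
    return normalise(homeserver) in allow_list


if __name__ == "__main__":
    # Constructed sample values.
    allowed = load_allow_list("matrix.example.org, hs.example.net:8448", v1_enabled=False)
    for hs in ("Matrix.Example.org", "hs.example.net", "matrix.example.org.other.example"):
        print(hs, "->", "register" if may_register(allowed, hs) else "reject")
```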