NOTE: This feature is beta: it is considered stable enough for production but is incomplete and may contain bugs.
Registration is an enhanced feature of ma1sd to control registrations involving 3PIDs on a Homeserver based on policies:
- Match pending 3PID invites on the server
- Match 3PID pattern, like a specific set of domains for emails
- In further releases, use 3PIDs found in Identity stores
It aims to help open or invite-only registration servers control what is possible to do and ensure only approved people can register on a given server in a implementation-agnostic manner.
IMPORTANT: This feature does not control registration in general. It only acts on endpoints related to 3PIDs during
the registration process.
As such, it relies on the homeserver to require 3PIDs with the registration flows.
This feature is not part of the Matrix Identity Server spec.
ma1sd needs to be integrated at several levels for this feature to work:
- Reverse proxy: intercept the 3PID register endpoints and act on them
- Homeserver: require 3PID to be part of the registration data
Later version(s) of this feature may directly control registration itself to create a coherent experience
location ~* ^/_matrix/client/r0/register/[^/]+/requestToken$ {
proxy_pass http://localhost:8090;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
TBC
enable_registration: true
registrations_require_3pid:
- email
See the Configuration introduction doc on how to read the configuration keys.
An example of working configuration is available at the end of this section.
register.allowed
, taking a boolean, can be used to enable/disable registration if the attempt is not 3PID-based.
false
is the default value to prevent open registration, as you must allow it on the homeserver side.
register.invite
, taking a boolean, controls if registration can be made using a 3PID which matches a pending 3PID invite.
true
is the default value.
At this time, only email
is supported with 3PID specific configuration with this feature.
Base key: register.threepid.email
If you would like to control which domains are allowed to be used when registering with an email, the following sub-keys are available:
domain.whitelist
domain.blacklist
The value format is an hybrid between glob patterns and postfix configuration files with the following syntax:
*<domain>
will match the domain and any sub-domain(s).<domain>
will only match sub-domain(s)<domain>
will only match the exact domain
The following table illustrates pattern and matching status against example values:
Config value | Matches example.org |
Matches sub.example.org |
---|---|---|
*example.org |
Yes | Yes |
.example.org |
No | Yes |
example.org |
Yes | No |
For the following example configuration:
register:
policy:
threepid:
email:
domain:
whitelist:
- '*example.org'
- '.example.net'
- 'example.com'
- Users can register using 3PIDs of pending invites, being allowed by default.
- Users can register using an email from
example.org
and any sub-domain, only sub-domains ofexample.net
andexample.com
but not its sub-domains. - Otherwise, user registration will be denied.
Nothing special is needed. Register using a regular Matrix client.