Add Playwright tests for OIDC-aware & OIDC-native (#12252)
* Resolve race condition between opening settings & well-known check in OIDC mode Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Add OIDC-aware and OIDC-native tests using MAS Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --------- Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
This commit is contained in:
parent
6e73d6579e
commit
36a8d503df
14 changed files with 798 additions and 9 deletions
|
@ -85,7 +85,7 @@ to be left with some stray containers if, for example, you terminate a test such
|
||||||
that the `after()` does not run and also exit Playwright uncleanly. All the containers
|
that the `after()` does not run and also exit Playwright uncleanly. All the containers
|
||||||
it starts are prefixed, so they are easy to recognise. They can be removed safely.
|
it starts are prefixed, so they are easy to recognise. They can be removed safely.
|
||||||
|
|
||||||
After each test run, logs from the Synapse instances are saved in `playwright/synapselogs`
|
After each test run, logs from the Synapse instances are saved in `playwright/logs/synapse`
|
||||||
with each instance in a separate directory named after its ID. These logs are removed
|
with each instance in a separate directory named after its ID. These logs are removed
|
||||||
at the start of each test run.
|
at the start of each test run.
|
||||||
|
|
||||||
|
|
2
playwright/.gitignore
vendored
2
playwright/.gitignore
vendored
|
@ -1,6 +1,6 @@
|
||||||
/test-results/
|
/test-results/
|
||||||
/html-report/
|
/html-report/
|
||||||
/synapselogs/
|
/logs/
|
||||||
# Only commit snapshots from Linux
|
# Only commit snapshots from Linux
|
||||||
/snapshots/**/*.png
|
/snapshots/**/*.png
|
||||||
!/snapshots/**/*-linux.png
|
!/snapshots/**/*-linux.png
|
||||||
|
|
104
playwright/e2e/oidc/index.ts
Normal file
104
playwright/e2e/oidc/index.ts
Normal file
|
@ -0,0 +1,104 @@
|
||||||
|
/*
|
||||||
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import { API, Messages } from "mailhog";
|
||||||
|
import { Page } from "@playwright/test";
|
||||||
|
|
||||||
|
import { test as base, expect } from "../../element-web-test";
|
||||||
|
import { MatrixAuthenticationService } from "../../plugins/matrix-authentication-service";
|
||||||
|
import { StartHomeserverOpts } from "../../plugins/homeserver";
|
||||||
|
|
||||||
|
export const test = base.extend<{
|
||||||
|
masPrepare: MatrixAuthenticationService;
|
||||||
|
mas: MatrixAuthenticationService;
|
||||||
|
}>({
|
||||||
|
// There's a bit of a chicken and egg problem between MAS & Synapse where they each need to know how to reach each other
|
||||||
|
// so spinning up a MAS is split into the prepare & start stage: prepare mas -> homeserver -> start mas to disentangle this.
|
||||||
|
masPrepare: async ({ context }, use) => {
|
||||||
|
const mas = new MatrixAuthenticationService(context);
|
||||||
|
await mas.prepare();
|
||||||
|
await use(mas);
|
||||||
|
},
|
||||||
|
mas: [
|
||||||
|
async ({ masPrepare: mas, homeserver, mailhog }, use, testInfo) => {
|
||||||
|
await mas.start(homeserver, mailhog.instance);
|
||||||
|
await use(mas);
|
||||||
|
await mas.stop(testInfo);
|
||||||
|
},
|
||||||
|
{ auto: true },
|
||||||
|
],
|
||||||
|
startHomeserverOpts: async ({ masPrepare }, use) => {
|
||||||
|
await use({
|
||||||
|
template: "mas-oidc",
|
||||||
|
variables: {
|
||||||
|
MAS_PORT: masPrepare.port,
|
||||||
|
},
|
||||||
|
});
|
||||||
|
},
|
||||||
|
config: async ({ homeserver, startHomeserverOpts, context }, use) => {
|
||||||
|
const issuer = `http://localhost:${(startHomeserverOpts as StartHomeserverOpts).variables["MAS_PORT"]}/`;
|
||||||
|
const wellKnown = {
|
||||||
|
"m.homeserver": {
|
||||||
|
base_url: homeserver.config.baseUrl,
|
||||||
|
},
|
||||||
|
"org.matrix.msc2965.authentication": {
|
||||||
|
issuer,
|
||||||
|
account: `${issuer}account`,
|
||||||
|
},
|
||||||
|
};
|
||||||
|
|
||||||
|
// Ensure org.matrix.msc2965.authentication is in well-known
|
||||||
|
await context.route("https://localhost/.well-known/matrix/client", async (route) => {
|
||||||
|
await route.fulfill({ json: wellKnown });
|
||||||
|
});
|
||||||
|
|
||||||
|
await use({
|
||||||
|
default_server_config: wellKnown,
|
||||||
|
});
|
||||||
|
},
|
||||||
|
});
|
||||||
|
|
||||||
|
export { expect };
|
||||||
|
|
||||||
|
export async function registerAccountMas(
|
||||||
|
page: Page,
|
||||||
|
mailhog: API,
|
||||||
|
username: string,
|
||||||
|
email: string,
|
||||||
|
password: string,
|
||||||
|
): Promise<void> {
|
||||||
|
await expect(page.getByText("Please sign in to continue:")).toBeVisible();
|
||||||
|
|
||||||
|
await page.getByRole("link", { name: "Create Account" }).click();
|
||||||
|
await page.getByRole("textbox", { name: "Username" }).fill(username);
|
||||||
|
await page.getByRole("textbox", { name: "Email address" }).fill(email);
|
||||||
|
await page.getByRole("textbox", { name: "Password", exact: true }).fill(password);
|
||||||
|
await page.getByRole("textbox", { name: "Confirm Password" }).fill(password);
|
||||||
|
await page.getByRole("button", { name: "Continue" }).click();
|
||||||
|
|
||||||
|
let messages: Messages;
|
||||||
|
await expect(async () => {
|
||||||
|
messages = await mailhog.messages();
|
||||||
|
expect(messages.items).toHaveLength(1);
|
||||||
|
}).toPass();
|
||||||
|
expect(messages.items[0].to).toEqual(`${username} <${email}>`);
|
||||||
|
const [code] = messages.items[0].text.match(/(\d{6})/);
|
||||||
|
|
||||||
|
await page.getByRole("textbox", { name: "6-digit code" }).fill(code);
|
||||||
|
await page.getByRole("button", { name: "Continue" }).click();
|
||||||
|
await expect(page.getByText("Allow access to your account?")).toBeVisible();
|
||||||
|
await page.getByRole("button", { name: "Continue" }).click();
|
||||||
|
}
|
42
playwright/e2e/oidc/oidc-aware.spec.ts
Normal file
42
playwright/e2e/oidc/oidc-aware.spec.ts
Normal file
|
@ -0,0 +1,42 @@
|
||||||
|
/*
|
||||||
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import { test, expect, registerAccountMas } from ".";
|
||||||
|
import { isDendrite } from "../../plugins/homeserver/dendrite";
|
||||||
|
|
||||||
|
test.describe("OIDC Aware", () => {
|
||||||
|
test.skip(isDendrite, "does not yet support MAS");
|
||||||
|
test.slow(); // trace recording takes a while here
|
||||||
|
|
||||||
|
test("can register an account and manage it", async ({ context, page, homeserver, mailhog, app }) => {
|
||||||
|
await page.goto("/#/login");
|
||||||
|
await page.getByRole("button", { name: "Continue" }).click();
|
||||||
|
await registerAccountMas(page, mailhog.api, "alice", "alice@email.com", "Pa$sW0rD!");
|
||||||
|
|
||||||
|
// Eventually, we should end up at the home screen.
|
||||||
|
await expect(page).toHaveURL(/\/#\/home$/, { timeout: 10000 });
|
||||||
|
await expect(page.getByRole("heading", { name: "Welcome alice", exact: true })).toBeVisible();
|
||||||
|
|
||||||
|
// Open settings and navigate to account management
|
||||||
|
await app.settings.openUserSettings("General");
|
||||||
|
const newPagePromise = context.waitForEvent("page");
|
||||||
|
await page.getByRole("button", { name: "Manage account" }).click();
|
||||||
|
|
||||||
|
// Assert new tab opened
|
||||||
|
const newPage = await newPagePromise;
|
||||||
|
await expect(newPage.getByText("Primary email")).toBeVisible();
|
||||||
|
});
|
||||||
|
});
|
74
playwright/e2e/oidc/oidc-native.spec.ts
Normal file
74
playwright/e2e/oidc/oidc-native.spec.ts
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
/*
|
||||||
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import { test, expect, registerAccountMas } from ".";
|
||||||
|
import { isDendrite } from "../../plugins/homeserver/dendrite";
|
||||||
|
|
||||||
|
test.describe("OIDC Native", () => {
|
||||||
|
test.skip(isDendrite, "does not yet support MAS");
|
||||||
|
test.slow(); // trace recording takes a while here
|
||||||
|
|
||||||
|
test.use({
|
||||||
|
labsFlags: ["feature_oidc_native_flow"],
|
||||||
|
});
|
||||||
|
|
||||||
|
test("can register the oauth2 client and an account", async ({ context, page, homeserver, mailhog, app, mas }) => {
|
||||||
|
const tokenUri = `http://localhost:${mas.port}/oauth2/token`;
|
||||||
|
const tokenApiPromise = page.waitForRequest(
|
||||||
|
(request) => request.url() === tokenUri && request.postDataJSON()["grant_type"] === "authorization_code",
|
||||||
|
);
|
||||||
|
|
||||||
|
await page.goto("/#/login");
|
||||||
|
await page.getByRole("button", { name: "Continue" }).click();
|
||||||
|
await registerAccountMas(page, mailhog.api, "alice", "alice@email.com", "Pa$sW0rD!");
|
||||||
|
|
||||||
|
// Eventually, we should end up at the home screen.
|
||||||
|
await expect(page).toHaveURL(/\/#\/home$/, { timeout: 10000 });
|
||||||
|
await expect(page.getByRole("heading", { name: "Welcome alice", exact: true })).toBeVisible();
|
||||||
|
|
||||||
|
const tokenApiRequest = await tokenApiPromise;
|
||||||
|
expect(tokenApiRequest.postDataJSON()["grant_type"]).toBe("authorization_code");
|
||||||
|
|
||||||
|
const deviceId = await page.evaluate<string>(() => window.localStorage.mx_device_id);
|
||||||
|
|
||||||
|
await app.settings.openUserSettings("General");
|
||||||
|
const newPagePromise = context.waitForEvent("page");
|
||||||
|
await page.getByRole("button", { name: "Manage account" }).click();
|
||||||
|
await app.settings.closeDialog();
|
||||||
|
|
||||||
|
// Assert MAS sees the session as OIDC Native
|
||||||
|
const newPage = await newPagePromise;
|
||||||
|
await newPage.getByText("Sessions").click();
|
||||||
|
await newPage.getByText(deviceId).click();
|
||||||
|
await expect(newPage.getByText("Element")).toBeVisible();
|
||||||
|
await expect(newPage.getByText("oauth2_session:")).toBeVisible();
|
||||||
|
await expect(newPage.getByText("http://localhost:8080/")).toBeVisible();
|
||||||
|
await newPage.close();
|
||||||
|
|
||||||
|
// Assert logging out revokes both tokens
|
||||||
|
const revokeUri = `http://localhost:${mas.port}/oauth2/revoke`;
|
||||||
|
const revokeAccessTokenPromise = page.waitForRequest(
|
||||||
|
(request) => request.url() === revokeUri && request.postDataJSON()["token_type_hint"] === "access_token",
|
||||||
|
);
|
||||||
|
const revokeRefreshTokenPromise = page.waitForRequest(
|
||||||
|
(request) => request.url() === revokeUri && request.postDataJSON()["token_type_hint"] === "refresh_token",
|
||||||
|
);
|
||||||
|
const locator = await app.settings.openUserMenu();
|
||||||
|
await locator.getByRole("menuitem", { name: "Sign out", exact: true }).click();
|
||||||
|
await revokeAccessTokenPromise;
|
||||||
|
await revokeRefreshTokenPromise;
|
||||||
|
});
|
||||||
|
});
|
|
@ -134,7 +134,7 @@ export class Synapse implements Homeserver, HomeserverInstance {
|
||||||
public async stop(): Promise<string[]> {
|
public async stop(): Promise<string[]> {
|
||||||
if (!this.config) throw new Error("Missing existing synapse instance, did you call stop() before start()?");
|
if (!this.config) throw new Error("Missing existing synapse instance, did you call stop() before start()?");
|
||||||
const id = this.config.serverId;
|
const id = this.config.serverId;
|
||||||
const synapseLogsPath = path.join("playwright", "synapselogs", id);
|
const synapseLogsPath = path.join("playwright", "logs", "synapse", id);
|
||||||
await fse.ensureDir(synapseLogsPath);
|
await fse.ensureDir(synapseLogsPath);
|
||||||
await this.docker.persistLogsToFile({
|
await this.docker.persistLogsToFile({
|
||||||
stdoutFile: path.join(synapseLogsPath, "stdout.log"),
|
stdoutFile: path.join(synapseLogsPath, "stdout.log"),
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
A synapse configured with auth delegated to via matrix authentication service
|
|
@ -0,0 +1,194 @@
|
||||||
|
server_name: "localhost"
|
||||||
|
pid_file: /data/homeserver.pid
|
||||||
|
public_baseurl: "{{PUBLIC_BASEURL}}"
|
||||||
|
listeners:
|
||||||
|
- port: 8008
|
||||||
|
tls: false
|
||||||
|
bind_addresses: ["::"]
|
||||||
|
type: http
|
||||||
|
x_forwarded: true
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- names: [client]
|
||||||
|
compress: false
|
||||||
|
|
||||||
|
database:
|
||||||
|
name: "sqlite3"
|
||||||
|
args:
|
||||||
|
database: ":memory:"
|
||||||
|
|
||||||
|
log_config: "/data/log.config"
|
||||||
|
|
||||||
|
rc_messages_per_second: 10000
|
||||||
|
rc_message_burst_count: 10000
|
||||||
|
rc_registration:
|
||||||
|
per_second: 10000
|
||||||
|
burst_count: 10000
|
||||||
|
rc_joins:
|
||||||
|
local:
|
||||||
|
per_second: 9999
|
||||||
|
burst_count: 9999
|
||||||
|
remote:
|
||||||
|
per_second: 9999
|
||||||
|
burst_count: 9999
|
||||||
|
rc_joins_per_room:
|
||||||
|
per_second: 9999
|
||||||
|
burst_count: 9999
|
||||||
|
rc_3pid_validation:
|
||||||
|
per_second: 1000
|
||||||
|
burst_count: 1000
|
||||||
|
|
||||||
|
rc_invites:
|
||||||
|
per_room:
|
||||||
|
per_second: 1000
|
||||||
|
burst_count: 1000
|
||||||
|
per_user:
|
||||||
|
per_second: 1000
|
||||||
|
burst_count: 1000
|
||||||
|
|
||||||
|
rc_login:
|
||||||
|
address:
|
||||||
|
per_second: 10000
|
||||||
|
burst_count: 10000
|
||||||
|
account:
|
||||||
|
per_second: 10000
|
||||||
|
burst_count: 10000
|
||||||
|
failed_attempts:
|
||||||
|
per_second: 10000
|
||||||
|
burst_count: 10000
|
||||||
|
|
||||||
|
media_store_path: "/data/media_store"
|
||||||
|
uploads_path: "/data/uploads"
|
||||||
|
registration_shared_secret: "{{REGISTRATION_SECRET}}"
|
||||||
|
report_stats: false
|
||||||
|
macaroon_secret_key: "{{MACAROON_SECRET_KEY}}"
|
||||||
|
form_secret: "{{FORM_SECRET}}"
|
||||||
|
signing_key_path: "/data/localhost.signing.key"
|
||||||
|
|
||||||
|
trusted_key_servers:
|
||||||
|
- server_name: "matrix.org"
|
||||||
|
suppress_key_server_warning: true
|
||||||
|
|
||||||
|
ui_auth:
|
||||||
|
session_timeout: "300s"
|
||||||
|
|
||||||
|
# Inhibit background updates as this Synapse isn't long-lived
|
||||||
|
background_updates:
|
||||||
|
min_batch_size: 100000
|
||||||
|
sleep_duration_ms: 100000
|
||||||
|
|
||||||
|
serve_server_wellknown: true
|
||||||
|
experimental_features:
|
||||||
|
msc3861:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
issuer: http://localhost:%MAS_PORT%/
|
||||||
|
# We have to bake in the metadata here as we need to override `introspection_endpoint`
|
||||||
|
issuer_metadata: {
|
||||||
|
"issuer": "http://localhost:%MAS_PORT%/",
|
||||||
|
"authorization_endpoint": "http://localhost:%MAS_PORT%/authorize",
|
||||||
|
"token_endpoint": "http://localhost:%MAS_PORT%/oauth2/token",
|
||||||
|
"jwks_uri": "http://localhost:%MAS_PORT%/oauth2/keys.json",
|
||||||
|
"registration_endpoint": "http://localhost:%MAS_PORT%/oauth2/registration",
|
||||||
|
"scopes_supported": ["openid", "email"],
|
||||||
|
"response_types_supported": ["code", "id_token", "code id_token"],
|
||||||
|
"response_modes_supported": ["form_post", "query", "fragment"],
|
||||||
|
"grant_types_supported":
|
||||||
|
[
|
||||||
|
"authorization_code",
|
||||||
|
"refresh_token",
|
||||||
|
"client_credentials",
|
||||||
|
"urn:ietf:params:oauth:grant-type:device_code",
|
||||||
|
],
|
||||||
|
"token_endpoint_auth_methods_supported":
|
||||||
|
["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
|
||||||
|
"token_endpoint_auth_signing_alg_values_supported":
|
||||||
|
[
|
||||||
|
"HS256",
|
||||||
|
"HS384",
|
||||||
|
"HS512",
|
||||||
|
"RS256",
|
||||||
|
"RS384",
|
||||||
|
"RS512",
|
||||||
|
"PS256",
|
||||||
|
"PS384",
|
||||||
|
"PS512",
|
||||||
|
"ES256",
|
||||||
|
"ES384",
|
||||||
|
"ES256K",
|
||||||
|
],
|
||||||
|
"revocation_endpoint": "http://localhost:%MAS_PORT%/oauth2/revoke",
|
||||||
|
"revocation_endpoint_auth_methods_supported":
|
||||||
|
["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
|
||||||
|
"revocation_endpoint_auth_signing_alg_values_supported":
|
||||||
|
[
|
||||||
|
"HS256",
|
||||||
|
"HS384",
|
||||||
|
"HS512",
|
||||||
|
"RS256",
|
||||||
|
"RS384",
|
||||||
|
"RS512",
|
||||||
|
"PS256",
|
||||||
|
"PS384",
|
||||||
|
"PS512",
|
||||||
|
"ES256",
|
||||||
|
"ES384",
|
||||||
|
"ES256K",
|
||||||
|
],
|
||||||
|
# This is the only changed value
|
||||||
|
"introspection_endpoint": "http://host.containers.internal:%MAS_PORT%/oauth2/introspect",
|
||||||
|
"introspection_endpoint_auth_methods_supported":
|
||||||
|
["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
|
||||||
|
"introspection_endpoint_auth_signing_alg_values_supported":
|
||||||
|
[
|
||||||
|
"HS256",
|
||||||
|
"HS384",
|
||||||
|
"HS512",
|
||||||
|
"RS256",
|
||||||
|
"RS384",
|
||||||
|
"RS512",
|
||||||
|
"PS256",
|
||||||
|
"PS384",
|
||||||
|
"PS512",
|
||||||
|
"ES256",
|
||||||
|
"ES384",
|
||||||
|
"ES256K",
|
||||||
|
],
|
||||||
|
"code_challenge_methods_supported": ["plain", "S256"],
|
||||||
|
"userinfo_endpoint": "http://localhost:%MAS_PORT%/oauth2/userinfo",
|
||||||
|
"subject_types_supported": ["public"],
|
||||||
|
"id_token_signing_alg_values_supported":
|
||||||
|
["RS256", "RS384", "RS512", "ES256", "ES384", "PS256", "PS384", "PS512", "ES256K"],
|
||||||
|
"userinfo_signing_alg_values_supported":
|
||||||
|
["RS256", "RS384", "RS512", "ES256", "ES384", "PS256", "PS384", "PS512", "ES256K"],
|
||||||
|
"display_values_supported": ["page"],
|
||||||
|
"claim_types_supported": ["normal"],
|
||||||
|
"claims_supported": ["iss", "sub", "aud", "iat", "exp", "nonce", "auth_time", "at_hash", "c_hash"],
|
||||||
|
"claims_parameter_supported": false,
|
||||||
|
"request_parameter_supported": false,
|
||||||
|
"request_uri_parameter_supported": false,
|
||||||
|
"prompt_values_supported": ["none", "login", "create"],
|
||||||
|
"device_authorization_endpoint": "http://localhost:%MAS_PORT%/oauth2/device",
|
||||||
|
"org.matrix.matrix-authentication-service.graphql_endpoint": "http://localhost:%MAS_PORT%/graphql",
|
||||||
|
"account_management_uri": "http://localhost:%MAS_PORT%/account/",
|
||||||
|
"account_management_actions_supported":
|
||||||
|
[
|
||||||
|
"org.matrix.profile",
|
||||||
|
"org.matrix.sessions_list",
|
||||||
|
"org.matrix.session_view",
|
||||||
|
"org.matrix.session_end",
|
||||||
|
],
|
||||||
|
}
|
||||||
|
|
||||||
|
# Matches the `client_id` in the auth service config
|
||||||
|
client_id: 0000000000000000000SYNAPSE
|
||||||
|
# Matches the `client_auth_method` in the auth service config
|
||||||
|
client_auth_method: client_secret_basic
|
||||||
|
# Matches the `client_secret` in the auth service config
|
||||||
|
client_secret: "SomeRandomSecret"
|
||||||
|
|
||||||
|
# Matches the `matrix.secret` in the auth service config
|
||||||
|
admin_token: "AnotherRandomSecret"
|
||||||
|
|
||||||
|
# URL to advertise to clients where users can self-manage their account
|
||||||
|
account_management_url: "http://localhost:%MAS_PORT%/account"
|
|
@ -0,0 +1,50 @@
|
||||||
|
# Log configuration for Synapse.
|
||||||
|
#
|
||||||
|
# This is a YAML file containing a standard Python logging configuration
|
||||||
|
# dictionary. See [1] for details on the valid settings.
|
||||||
|
#
|
||||||
|
# Synapse also supports structured logging for machine readable logs which can
|
||||||
|
# be ingested by ELK stacks. See [2] for details.
|
||||||
|
#
|
||||||
|
# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
|
||||||
|
# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
|
||||||
|
|
||||||
|
version: 1
|
||||||
|
|
||||||
|
formatters:
|
||||||
|
precise:
|
||||||
|
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
# A handler that writes logs to stderr. Unused by default, but can be used
|
||||||
|
# instead of "buffer" and "file" in the logger handlers.
|
||||||
|
console:
|
||||||
|
class: logging.StreamHandler
|
||||||
|
formatter: precise
|
||||||
|
|
||||||
|
loggers:
|
||||||
|
synapse.storage.SQL:
|
||||||
|
# beware: increasing this to DEBUG will make synapse log sensitive
|
||||||
|
# information such as access tokens.
|
||||||
|
level: DEBUG
|
||||||
|
|
||||||
|
twisted:
|
||||||
|
# We send the twisted logging directly to the file handler,
|
||||||
|
# to work around https://github.com/matrix-org/synapse/issues/3471
|
||||||
|
# when using "buffer" logger. Use "console" to log to stderr instead.
|
||||||
|
handlers: [console]
|
||||||
|
propagate: false
|
||||||
|
|
||||||
|
root:
|
||||||
|
level: DEBUG
|
||||||
|
|
||||||
|
# Write logs to the `buffer` handler, which will buffer them together in memory,
|
||||||
|
# then write them to a file.
|
||||||
|
#
|
||||||
|
# Replace "buffer" with "console" to log to stderr instead. (Note that you'll
|
||||||
|
# also need to update the configuration for the `twisted` logger above, in
|
||||||
|
# this case.)
|
||||||
|
#
|
||||||
|
handlers: [console]
|
||||||
|
|
||||||
|
disable_existing_loggers: false
|
153
playwright/plugins/matrix-authentication-service/config.yaml
Normal file
153
playwright/plugins/matrix-authentication-service/config.yaml
Normal file
|
@ -0,0 +1,153 @@
|
||||||
|
clients:
|
||||||
|
- client_id: 0000000000000000000SYNAPSE
|
||||||
|
client_auth_method: client_secret_basic
|
||||||
|
client_secret: "SomeRandomSecret"
|
||||||
|
http:
|
||||||
|
listeners:
|
||||||
|
- name: web
|
||||||
|
resources:
|
||||||
|
- name: discovery
|
||||||
|
- name: human
|
||||||
|
- name: oauth
|
||||||
|
- name: compat
|
||||||
|
- name: graphql
|
||||||
|
playground: true
|
||||||
|
- name: assets
|
||||||
|
path: /usr/local/share/mas-cli/assets/
|
||||||
|
binds:
|
||||||
|
- address: "[::]:8080"
|
||||||
|
proxy_protocol: false
|
||||||
|
- name: internal
|
||||||
|
resources:
|
||||||
|
- name: health
|
||||||
|
binds:
|
||||||
|
- host: localhost
|
||||||
|
port: 8081
|
||||||
|
proxy_protocol: false
|
||||||
|
trusted_proxies:
|
||||||
|
- 192.128.0.0/16
|
||||||
|
- 172.16.0.0/12
|
||||||
|
- 10.0.0.0/10
|
||||||
|
- 127.0.0.1/8
|
||||||
|
- fd00::/8
|
||||||
|
- ::1/128
|
||||||
|
public_base: "http://localhost:{{MAS_PORT}}/"
|
||||||
|
issuer: http://localhost:{{MAS_PORT}}/
|
||||||
|
database:
|
||||||
|
host: "{{POSTGRES_HOST}}"
|
||||||
|
port: 5432
|
||||||
|
database: postgres
|
||||||
|
username: postgres
|
||||||
|
password: "{{POSTGRES_PASSWORD}}"
|
||||||
|
max_connections: 10
|
||||||
|
min_connections: 0
|
||||||
|
connect_timeout: 30
|
||||||
|
idle_timeout: 600
|
||||||
|
max_lifetime: 1800
|
||||||
|
telemetry:
|
||||||
|
tracing:
|
||||||
|
exporter: none
|
||||||
|
propagators: []
|
||||||
|
metrics:
|
||||||
|
exporter: none
|
||||||
|
sentry:
|
||||||
|
dsn: null
|
||||||
|
templates:
|
||||||
|
path: /usr/local/share/mas-cli/templates/
|
||||||
|
assets_manifest: /usr/local/share/mas-cli/manifest.json
|
||||||
|
translations_path: /usr/local/share/mas-cli/translations/
|
||||||
|
email:
|
||||||
|
from: '"Authentication Service" <root@localhost>'
|
||||||
|
reply_to: '"Authentication Service" <root@localhost>'
|
||||||
|
transport: smtp
|
||||||
|
mode: plain
|
||||||
|
hostname: "host.containers.internal"
|
||||||
|
port: %{{SMTP_PORT}}
|
||||||
|
username: username
|
||||||
|
password: password
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
encryption: 984b18e207c55ad5fbb2a49b217481a722917ee87b2308d4cf314c83fed8e3b5
|
||||||
|
keys:
|
||||||
|
- kid: YEAhzrKipJ
|
||||||
|
key: |
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEowIBAAKCAQEAuIV+AW5vx52I4CuumgSxp6yvKfIAnRdALeZZCoFkIGxUli1B
|
||||||
|
S79NJ3ls46oLh1pSD9RrhaMp6HTNoi4K3hnP9Q9v77pD7KwdFKG3UdG1zksIB0s/
|
||||||
|
+/Ey/DmX4LPluwBBS7r/LkQ1jk745lENA++oiDqZf2D/uP8jCHlvaSNyVKTqi1ki
|
||||||
|
OXPd4T4xBUjzuas9ze5jQVSYtfOidgnv1EzUipbIxgvH1jNt4raRlmP8mOq7xEnW
|
||||||
|
R+cF5x6n/g17PdSEfrwO4kz6aKGZuMP5lVlDEEnMHKabFSQDBl7+Mpok6jXutbtA
|
||||||
|
uiBnsKEahF9eoj4na4fpbRNPdIVyoaN5eGvm5wIDAQABAoIBAApyFCYEmHNWaa83
|
||||||
|
CdVSOrRhRDE9r+c0r79pcNT1ajOjrk4qFa4yEC4R46YntCtfY5Hd1pBkIjU0l4d8
|
||||||
|
z8Su9WTMEOwjQUEepS7L0NLi6kXZXYT8L40VpGs+32grBvBFHW0qEtQNrHJ36gMv
|
||||||
|
x2rXoFTF7HaXiSJx3wvVxAbRqOE9tBXLsmNHaWaAdWQG5o77V9+zvMri3cAeEg2w
|
||||||
|
VkKokb0dza7es7xG3tqS26k69SrwGeeuKo7qCHPH2cfyWmY5Yhv8iOoA59JzzbiK
|
||||||
|
UdxyzCHskrPSpRKVkVVwmY3RBt282TmSRG7td7e5ESSj50P2e5BI5uu1Hp/dvU4F
|
||||||
|
vYjV7kECgYEA6WqYoUpVsgQiqhvJwJIc/8gRm0mUy8TenI36z4Iim01Nt7fibWH7
|
||||||
|
XnsFqLGjXtYNVWvBcCrUl9doEnRbJeG2eRGbGKYAWVrOeFvwM4fYvw9GoOiJdDj4
|
||||||
|
cgWDe7eHbHE+UTqR7Nnr/UBfipoNWDh6X68HRBuXowh0Q6tOfxsrRFECgYEAyl/V
|
||||||
|
4b8bFp3pKZZCb+KPSYsQf793cRmrBexPcLWcDPYbMZQADEZ/VLjbrNrpTOWxUWJT
|
||||||
|
hr8MrWswnHO+l5AFu5CNO+QgV2dHLk+2w8qpdpFRPJCfXfo2D3wZ0c4cv3VCwv1V
|
||||||
|
5y7f6XWVjDWZYV4wj6c3shxZJjZ+9Hbhf3/twbcCgYA6fuRRR3fCbRbi2qPtBrEN
|
||||||
|
yO3gpMgNaQEA6vP4HPzfPrhDWmn8T5nXS61XYW03zxz4U1De81zj0K/cMBzHmZFJ
|
||||||
|
NghQXQmpWwBzWVcREvJWr1Vb7erEnaJlsMwKrSvbGWYspSj82oAxr3hCG+lMOpsw
|
||||||
|
b4S6pM+TpAK/EqdRY1WsgQKBgQCGoMaaTRXqL9bC0bEU2XVVCWxKb8c3uEmrwQ7/
|
||||||
|
/fD4NmjUzI5TnDps1CVfkqoNe+hAKddDFqmKXHqUOfOaxDbsFje+lf5l5tDVoDYH
|
||||||
|
fjTKKdYPIm7CiAeauYY7qpA5Vfq52Opixy4yEwUPp0CII67OggFtPaqY3zwJyWQt
|
||||||
|
+57hdQKBgGCXM/KKt7ceUDcNJxSGjvu0zD9D5Sv2ihYlEBT/JLaTCCJdvzREevaJ
|
||||||
|
1d+mpUAt0Lq6A8NWOMq8HPaxAik3rMQ0WtM5iG+XgsUqvTSb7NcshArDLuWGnW3m
|
||||||
|
MC4rM0UBYAS4QweduUSH1imrwH/1Gu5+PxbiecceRMMggWpzu0Bq
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
|
- kid: 8J1AxrlNZT
|
||||||
|
key: |
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHcCAQEEIF1cjfIOEdy3BXJ72x6fKpEB8WP1ddZAUJAaqqr/6CpToAoGCCqGSM49
|
||||||
|
AwEHoUQDQgAEfHdNuI1Yeh3/uOq2PlnW2vymloOVpwBYebbw4VVsna9xhnutIdQW
|
||||||
|
dE8hkX8Yb0pIDasrDiwllVLzSvsWJAI0Kw==
|
||||||
|
-----END EC PRIVATE KEY-----
|
||||||
|
- kid: 3BW6un1EBi
|
||||||
|
key: |
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MIGkAgEBBDA+3ZV17r8TsiMdw1cpbTSNbyEd5SMy3VS1Mk/kz6O2Ev/3QZut8GE2
|
||||||
|
q3eGtLBoVQigBwYFK4EEACKhZANiAASs8Wxjk/uRimRKXnPr2/wDaXkN9wMDjYQK
|
||||||
|
mZULb+0ZP1/cXmuXuri8hUGhQvIU8KWY9PkpV+LMPEdpE54mHPKSLjq5CDXoSZ/P
|
||||||
|
9f7cdRaOZ000KQPZfIFR9ujJTtDN7Vs=
|
||||||
|
-----END EC PRIVATE KEY-----
|
||||||
|
- kid: pkZ0pTKK0X
|
||||||
|
key: |
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
MHQCAQEEIHenfsXYPc5yzjZKUfvmydDR1YRwdsfZYvwHf/2wsYxooAcGBSuBBAAK
|
||||||
|
oUQDQgAEON1x7Vlu+nA0KvC5vYSOHhDUkfLYNZwYSLPFVT02h9E13yFFMIJegIBl
|
||||||
|
Aer+6PMZpPc8ycyeH9N+U9NAyliBhQ==
|
||||||
|
-----END EC PRIVATE KEY-----
|
||||||
|
passwords:
|
||||||
|
enabled: true
|
||||||
|
schemes:
|
||||||
|
- version: 1
|
||||||
|
algorithm: argon2id
|
||||||
|
matrix:
|
||||||
|
homeserver: localhost
|
||||||
|
secret: AnotherRandomSecret
|
||||||
|
endpoint: "{{SYNAPSE_URL}}"
|
||||||
|
policy:
|
||||||
|
wasm_module: /usr/local/share/mas-cli/policy.wasm
|
||||||
|
client_registration_entrypoint: client_registration/violation
|
||||||
|
register_entrypoint: register/violation
|
||||||
|
authorization_grant_entrypoint: authorization_grant/violation
|
||||||
|
password_entrypoint: password/violation
|
||||||
|
email_entrypoint: email/violation
|
||||||
|
data:
|
||||||
|
client_registration:
|
||||||
|
allow_insecure_uris: true # allow non-SSL and localhost URIs
|
||||||
|
allow_missing_contacts: true # EW doesn't have contacts at this time
|
||||||
|
upstream_oauth2:
|
||||||
|
providers: []
|
||||||
|
branding:
|
||||||
|
service_name: null
|
||||||
|
policy_uri: null
|
||||||
|
tos_uri: null
|
||||||
|
imprint: null
|
||||||
|
logo_uri: null
|
||||||
|
experimental:
|
||||||
|
access_token_ttl: 300
|
||||||
|
compat_token_ttl: 300
|
159
playwright/plugins/matrix-authentication-service/index.ts
Normal file
159
playwright/plugins/matrix-authentication-service/index.ts
Normal file
|
@ -0,0 +1,159 @@
|
||||||
|
/*
|
||||||
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import path, { basename } from "node:path";
|
||||||
|
import os from "node:os";
|
||||||
|
import * as fse from "fs-extra";
|
||||||
|
import { BrowserContext, TestInfo } from "@playwright/test";
|
||||||
|
|
||||||
|
import { getFreePort } from "../utils/port";
|
||||||
|
import { Docker } from "../docker";
|
||||||
|
import { PG_PASSWORD, PostgresDocker } from "../postgres";
|
||||||
|
import { HomeserverInstance } from "../homeserver";
|
||||||
|
import { Instance as MailhogInstance } from "../mailhog";
|
||||||
|
|
||||||
|
// Docker tag to use for `ghcr.io/matrix-org/matrix-authentication-service` image.
|
||||||
|
// We use a debug tag so that we have a shell and can run all 3 necessary commands in one run.
|
||||||
|
const TAG = "0.8.0-debug";
|
||||||
|
|
||||||
|
export interface ProxyInstance {
|
||||||
|
containerId: string;
|
||||||
|
postgresId: string;
|
||||||
|
configDir: string;
|
||||||
|
port: number;
|
||||||
|
}
|
||||||
|
|
||||||
|
async function cfgDirFromTemplate(opts: {
|
||||||
|
postgresHost: string;
|
||||||
|
synapseUrl: string;
|
||||||
|
masPort: string;
|
||||||
|
smtpPort: string;
|
||||||
|
}): Promise<{
|
||||||
|
configDir: string;
|
||||||
|
}> {
|
||||||
|
const configPath = path.join(__dirname, "config.yaml");
|
||||||
|
const tempDir = await fse.mkdtemp(path.join(os.tmpdir(), "react-sdk-mas-"));
|
||||||
|
|
||||||
|
const outputHomeserver = path.join(tempDir, "config.yaml");
|
||||||
|
console.log(`Gen ${configPath} -> ${outputHomeserver}`);
|
||||||
|
let config = await fse.readFile(configPath, "utf8");
|
||||||
|
config = config.replace(/{{MAS_PORT}}/g, opts.masPort);
|
||||||
|
config = config.replace(/{{POSTGRES_HOST}}/g, opts.postgresHost);
|
||||||
|
config = config.replace(/{{POSTGRES_PASSWORD}}/g, PG_PASSWORD);
|
||||||
|
config = config.replace(/%{{SMTP_PORT}}/g, opts.smtpPort);
|
||||||
|
config = config.replace(/{{SYNAPSE_URL}}/g, opts.synapseUrl);
|
||||||
|
|
||||||
|
await fse.writeFile(outputHomeserver, config);
|
||||||
|
|
||||||
|
// Allow anyone to read, write and execute in the temp directory
|
||||||
|
// so that the DIND setup that we use to update the playwright screenshots work without any issues.
|
||||||
|
await fse.chmod(tempDir, 0o757);
|
||||||
|
|
||||||
|
return {
|
||||||
|
configDir: tempDir,
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
export class MatrixAuthenticationService {
|
||||||
|
private readonly masDocker = new Docker();
|
||||||
|
private readonly postgresDocker = new PostgresDocker("mas");
|
||||||
|
private instance: ProxyInstance;
|
||||||
|
public port: number;
|
||||||
|
|
||||||
|
constructor(private context: BrowserContext) {}
|
||||||
|
|
||||||
|
async prepare(): Promise<{ port: number }> {
|
||||||
|
this.port = await getFreePort();
|
||||||
|
return { port: this.port };
|
||||||
|
}
|
||||||
|
|
||||||
|
async start(homeserver: HomeserverInstance, mailhog: MailhogInstance): Promise<ProxyInstance> {
|
||||||
|
console.log(new Date(), "Starting mas...");
|
||||||
|
|
||||||
|
if (!this.port) await this.prepare();
|
||||||
|
const port = this.port;
|
||||||
|
const { containerId: postgresId, ipAddress: postgresIp } = await this.postgresDocker.start();
|
||||||
|
const { configDir } = await cfgDirFromTemplate({
|
||||||
|
masPort: port.toString(),
|
||||||
|
postgresHost: postgresIp,
|
||||||
|
synapseUrl: homeserver.config.dockerUrl,
|
||||||
|
smtpPort: mailhog.smtpPort.toString(),
|
||||||
|
});
|
||||||
|
|
||||||
|
console.log(new Date(), "starting mas container...", TAG);
|
||||||
|
const containerId = await this.masDocker.run({
|
||||||
|
image: "ghcr.io/matrix-org/matrix-authentication-service:" + TAG,
|
||||||
|
containerName: "react-sdk-playwright-mas",
|
||||||
|
params: ["-p", `${port}:8080/tcp`, "-v", `${configDir}:/config`, "--entrypoint", "sh"],
|
||||||
|
cmd: [
|
||||||
|
"-c",
|
||||||
|
"mas-cli database migrate --config /config/config.yaml && " +
|
||||||
|
"mas-cli config sync --config /config/config.yaml && " +
|
||||||
|
"mas-cli server --config /config/config.yaml",
|
||||||
|
],
|
||||||
|
});
|
||||||
|
console.log(new Date(), "started!");
|
||||||
|
|
||||||
|
// Set up redirects
|
||||||
|
const baseUrl = `http://localhost:${port}`;
|
||||||
|
for (const path of [
|
||||||
|
"**/_matrix/client/*/login",
|
||||||
|
"**/_matrix/client/*/login/**",
|
||||||
|
"**/_matrix/client/*/logout",
|
||||||
|
"**/_matrix/client/*/refresh",
|
||||||
|
]) {
|
||||||
|
await this.context.route(path, async (route) => {
|
||||||
|
await route.continue({
|
||||||
|
url: new URL(route.request().url().split("/").slice(3).join("/"), baseUrl).href,
|
||||||
|
});
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
this.instance = { containerId, postgresId, port, configDir };
|
||||||
|
return this.instance;
|
||||||
|
}
|
||||||
|
|
||||||
|
async stop(testInfo: TestInfo): Promise<void> {
|
||||||
|
if (!this.instance) return; // nothing to stop
|
||||||
|
const id = this.instance.containerId;
|
||||||
|
const logPath = path.join("playwright", "logs", "matrix-authentication-service", id);
|
||||||
|
await fse.ensureDir(logPath);
|
||||||
|
await this.masDocker.persistLogsToFile({
|
||||||
|
stdoutFile: path.join(logPath, "stdout.log"),
|
||||||
|
stderrFile: path.join(logPath, "stderr.log"),
|
||||||
|
});
|
||||||
|
|
||||||
|
await this.masDocker.stop();
|
||||||
|
await this.postgresDocker.stop();
|
||||||
|
|
||||||
|
if (testInfo.status !== "passed") {
|
||||||
|
const logs = [path.join(logPath, "stdout.log"), path.join(logPath, "stderr.log")];
|
||||||
|
for (const path of logs) {
|
||||||
|
await testInfo.attach(`mas-${basename(path)}`, {
|
||||||
|
path,
|
||||||
|
contentType: "text/plain",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
await testInfo.attach("mas-config.yaml", {
|
||||||
|
path: path.join(this.instance.configDir, "config.yaml"),
|
||||||
|
contentType: "text/plain",
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
await fse.remove(this.instance.configDir);
|
||||||
|
console.log(new Date(), "Stopped mas.");
|
||||||
|
}
|
||||||
|
}
|
|
@ -175,6 +175,7 @@ export default class GeneralUserSettingsTab extends React.Component<IProps, ISta
|
||||||
// the enabled flag value.
|
// the enabled flag value.
|
||||||
const canChangePassword = !changePasswordCap || changePasswordCap["enabled"] !== false;
|
const canChangePassword = !changePasswordCap || changePasswordCap["enabled"] !== false;
|
||||||
|
|
||||||
|
await this.context.oidcClientStore.readyPromise; // wait for the store to be ready
|
||||||
const externalAccountManagementUrl = this.context.oidcClientStore.accountManagementEndpoint;
|
const externalAccountManagementUrl = this.context.oidcClientStore.accountManagementEndpoint;
|
||||||
// https://spec.matrix.org/v1.7/client-server-api/#m3pid_changes-capability
|
// https://spec.matrix.org/v1.7/client-server-api/#m3pid_changes-capability
|
||||||
// We support as far back as v1.1 which doesn't have m.3pid_changes
|
// We support as far back as v1.1 which doesn't have m.3pid_changes
|
||||||
|
|
|
@ -173,7 +173,10 @@ const SessionManagerTab: React.FC = () => {
|
||||||
* delegated auth provider.
|
* delegated auth provider.
|
||||||
* See https://github.com/matrix-org/matrix-spec-proposals/pull/3824
|
* See https://github.com/matrix-org/matrix-spec-proposals/pull/3824
|
||||||
*/
|
*/
|
||||||
const delegatedAuthAccountUrl = sdkContext.oidcClientStore.accountManagementEndpoint;
|
const delegatedAuthAccountUrl = useAsyncMemo(async () => {
|
||||||
|
await sdkContext.oidcClientStore.readyPromise; // wait for the store to be ready
|
||||||
|
return sdkContext.oidcClientStore.accountManagementEndpoint;
|
||||||
|
}, [sdkContext.oidcClientStore]);
|
||||||
const disableMultipleSignout = !!delegatedAuthAccountUrl;
|
const disableMultipleSignout = !!delegatedAuthAccountUrl;
|
||||||
|
|
||||||
const userId = matrixClient?.getUserId();
|
const userId = matrixClient?.getUserId();
|
||||||
|
|
|
@ -30,17 +30,25 @@ import PlatformPeg from "../../PlatformPeg";
|
||||||
export class OidcClientStore {
|
export class OidcClientStore {
|
||||||
private oidcClient?: OidcClient;
|
private oidcClient?: OidcClient;
|
||||||
private initialisingOidcClientPromise: Promise<void> | undefined;
|
private initialisingOidcClientPromise: Promise<void> | undefined;
|
||||||
private authenticatedIssuer?: string;
|
private authenticatedIssuer?: string; // set only in OIDC-native mode
|
||||||
private _accountManagementEndpoint?: string;
|
private _accountManagementEndpoint?: string;
|
||||||
|
/**
|
||||||
|
* Promise which resolves once this store is read to use, which may mean there is no OIDC client if we're in legacy mode,
|
||||||
|
* or we just have the account management endpoint if running in OIDC-aware mode.
|
||||||
|
*/
|
||||||
|
public readonly readyPromise: Promise<void>;
|
||||||
|
|
||||||
public constructor(private readonly matrixClient: MatrixClient) {
|
public constructor(private readonly matrixClient: MatrixClient) {
|
||||||
|
this.readyPromise = this.init();
|
||||||
|
}
|
||||||
|
|
||||||
|
private async init(): Promise<void> {
|
||||||
this.authenticatedIssuer = getStoredOidcTokenIssuer();
|
this.authenticatedIssuer = getStoredOidcTokenIssuer();
|
||||||
if (this.authenticatedIssuer) {
|
if (this.authenticatedIssuer) {
|
||||||
this.getOidcClient();
|
await this.getOidcClient();
|
||||||
} else {
|
} else {
|
||||||
matrixClient.waitForClientWellKnown().then((wellKnown) => {
|
const wellKnown = await this.matrixClient.waitForClientWellKnown();
|
||||||
this._accountManagementEndpoint = getDelegatedAuthAccountUrl(wellKnown);
|
this._accountManagementEndpoint = getDelegatedAuthAccountUrl(wellKnown);
|
||||||
});
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue