Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

synapse's password policy is ignored/circumvented #79

Open
HarHarLinks opened this issue Oct 23, 2021 · 4 comments
Open

synapse's password policy is ignored/circumvented #79

HarHarLinks opened this issue Oct 23, 2021 · 4 comments
Labels
bug Something isn't working

Comments

@HarHarLinks
Copy link

Describe the bug

To Reproduce

  1. setup synapse password policy e.g. minimum length 10 letters
  2. register new user with token, using a policy violating password, e.g. 8 characters long

Expected behavior

respect pw policy

Screenshots

System:

  • OS: docker
  • python version: docker
  • matrix registration version: v0.7.2 (docker)

Additional context

not sure what good practices are in regards of informing users of the pw policy
@HarHarLinks HarHarLinks added the bug Something isn't working label Oct 23, 2021
@zeratax
Copy link
Owner

zeratax commented Oct 24, 2021

are those policies being exposed somehow? otherwise you can set this manually via https://github.com/ZerataX/matrix-registration/blob/master/config.sample.yaml#L41

@HarHarLinks
Copy link
Author

looks like they are, this is the MSC the synapse sample config file links to https://github.com/matrix-org/matrix-doc/blob/babolivier/password-policy/proposals/2000-password-policies.md

@xelantro
Copy link
Collaborator

Since the admin of the Synapse server also runs matrix-registration, we'd have two ways of implementing this:
Requesting the server policy via synapse api
+ following the configuration setup in synapse
- doesn't seem to have a default value (on my server it just returns empty json body - synapse 1.37.1 / edit: even matrix.org doesn't seem to implement /_matrix/client/r0/password_policy)
- doesn't seem to be suggested anywhere to change theese (correct me if I missed it)
- the synapse config files are quite cryptic and always scary for less experienced admins to touch

Implementing it ourselfes
+ centralised registration policies (e.g. usernames, passwords)
+ cleaner way of configuration (easier to find in my opinion)
(+ prettier on our side to implement without repeating api calls)

Conclusion / Proposal
The probability of one using the integrated registration feature of synapse alongside matrix-reistration is quite low.
So I propose that we include theese settings into our password reqirement field somewhat like this:

# password requirements
password:
  min_length: 8
  needs_lowercase: true
  needs_upercase: false
  needs_numbers: false
  needs_symbols: false

Of cause open to suggestions (esp. regarding the default values)

@zeratax
Copy link
Owner

zeratax commented Oct 25, 2021
edited

looks like this msc isn't yet merged?
matrix-org/matrix-spec-proposals#2000

it is in synapse though:
matrix-org/synapse#7118

@xelantro looks like if you don't define a password policy it just responds with {}
since as the msc describes all parameters are optional

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@HarHarLinks @zeratax @xelantro