forked-synapse/docs/usage/administration/admin_api/registration_tokens.md
Callum Brown 947dbbdfd1
Implement MSC3231: Token authenticated registration (#10142)
Signed-off-by: Callum Brown <callum@calcuode.com>

This is part of my GSoC project implementing [MSC3231](https://github.com/matrix-org/matrix-doc/pull/3231).
2021-08-21 22:14:43 +01:00

7.2 KiB

Registration Tokens

This API allows you to manage tokens which can be used to authenticate registration requests, as proposed in MSC3231. To use it, you will need to enable the registration_requires_token config option, and authenticate by providing an access_token for a server admin: see Admin API. Note that this API is still experimental; not all clients may support it yet.

Registration token objects

Most endpoints make use of JSON objects that contain details about tokens. These objects have the following fields:

  • token: The token which can be used to authenticate registration.
  • uses_allowed: The number of times the token can be used to complete a registration before it becomes invalid.
  • pending: The number of pending uses the token has. When someone uses the token to authenticate themselves, the pending counter is incremented so that the token is not used more than the permitted number of times. When the person completes registration the pending counter is decremented, and the completed counter is incremented.
  • completed: The number of times the token has been used to successfully complete a registration.
  • expiry_time: The latest time the token is valid. Given as the number of milliseconds since 1970-01-01 00:00:00 UTC (the start of the Unix epoch). To convert this into a human-readable form you can remove the milliseconds and use the date command. For example, date -d '@1625394937'.

List all tokens

Lists all tokens and details about them. If the request is successful, the top level JSON object will have a registration_tokens key which is an array of registration token objects.

GET /_synapse/admin/v1/registration_tokens

Optional query parameters:

  • valid: true or false. If true, only valid tokens are returned. If false, only tokens that have expired or have had all uses exhausted are returned. If omitted, all tokens are returned regardless of validity.

Example:

GET /_synapse/admin/v1/registration_tokens
200 OK

{
    "registration_tokens": [
        {
            "token": "abcd",
            "uses_allowed": 3,
            "pending": 0,
            "completed": 1,
            "expiry_time": null
        },
        {
            "token": "pqrs",
            "uses_allowed": 2,
            "pending": 1,
            "completed": 1,
            "expiry_time": null
        },
        {
            "token": "wxyz",
            "uses_allowed": null,
            "pending": 0,
            "completed": 9,
            "expiry_time": 1625394937000    // 2021-07-04 10:35:37 UTC
        }
    ]
}

Example using the valid query parameter:

GET /_synapse/admin/v1/registration_tokens?valid=false
200 OK

{
    "registration_tokens": [
        {
            "token": "pqrs",
            "uses_allowed": 2,
            "pending": 1,
            "completed": 1,
            "expiry_time": null
        },
        {
            "token": "wxyz",
            "uses_allowed": null,
            "pending": 0,
            "completed": 9,
            "expiry_time": 1625394937000    // 2021-07-04 10:35:37 UTC
        }
    ]
}

Get one token

Get details about a single token. If the request is successful, the response body will be a registration token object.

GET /_synapse/admin/v1/registration_tokens/<token>

Path parameters:

  • token: The registration token to return details of.

Example:

GET /_synapse/admin/v1/registration_tokens/abcd
200 OK

{
    "token": "abcd",
    "uses_allowed": 3,
    "pending": 0,
    "completed": 1,
    "expiry_time": null
}

Create token

Create a new registration token. If the request is successful, the newly created token will be returned as a registration token object in the response body.

POST /_synapse/admin/v1/registration_tokens/new

The request body must be a JSON object and can contain the following fields:

  • token: The registration token. A string of no more than 64 characters that consists only of characters matched by the regex [A-Za-z0-9-_]. Default: randomly generated.
  • uses_allowed: The integer number of times the token can be used to complete a registration before it becomes invalid. Default: null (unlimited uses).
  • expiry_time: The latest time the token is valid. Given as the number of milliseconds since 1970-01-01 00:00:00 UTC (the start of the Unix epoch). You could use, for example, date '+%s000' -d 'tomorrow'. Default: null (token does not expire).
  • length: The length of the token randomly generated if token is not specified. Must be between 1 and 64 inclusive. Default: 16.

If a field is omitted the default is used.

Example using defaults:

POST /_synapse/admin/v1/registration_tokens/new

{}
200 OK

{
    "token": "0M-9jbkf2t_Tgiw1",
    "uses_allowed": null,
    "pending": 0,
    "completed": 0,
    "expiry_time": null
}

Example specifying some fields:

POST /_synapse/admin/v1/registration_tokens/new

{
    "token": "defg",
    "uses_allowed": 1
}
200 OK

{
    "token": "defg",
    "uses_allowed": 1,
    "pending": 0,
    "completed": 0,
    "expiry_time": null
}

Update token

Update the number of allowed uses or expiry time of a token. If the request is successful, the updated token will be returned as a registration token object in the response body.

PUT /_synapse/admin/v1/registration_tokens/<token>

Path parameters:

  • token: The registration token to update.

The request body must be a JSON object and can contain the following fields:

  • uses_allowed: The integer number of times the token can be used to complete a registration before it becomes invalid. By setting uses_allowed to 0 the token can be easily made invalid without deleting it. If null the token will have an unlimited number of uses.
  • expiry_time: The latest time the token is valid. Given as the number of milliseconds since 1970-01-01 00:00:00 UTC (the start of the Unix epoch). If null the token will not expire.

If a field is omitted its value is not modified.

Example:

PUT /_synapse/admin/v1/registration_tokens/defg

{
    "expiry_time": 4781243146000    // 2121-07-06 11:05:46 UTC
}
200 OK

{
    "token": "defg",
    "uses_allowed": 1,
    "pending": 0,
    "completed": 0,
    "expiry_time": 4781243146000
}

Delete token

Delete a registration token. If the request is successful, the response body will be an empty JSON object.

DELETE /_synapse/admin/v1/registration_tokens/<token>

Path parameters:

  • token: The registration token to delete.

Example:

DELETE /_synapse/admin/v1/registration_tokens/wxyz
200 OK

{}

Errors

If a request fails a "standard error response" will be returned as defined in the Matrix Client-Server API specification.

For example, if the token specified in a path parameter does not exist a 404 Not Found error will be returned.

GET /_synapse/admin/v1/registration_tokens/1234
404 Not Found

{
    "errcode": "M_NOT_FOUND",
    "error": "No such registration token: 1234"
}