This repository has been archived by the owner on Sep 10, 2024. It is now read-only.

getting server admin API tokens #2913

Open
joepitt91 opened this issue Jun 29, 2024 · 2 comments

Comments

@joepitt91

I've got some automation scripts which use the _synapse/admin/... API endpoints, which need an authentication token.

Before MAS

Previously I:

  1. Set admin to 1 for my users in the Synapse DB,
  2. Log into Element Desktop, and
  3. Use token from advanced settings page.

With MAS

Since switching to MAS this method no longer works, as per the docs, with this error:

{"errcode":"M_FORBIDDEN","error":"You are not a server admin"}

While the docs say that Synapse will no longer manage who is an admin, I couldn't see anything about how to manage this in MAS.

Workaround

As a workaround I've:

  1. Set can_request_admin to true for my user in users in the MAS DB,
  2. Log into Element Desktop,
  3. Find my token in advanced settings,
  4. Find the associated compat_session_id in compat_access_tokens based on access_token (surprised tokens are stored in plain-text not salted and hashed - by design?),
  5. Update is_synapse_admin to true in compat_sessions for my compat_session_id,
  6. Use token from Element Desktop.

Proposed Solution

This feels very hacky; the sort of flow that I think would be ideal is:

  1. Log in to MAS web UI.
  2. is_synapse_admin is updated on the fly based on a configurable OIDC role attestation (maybe a CLI option to toggle as a fallback).
  3. Click a button to generate a token.
  4. Dialog opens to:
    1. Set a friendly name,
    2. Toggle a checkbox for if it should be an admin token (only shown for users where is_synapse_admin is true), and
    3. Optionally, set an expiry period.
  5. The new Token is shown once then unrecoverable through the UI.
  6. Web UI has a tab for tokens, just like sessions and browsers, to allow manual revocation before expiry.

Questions

  1. Is there a better way than my workaround to do this currently?
  2. Would it be possible to get my proposed solution on the backlog - appreciate it may not be a high priority?

Thanks
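The workaround above amounts to three database changes keyed on one access token. The script below, added here as an illustration and not code from the issue author or from matrix-authentication-service, models that flow against an in-memory SQLite stand-in so it can be run offline. The table and column names are the ones named in the issue (users.can_request_admin, compat_access_tokens.access_token, compat_sessions.is_synapse_admin); every other column, the sqlite schema itself and the sample rows are constructed assumptions, since the real MAS database is PostgreSQL with a richer schema. The example also adds the two things a practitioner would want around such a manual edit: a refusal to promote a session whose token belongs to a different user, and an audit/revocation path for admin-flagged sessions.

```python
import sqlite3

# Constructed, simplified stand-in for the MAS tables named in the issue.
# Only the columns the workaround touches are modelled; the extra id columns
# and the sample rows are made up for this example.
SCHEMA = """
CREATE TABLE users (
    user_id TEXT PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    can_request_admin INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE compat_sessions (
    compat_session_id TEXT PRIMARY KEY,
    user_id TEXT NOT NULL REFERENCES users(user_id),
    is_synapse_admin INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE compat_access_tokens (
    compat_access_token_id TEXT PRIMARY KEY,
    compat_session_id TEXT NOT NULL REFERENCES compat_sessions(compat_session_id),
    access_token TEXT NOT NULL UNIQUE
);
"""

# Constructed sample data: two users, one compat session and one token each.
SAMPLE_ROWS = """
INSERT INTO users VALUES ('u1', 'joe', 0);
INSERT INTO users VALUES ('u2', 'alice', 0);
INSERT INTO compat_sessions VALUES ('s1', 'u1', 0);
INSERT INTO compat_sessions VALUES ('s2', 'u2', 0);
INSERT INTO compat_access_tokens VALUES ('t1', 's1', 'syt_example_token_joe');
INSERT INTO compat_access_tokens VALUES ('t2', 's2', 'syt_example_token_alice');
"""


def open_sample_db():
    """Create the in-memory stand-in database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def promote_session_for_token(conn, username, access_token):
    """Apply the issue's workaround for one access token.

    Returns the compat_session_id that was flagged as a Synapse admin session.
    Raises LookupError if the token is unknown and PermissionError if it belongs
    to a different user, so a pasted-in wrong token cannot silently promote
    someone else's session.
    """
    row = conn.execute(
        """SELECT s.compat_session_id, u.username
           FROM compat_access_tokens t
           JOIN compat_sessions s ON s.compat_session_id = t.compat_session_id
           JOIN users u ON u.user_id = s.user_id
           WHERE t.access_token = ?""",
        (access_token,),
    ).fetchone()
    if row is None:
        raise LookupError("access token not found in compat_access_tokens")
    session_id, owner = row
    if owner != username:
        raise PermissionError(f"token belongs to {owner!r}, not {username!r}")
    with conn:  # both updates commit together or not at all
        # Workaround step 1: allow this user to request admin.
        conn.execute(
            "UPDATE users SET can_request_admin = 1 WHERE username = ?", (username,)
        )
        # Workaround step 5: flag only this compat session as a Synapse admin session.
        conn.execute(
            "UPDATE compat_sessions SET is_synapse_admin = 1 WHERE compat_session_id = ?",
            (session_id,),
        )
    return session_id


def admin_sessions(conn):
    """List (username, compat_session_id) for every admin-flagged session.

    Running this periodically is the audit the manual workaround otherwise lacks.
    """
    return conn.execute(
        """SELECT u.username, s.compat_session_id
           FROM compat_sessions s JOIN users u ON u.user_id = s.user_id
           WHERE s.is_synapse_admin = 1 ORDER BY u.username"""
    ).fetchall()


def demote_session(conn, session_id):
    """Revoke the admin flag on one compat session (manual revocation)."""
    with conn:
        conn.execute(
            "UPDATE compat_sessions SET is_synapse_admin = 0 WHERE compat_session_id = ?",
            (session_id,),
        )


if __name__ == "__main__":
    db = open_sample_db()
    sid = promote_session_for_token(db, "joe", "syt_example_token_joe")
    print("promoted session:", sid)
    print("admin sessions now:", admin_sessions(db))
```

The ownership check and the audit listing are the two controls worth keeping even if the flow is later moved into a proper MAS UI or CLI: the flag lives on the session, not the user, so every admin-flagged session should be enumerable and individually revocable.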

@matrixbot
Member

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: element-hq/matrix-authentication-service#2913
