Encryption: Unable to start matrix-hookshot with MAS #980

Open
voc0der opened this issue Oct 26, 2024 · 3 comments
Labels
S-Minor Impairs non-critical functionality or suitable workarounds exist T-Documentation Improvements or additions to documentation

voc0der commented Oct 26, 2024

Config:

  1. Docker serves all matrix services.
  2. Matrix Authentication Service is installed and configured to use an OIDC upstream.
  3. Using Authelia for IdP, and SWAG as a reverse proxy.
  4. This worked until I tried to get encryption working.

WARN 11:27:02:665 [Config] 
You have enabled encryption support in the bridge. This feature is HIGHLY EXPERIMENTAL AND SUBJECT TO CHANGE.
For more details, see https://github.com/matrix-org/matrix-hookshot/issues/594.
            
INFO 11:27:02:670 [ListenerService] Listening on http://0.0.0.0:9000 for webhooks
DEBUG 11:27:02:670 [LogWrapper] Reconfigured logging
INFO 11:27:02:671 [Appservice] Initialising Redis storage
INFO 11:27:02:673 [Appservice] Initialising crypto storage
INFO 11:27:02:679 [UserTokenStore] Loading token key file /data/passkey.pem
INFO 11:27:02:720 [Bridge] Starting up
INFO 11:27:02:721 [RedisASProvider] Successfully connected
INFO 11:27:02:721 [Bridge] Ensuring homeserver can be reached...
INFO 11:27:02:742 [BotUsersManager] Ensuring bot users are set up...
DEBUG 11:27:02:742 [BotUsersManager] Ensuring bot user @hookshot:mydomain.xyz is registered
DEBUG 11:27:02:743 [BotUsersManager] Ensuring profile for @hookshot:mydomain.xyz is updated
INFO 11:27:02:747 [BotUsersManager] Getting joined rooms...
ERROR 11:27:02:750 [MatrixHttpClient] (REQ-5) { errcode: 'M_UNRECOGNIZED', error: 'Invalid login type' }
ERROR 11:27:02:751 [Appservice] Failed to set up crypto on intent @hookshot:mydomain.xyz MatrixError: M_UNRECOGNIZED: Invalid login type
    at doHttpRequest (/usr/bin/matrix-hookshot/node_modules/matrix-bot-sdk/lib/http.js:95:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async descriptor.value (/usr/bin/matrix-hookshot/node_modules/matrix-bot-sdk/lib/metrics/decorators.js:19:32)
    at async /usr/bin/matrix-hookshot/node_modules/matrix-bot-sdk/lib/appservice/Intent.js:166:41 {
  body: { errcode: 'M_UNRECOGNIZED', error: 'Invalid login type' },
  statusCode: 400,
  errcode: 'M_UNRECOGNIZED',
  error: 'Invalid login type',
  retryAfterMs: undefined
}
node:internal/process/promises:289
            triggerUncaughtException(err, true /* fromPromise */);
            ^

MatrixError: M_UNRECOGNIZED: Invalid login type
    at doHttpRequest (/usr/bin/matrix-hookshot/node_modules/matrix-bot-sdk/lib/http.js:95:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async descriptor.value (/usr/bin/matrix-hookshot/node_modules/matrix-bot-sdk/lib/metrics/decorators.js:19:32)
    at async /usr/bin/matrix-hookshot/node_modules/matrix-bot-sdk/lib/appservice/Intent.js:166:41 {
  body: { errcode: 'M_UNRECOGNIZED', error: 'Invalid login type' },
  statusCode: 400,
  errcode: 'M_UNRECOGNIZED',
  error: 'Invalid login type',
  retryAfterMs: undefined
}

Node.js v20.12.2

In the MAS logs:

2024-10-26T11:07:44.243634Z ERROR http.server.request{otel.kind="server" otel.name="POST /_matrix/client/:version/login" network.protocol.name="http" network.protocol.version="1.1" http.request.method="POST" url.path="/_matrix/client/v3/login" url.scheme="http" http.route="/_matrix/client/:version/login" url.query="user_id=%40hookshot%somedomain.xyz"}:handlers.compat.login.post: mas_handlers::compat::login: crates/handlers/src/compat/login.rs:219: error=unsupported login method

So, MAS requires this: https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html#compatibility-layer
Which means that requests that go to that endpoint, like it appears to be, it's making a POST request to https://matrix.mydomain.xyz/_matrix/client/v3/login?user_id=%40hookshot%3Adomain.xyz
That will be redirected to MAS. It then fails to log in. Then also, if you use the internal IP instead of the matrix homeserver URL like above, such as http://172.28.0.100:8008, then it fails because the endpoint is already not accepting login states at THAT endpoint since it's bypassing the compatibility layer.

Anyways, does anyone have this working with MAS?

@voc0der voc0der changed the title Encryption unable to start matrix-hookshot with MAS Encryption: Unable to start matrix-hookshot with MAS Oct 26, 2024
@Half-Shot
Contributor

So, my understanding is you need to tell hookshot to go via the compatibility layer by pointing it to your load balancer rather than internal IP of your homeserver. You will probably need to do this anyway if you are running Synapse in worker mode, so it's generally good practice to do so.

@Half-Shot Half-Shot added T-Documentation Improvements or additions to documentation S-Minor Impairs non-critical functionality or suitable workarounds exist labels Oct 29, 2024
Author

voc0der commented Oct 29, 2024

Yeah. After inspecting the traffic, that's what I did. It was failing to get inside internally.

bridge:
  # Basic homeserver configuration
  domain: mydomain.xyz
  url: https://matrix.mydomain.xyz
  port: 9993
  bindAddress: 0.0.0.0

Is what I've got, which produces that error. It still can't get in, because of the snippet from MAS logs above.

crates/handlers/src/compat/login.rs:219: error=unsupported login method.

I think there's something going on because other matrix extensions aren't having this same issue. I can't see any other route to try.

Author

voc0der commented Dec 13, 2024

Anyone have this working / any update? I'd think most people would want to be using MAS by now...

Edit: Looks like no: turt2live/matrix-bot-sdk#298
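
A way to triage the MAS log line quoted in this thread, as an added example that is not part of the original issue and not hookshot or MAS code: it parses the span fields, checks the path against the compatibility-layer path rule from the MAS reverse-proxy documentation, and decodes the `user_id` query parameter. The function names and the sample line (with `example.org`) are constructed for illustration.

```javascript
// Added example (not hookshot or MAS code): triage a MAS log line like the one
// in this thread. The sample line below is constructed in that format.

// Path rule given in the MAS reverse-proxy docs for the compatibility layer.
const COMPAT_RE = /^\/_matrix\/client\/(.*)\/(login|logout|refresh)/;

// Pull key="value" span fields and the trailing error=... out of one line.
function parseMasLine(line) {
  const fields = {};
  for (const m of line.matchAll(/([\w.]+)="([^"]*)"/g)) fields[m[1]] = m[2];
  const err = line.match(/error=(.+)$/);
  return { fields, error: err ? err[1].trim() : null };
}

// Decode the user_id query parameter; redacted logs may hold invalid escapes.
function userIdFrom(query) {
  const raw = (query || "").split("&").find((p) => p.startsWith("user_id="));
  if (!raw) return null;
  try {
    return decodeURIComponent(raw.slice("user_id=".length));
  } catch {
    return null; // malformed percent-encoding, e.g. a hand-edited log
  }
}

function triage(line) {
  const { fields, error } = parseMasLine(line);
  const path = fields["url.path"] || "";
  const viaCompat = COMPAT_RE.test(path);
  const userId = userIdFrom(fields["url.query"]);
  return {
    method: fields["http.request.method"] || null,
    path, viaCompat, userId, error,
    // user_id on the query string is how an appservice names the user it acts as.
    appserviceLogin: viaCompat && path.endsWith("/login") && userId !== null,
  };
}

const SAMPLE = '2024-10-26T11:07:44.243634Z ERROR http.server.request{' +
  'http.request.method="POST" url.path="/_matrix/client/v3/login" ' +
  'url.query="user_id=%40hookshot%3Aexample.org"}:handlers.compat.login.post: ' +
  'mas_handlers::compat::login: error=unsupported login method';

console.log(triage(SAMPLE));
```

A result with `viaCompat: true` and `error: "unsupported login method"` means the request did reach MAS through the proxy rule, so the rejection comes from the login type sent rather than from routing.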
