Merge branch 'main' of github.com:matrix-org/dendrite into s7evink/csapiprofiletests

.github/workflows/schedules.yaml

@@ -219,7 +219,7 @@ jobs:
           flags: complement
           fail_ci_if_error: true
 
-  element_web:
+  element-web:
     timeout-minutes: 120
     runs-on: ubuntu-latest
     steps:
@@ -257,3 +257,42 @@ jobs:
         env:
           PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: true
           TMPDIR: ${{ runner.temp }}
+
+  element-web-pinecone:
+    timeout-minutes: 120
+    runs-on: ubuntu-latest
+    steps:
+      - uses: tecolicom/actions-use-apt-tools@v1
+        with:
+          # Our test suite includes some screenshot tests with unusual diacritics, which are
+          # supposed to be covered by STIXGeneral.
+          tools: fonts-stix
+      - uses: actions/checkout@v2
+        with:
+          repository: matrix-org/matrix-react-sdk
+      - uses: actions/setup-node@v3
+        with:
+          cache: 'yarn'
+      - name: Fetch layered build
+        run: scripts/ci/layered.sh
+      - name: Copy config
+        run: cp element.io/develop/config.json config.json
+        working-directory: ./element-web
+      - name: Build
+        env:
+          CI_PACKAGE: true
+          NODE_OPTIONS: "--openssl-legacy-provider"
+        run: yarn build
+        working-directory: ./element-web
+      - name: Edit Test Config
+        run: |
+          sed -i '/HOMESERVER/c\        HOMESERVER: "dendritePinecone",' cypress.config.ts
+      - name: "Run cypress tests"
+        uses: cypress-io/github-action@v4.1.1
+        with:
+          browser: chrome
+          start: npx serve -p 8080 ./element-web/webapp
+          wait-on: 'http://localhost:8080'
+        env:
+          PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: true
+          TMPDIR: ${{ runner.temp }}

clientapi/admin_test.go

@@ -8,7 +8,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
 	"github.com/matrix-org/dendrite/federationapi"
 	"github.com/matrix-org/dendrite/internal/caching"
 	"github.com/matrix-org/dendrite/internal/httputil"
@@ -54,10 +53,10 @@ func TestAdminResetPassword(t *testing.T) {
 		AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
 
 		// Create the users in the userapi and login
-		accessTokens := map[*test.User]string{
+		accessTokens := map[*test.User]userDevice{
-			aliceAdmin: "",
+			aliceAdmin: {},
-			bob:        "",
+			bob:        {},
-			vhUser:     "",
+			vhUser:     {},
 		}
 		createAccessTokens(t, accessTokens, userAPI, ctx, routers)
 
@@ -103,7 +102,7 @@ func TestAdminResetPassword(t *testing.T) {
 				}
 
 				if tc.withHeader {
-					req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser])
+					req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser].accessToken)
 				}
 
 				rec := httptest.NewRecorder()
@@ -154,8 +153,8 @@ func TestPurgeRoom(t *testing.T) {
 		AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
 
 		// Create the users in the userapi and login
-		accessTokens := map[*test.User]string{
+		accessTokens := map[*test.User]userDevice{
-			aliceAdmin: "",
+			aliceAdmin: {},
 		}
 		createAccessTokens(t, accessTokens, userAPI, ctx, routers)
 
@@ -174,7 +173,7 @@ func TestPurgeRoom(t *testing.T) {
 			t.Run(tc.name, func(t *testing.T) {
 				req := test.NewRequest(t, http.MethodPost, "/_dendrite/admin/purgeRoom/"+tc.roomID)
 
-				req.Header.Set("Authorization", "Bearer "+accessTokens[aliceAdmin])
+				req.Header.Set("Authorization", "Bearer "+accessTokens[aliceAdmin].accessToken)
 
 				rec := httptest.NewRecorder()
 				routers.DendriteAdmin.ServeHTTP(rec, req)
@@ -224,8 +223,8 @@ func TestAdminEvacuateRoom(t *testing.T) {
 		AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
 
 		// Create the users in the userapi and login
-		accessTokens := map[*test.User]string{
+		accessTokens := map[*test.User]userDevice{
-			aliceAdmin: "",
+			aliceAdmin: {},
 		}
 		createAccessTokens(t, accessTokens, userAPI, ctx, routers)
 
@@ -243,7 +242,7 @@ func TestAdminEvacuateRoom(t *testing.T) {
 			t.Run(tc.name, func(t *testing.T) {
 				req := test.NewRequest(t, http.MethodPost, "/_dendrite/admin/evacuateRoom/"+tc.roomID)
 
-				req.Header.Set("Authorization", "Bearer "+accessTokens[aliceAdmin])
+				req.Header.Set("Authorization", "Bearer "+accessTokens[aliceAdmin].accessToken)
 
 				rec := httptest.NewRecorder()
 				routers.DendriteAdmin.ServeHTTP(rec, req)
@@ -327,8 +326,8 @@ func TestAdminEvacuateUser(t *testing.T) {
 		AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
 
 		// Create the users in the userapi and login
-		accessTokens := map[*test.User]string{
+		accessTokens := map[*test.User]userDevice{
-			aliceAdmin: "",
+			aliceAdmin: {},
 		}
 		createAccessTokens(t, accessTokens, userAPI, ctx, routers)
 
@@ -348,7 +347,7 @@ func TestAdminEvacuateUser(t *testing.T) {
 			t.Run(tc.name, func(t *testing.T) {
 				req := test.NewRequest(t, http.MethodPost, "/_dendrite/admin/evacuateUser/"+tc.userID)
 
-				req.Header.Set("Authorization", "Bearer "+accessTokens[aliceAdmin])
+				req.Header.Set("Authorization", "Bearer "+accessTokens[aliceAdmin].accessToken)
 
 				rec := httptest.NewRecorder()
 				routers.DendriteAdmin.ServeHTTP(rec, req)
@@ -409,8 +408,8 @@ func TestAdminMarkAsStale(t *testing.T) {
 		AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
 
 		// Create the users in the userapi and login
-		accessTokens := map[*test.User]string{
+		accessTokens := map[*test.User]userDevice{
-			aliceAdmin: "",
+			aliceAdmin: {},
 		}
 		createAccessTokens(t, accessTokens, userAPI, ctx, routers)
 
@@ -428,7 +427,7 @@ func TestAdminMarkAsStale(t *testing.T) {
 			t.Run(tc.name, func(t *testing.T) {
 				req := test.NewRequest(t, http.MethodPost, "/_dendrite/admin/refreshDevices/"+tc.userID)
 
-				req.Header.Set("Authorization", "Bearer "+accessTokens[aliceAdmin])
+				req.Header.Set("Authorization", "Bearer "+accessTokens[aliceAdmin].accessToken)
 
 				rec := httptest.NewRecorder()
 				routers.DendriteAdmin.ServeHTTP(rec, req)
@@ -440,35 +439,3 @@ func TestAdminMarkAsStale(t *testing.T) {
 		}
 	})
 }
-
-func createAccessTokens(t *testing.T, accessTokens map[*test.User]string, userAPI uapi.UserInternalAPI, ctx context.Context, routers httputil.Routers) {
-	t.Helper()
-	for u := range accessTokens {
-		localpart, serverName, _ := gomatrixserverlib.SplitID('@', u.ID)
-		userRes := &uapi.PerformAccountCreationResponse{}
-		password := util.RandomString(8)
-		if err := userAPI.PerformAccountCreation(ctx, &uapi.PerformAccountCreationRequest{
-			AccountType: u.AccountType,
-			Localpart:   localpart,
-			ServerName:  serverName,
-			Password:    password,
-		}, userRes); err != nil {
-			t.Errorf("failed to create account: %s", err)
-		}
-
-		req := test.NewRequest(t, http.MethodPost, "/_matrix/client/v3/login", test.WithJSONBody(t, map[string]interface{}{
-			"type": authtypes.LoginTypePassword,
-			"identifier": map[string]interface{}{
-				"type": "m.id.user",
-				"user": u.ID,
-			},
-			"password": password,
-		}))
-		rec := httptest.NewRecorder()
-		routers.Client.ServeHTTP(rec, req)
-		if rec.Code != http.StatusOK {
-			t.Fatalf("failed to login: %s", rec.Body.String())
-		}
-		accessTokens[u] = gjson.GetBytes(rec.Body.Bytes(), "access_token").String()
-	}
-}

clientapi/clientapi_test.go

@@ -1,247 +1,373 @@
 package clientapi
 
 import (
-	"fmt"
+	"bytes"
-	"io"
+	"context"
+	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
 
-	"github.com/matrix-org/dendrite/appservice"
+	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
 	"github.com/matrix-org/dendrite/internal/caching"
 	"github.com/matrix-org/dendrite/internal/httputil"
 	"github.com/matrix-org/dendrite/internal/sqlutil"
 	"github.com/matrix-org/dendrite/roomserver"
-	"github.com/matrix-org/dendrite/setup/base"
 	"github.com/matrix-org/dendrite/setup/jetstream"
 	"github.com/matrix-org/dendrite/test"
 	"github.com/matrix-org/dendrite/test/testrig"
 	"github.com/matrix-org/dendrite/userapi"
+	uapi "github.com/matrix-org/dendrite/userapi/api"
+	"github.com/matrix-org/gomatrixserverlib"
+	"github.com/matrix-org/util"
 	"github.com/tidwall/gjson"
 )
 
-func TestSetDisplayname(t *testing.T) {
+type userDevice struct {
+	accessToken string
+	deviceID    string
+	password    string
+}
+
+func TestGetPutDevices(t *testing.T) {
 	alice := test.NewUser(t)
 	bob := test.NewUser(t)
-	notLocalUser := &test.User{ID: "@charlie:localhost", Localpart: "charlie"}
-	changeDisplayName := "my new display name"
-
-	testCases := []struct {
-		name            string
-		user            *test.User
-		wantOK          bool
-		changeReq       io.Reader
-		wantDisplayName string
-	}{
-		{
-			name: "invalid user",
-			user: &test.User{ID: "!notauser"},
-		},
-		{
-			name: "non-existent user",
-			user: &test.User{ID: "@doesnotexist:test"},
-		},
-		{
-			name: "non-local user is not allowed",
-			user: notLocalUser,
-		},
-		{
-			name:            "existing user is allowed to change own name",
-			user:            alice,
-			wantOK:          true,
-			wantDisplayName: changeDisplayName,
-		},
-		{
-			name:            "existing user is not allowed to change own name if name is empty",
-			user:            bob,
-			wantOK:          false,
-			wantDisplayName: "",
-		},
-	}
 
 	test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
-		cfg, processCtx, closeDB := testrig.CreateConfig(t, dbType)
+		testCases := []struct {
-		defer closeDB()
+			name           string
-		caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+			requestUser    *test.User
-		routers := httputil.NewRouters()
+			deviceUser     *test.User
-		cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
+			request        *http.Request
-		natsInstance := &jetstream.NATSInstance{}
+			wantStatusCode int
-
+			validateFunc   func(t *testing.T, device userDevice, routers httputil.Routers)
-		rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, natsInstance, caches, caching.DisableMetrics)
+		}{
-		rsAPI.SetFederationAPI(nil, nil)
+			{
-		userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, natsInstance, rsAPI, nil)
+				name:           "can get all devices",
-		asPI := appservice.NewInternalAPI(processCtx, cfg, natsInstance, userAPI, rsAPI)
+				requestUser:    alice,
-
+				request:        httptest.NewRequest(http.MethodGet, "/_matrix/client/v3/devices", strings.NewReader("")),
-		AddPublicRoutes(processCtx, routers, cfg, natsInstance, base.CreateFederationClient(cfg, nil), rsAPI, asPI, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
+				wantStatusCode: http.StatusOK,
-
+			},
-		accessTokens := map[*test.User]string{
+			{
-			alice: "",
+				name:           "can get specific own device",
-			bob:   "",
+				requestUser:    alice,
+				deviceUser:     alice,
+				request:        httptest.NewRequest(http.MethodGet, "/_matrix/client/v3/devices/", strings.NewReader("")),
+				wantStatusCode: http.StatusOK,
+			},
+			{
+				name:           "can not get device for different user",
+				requestUser:    alice,
+				deviceUser:     bob,
+				request:        httptest.NewRequest(http.MethodGet, "/_matrix/client/v3/devices/", strings.NewReader("")),
+				wantStatusCode: http.StatusNotFound,
+			},
+			{
+				name:           "can update own device",
+				requestUser:    alice,
+				deviceUser:     alice,
+				request:        httptest.NewRequest(http.MethodPut, "/_matrix/client/v3/devices/", strings.NewReader(`{"display_name":"my new displayname"}`)),
+				wantStatusCode: http.StatusOK,
+				validateFunc: func(t *testing.T, device userDevice, routers httputil.Routers) {
+					req := httptest.NewRequest(http.MethodGet, "/_matrix/client/v3/devices/"+device.deviceID, strings.NewReader(""))
+					req.Header.Set("Authorization", "Bearer "+device.accessToken)
+					rec := httptest.NewRecorder()
+					routers.Client.ServeHTTP(rec, req)
+					if rec.Code != http.StatusOK {
+						t.Fatalf("expected HTTP 200, got %d: %s", rec.Code, rec.Body.String())
+					}
+					gotDisplayName := gjson.GetBytes(rec.Body.Bytes(), "display_name").Str
+					if gotDisplayName != "my new displayname" {
+						t.Fatalf("expected displayname '%s', got '%s'", "my new displayname", gotDisplayName)
+					}
+				},
+			},
+			{
+				// this should return "device does not exist"
+				name:           "can not update device for different user",
+				requestUser:    alice,
+				deviceUser:     bob,
+				request:        httptest.NewRequest(http.MethodPut, "/_matrix/client/v3/devices/", strings.NewReader(`{"display_name":"my new displayname"}`)),
+				wantStatusCode: http.StatusNotFound,
+			},
 		}
 
+		cfg, processCtx, close := testrig.CreateConfig(t, dbType)
+		caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+		natsInstance := jetstream.NATSInstance{}
+		defer close()
+
+		routers := httputil.NewRouters()
+		cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
+		rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
+		userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
+
+		// We mostly need the rsAPI for this test, so nil for other APIs/caches etc.
+		AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
+
+		accessTokens := map[*test.User]userDevice{
+			alice: {},
+			bob:   {},
+		}
 		createAccessTokens(t, accessTokens, userAPI, processCtx.Context(), routers)
 
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
-				wantDisplayName := tc.user.Localpart
+				dev := accessTokens[tc.requestUser]
-				if tc.changeReq == nil {
+				if tc.deviceUser != nil {
-					tc.changeReq = strings.NewReader("")
+					tc.request = httptest.NewRequest(tc.request.Method, tc.request.RequestURI+accessTokens[tc.deviceUser].deviceID, tc.request.Body)
 				}
-
+				tc.request.Header.Set("Authorization", "Bearer "+dev.accessToken)
-				// check profile after initial account creation
 				rec := httptest.NewRecorder()
-				req := httptest.NewRequest(http.MethodGet, "/_matrix/client/v3/profile/"+tc.user.ID, strings.NewReader(""))
+				routers.Client.ServeHTTP(rec, tc.request)
-				t.Logf("%s", req.URL.String())
+				if rec.Code != tc.wantStatusCode {
-				routers.Client.ServeHTTP(rec, req)
-
-				if tc.wantOK && rec.Code != http.StatusOK {
-					t.Fatalf("expected HTTP 200, got %d", rec.Code)
-				}
-
-				if gotDisplayName := gjson.GetBytes(rec.Body.Bytes(), "displayname").Str; tc.wantOK && gotDisplayName != wantDisplayName {
-					t.Fatalf("expected displayname to be '%s', but got '%s'", wantDisplayName, gotDisplayName)
-				}
-
-				// now set the new display name
-				wantDisplayName = tc.wantDisplayName
-				tc.changeReq = strings.NewReader(fmt.Sprintf(`{"displayname":"%s"}`, tc.wantDisplayName))
-
-				rec = httptest.NewRecorder()
-				req = httptest.NewRequest(http.MethodPut, "/_matrix/client/v3/profile/"+tc.user.ID+"/displayname", tc.changeReq)
-				req.Header.Set("Authorization", "Bearer "+accessTokens[tc.user])
-
-				routers.Client.ServeHTTP(rec, req)
-				if tc.wantOK && rec.Code != http.StatusOK {
 					t.Fatalf("expected HTTP 200, got %d: %s", rec.Code, rec.Body.String())
 				}
-
+				if tc.wantStatusCode != http.StatusOK && rec.Code != http.StatusOK {
-				// now only get the display name
+					return
-				rec = httptest.NewRecorder()
-				req = httptest.NewRequest(http.MethodGet, "/_matrix/client/v3/profile/"+tc.user.ID+"/displayname", strings.NewReader(""))
-
-				routers.Client.ServeHTTP(rec, req)
-				if tc.wantOK && rec.Code != http.StatusOK {
-					t.Fatalf("expected HTTP 200, got %d: %s", rec.Code, rec.Body.String())
 				}
-
+				if tc.validateFunc != nil {
-				if gotDisplayName := gjson.GetBytes(rec.Body.Bytes(), "displayname").Str; tc.wantOK && gotDisplayName != wantDisplayName {
+					tc.validateFunc(t, dev, routers)
-					t.Fatalf("expected displayname to be '%s', but got '%s'", wantDisplayName, gotDisplayName)
 				}
 			})
 		}
 	})
 }
 
-func TestSetAvatarURL(t *testing.T) {
+// Deleting devices requires the UIA dance, so do this in a different test
+func TestDeleteDevice(t *testing.T) {
 	alice := test.NewUser(t)
-	bob := test.NewUser(t)
+	localpart, serverName, _ := gomatrixserverlib.SplitID('@', alice.ID)
-	notLocalUser := &test.User{ID: "@charlie:localhost", Localpart: "charlie"}
-	changeDisplayName := "mxc://newMXID"
-
-	testCases := []struct {
-		name       string
-		user       *test.User
-		wantOK     bool
-		changeReq  io.Reader
-		avatar_url string
-	}{
-		{
-			name: "invalid user",
-			user: &test.User{ID: "!notauser"},
-		},
-		{
-			name: "non-existent user",
-			user: &test.User{ID: "@doesnotexist:test"},
-		},
-		{
-			name: "non-local user is not allowed",
-			user: notLocalUser,
-		},
-		{
-			name:       "existing user is allowed to change own avatar",
-			user:       alice,
-			wantOK:     true,
-			avatar_url: changeDisplayName,
-		},
-		{
-			name:       "existing user is not allowed to change own avatar if avatar is empty",
-			user:       bob,
-			wantOK:     false,
-			avatar_url: "",
-		},
-	}
 
 	test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
 		cfg, processCtx, closeDB := testrig.CreateConfig(t, dbType)
 		defer closeDB()
-		caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+
+		natsInstance := jetstream.NATSInstance{}
 		routers := httputil.NewRouters()
 		cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
-		natsInstance := &jetstream.NATSInstance{}
+		caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+		rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
+		userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
 
-		rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, natsInstance, caches, caching.DisableMetrics)
+		// We mostly need the rsAPI/ for this test, so nil for other APIs/caches etc.
-		rsAPI.SetFederationAPI(nil, nil)
+		AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
-		userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, natsInstance, rsAPI, nil)
-		asPI := appservice.NewInternalAPI(processCtx, cfg, natsInstance, userAPI, rsAPI)
 
-		AddPublicRoutes(processCtx, routers, cfg, natsInstance, base.CreateFederationClient(cfg, nil), rsAPI, asPI, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
+		accessTokens := map[*test.User]userDevice{
-
+			alice: {},
-		accessTokens := map[*test.User]string{
-			alice: "",
-			bob:   "{}",
 		}
 
+		// create the account and an initial device
 		createAccessTokens(t, accessTokens, userAPI, processCtx.Context(), routers)
 
-		for _, tc := range testCases {
+		// create some more devices
-			t.Run(tc.name, func(t *testing.T) {
+		accessToken := util.RandomString(8)
-				wantAvatarURL := ""
+		devRes := &uapi.PerformDeviceCreationResponse{}
-				if tc.changeReq == nil {
+		if err := userAPI.PerformDeviceCreation(processCtx.Context(), &uapi.PerformDeviceCreationRequest{
-					tc.changeReq = strings.NewReader("")
+			Localpart:          localpart,
-				}
+			ServerName:         serverName,
+			AccessToken:        accessToken,
+			NoDeviceListUpdate: true,
+		}, devRes); err != nil {
+			t.Fatal(err)
+		}
+		if !devRes.DeviceCreated {
+			t.Fatalf("failed to create device")
+		}
+		secondDeviceID := devRes.Device.ID
 
-				// check profile after initial account creation
+		// initiate UIA for the second device
-				rec := httptest.NewRecorder()
+		rec := httptest.NewRecorder()
-				req := httptest.NewRequest(http.MethodGet, "/_matrix/client/v3/profile/"+tc.user.ID, strings.NewReader(""))
+		req := httptest.NewRequest(http.MethodDelete, "/_matrix/client/v3/devices/"+secondDeviceID, strings.NewReader(""))
-				t.Logf("%s", req.URL.String())
+		req.Header.Set("Authorization", "Bearer "+accessTokens[alice].accessToken)
-				routers.Client.ServeHTTP(rec, req)
+		routers.Client.ServeHTTP(rec, req)
+		if rec.Code != http.StatusUnauthorized {
+			t.Fatalf("expected HTTP 401, got %d: %s", rec.Code, rec.Body.String())
+		}
+		// get the session ID
+		sessionID := gjson.GetBytes(rec.Body.Bytes(), "session").Str
 
-				if tc.wantOK && rec.Code != http.StatusOK {
+		// prepare UIA request body
-					t.Fatalf("expected HTTP 200, got %d", rec.Code)
+		reqBody := bytes.Buffer{}
-				}
+		if err := json.NewEncoder(&reqBody).Encode(map[string]interface{}{
+			"auth": map[string]string{
+				"session":  sessionID,
+				"type":     authtypes.LoginTypePassword,
+				"user":     alice.ID,
+				"password": accessTokens[alice].password,
+			},
+		}); err != nil {
+			t.Fatal(err)
+		}
 
-				if gotDisplayName := gjson.GetBytes(rec.Body.Bytes(), "avatar_url").Str; tc.wantOK && gotDisplayName != wantAvatarURL {
+		// copy the request body, so we can use it again for the successful delete
-					t.Fatalf("expected displayname to be '%s', but got '%s'", wantAvatarURL, gotDisplayName)
+		reqBody2 := reqBody
-				}
 
-				// now set the new display name
+		// do the same request again, this time with our UIA, but for a different device ID, this should fail
-				wantAvatarURL = tc.avatar_url
+		rec = httptest.NewRecorder()
-				tc.changeReq = strings.NewReader(fmt.Sprintf(`{"avatar_url":"%s"}`, tc.avatar_url))
 
-				rec = httptest.NewRecorder()
+		req = httptest.NewRequest(http.MethodDelete, "/_matrix/client/v3/devices/"+accessTokens[alice].deviceID, &reqBody)
-				req = httptest.NewRequest(http.MethodPut, "/_matrix/client/v3/profile/"+tc.user.ID+"/avatar_url", tc.changeReq)
+		req.Header.Set("Authorization", "Bearer "+accessTokens[alice].accessToken)
-				req.Header.Set("Authorization", "Bearer "+accessTokens[tc.user])
+		routers.Client.ServeHTTP(rec, req)
+		if rec.Code != http.StatusForbidden {
+			t.Fatalf("expected HTTP 403, got %d: %s", rec.Code, rec.Body.String())
+		}
 
-				routers.Client.ServeHTTP(rec, req)
+		// do the same request again, this time with our UIA, but for the correct device ID, this should be fine
-				if tc.wantOK && rec.Code != http.StatusOK {
+		rec = httptest.NewRecorder()
-					t.Fatalf("expected HTTP 200, got %d: %s", rec.Code, rec.Body.String())
+		req = httptest.NewRequest(http.MethodDelete, "/_matrix/client/v3/devices/"+secondDeviceID, &reqBody2)
-				}
+		req.Header.Set("Authorization", "Bearer "+accessTokens[alice].accessToken)
+		routers.Client.ServeHTTP(rec, req)
+		if rec.Code != http.StatusOK {
+			t.Fatalf("expected HTTP 200, got %d: %s", rec.Code, rec.Body.String())
+		}
 
-				// now only get the display name
+		// verify devices are deleted
-				rec = httptest.NewRecorder()
+		rec = httptest.NewRecorder()
-				req = httptest.NewRequest(http.MethodGet, "/_matrix/client/v3/profile/"+tc.user.ID+"/avatar_url", strings.NewReader(""))
+		req = httptest.NewRequest(http.MethodGet, "/_matrix/client/v3/devices", strings.NewReader(""))
-
+		req.Header.Set("Authorization", "Bearer "+accessTokens[alice].accessToken)
-				routers.Client.ServeHTTP(rec, req)
+		routers.Client.ServeHTTP(rec, req)
-				if tc.wantOK && rec.Code != http.StatusOK {
+		if rec.Code != http.StatusOK {
-					t.Fatalf("expected HTTP 200, got %d: %s", rec.Code, rec.Body.String())
+			t.Fatalf("expected HTTP 200, got %d: %s", rec.Code, rec.Body.String())
-				}
+		}
-
+		for _, device := range gjson.GetBytes(rec.Body.Bytes(), "devices.#.device_id").Array() {
-				if gotDisplayName := gjson.GetBytes(rec.Body.Bytes(), "avatar_url").Str; tc.wantOK && gotDisplayName != wantAvatarURL {
+			if device.Str == secondDeviceID {
-					t.Fatalf("expected displayname to be '%s', but got '%s'", wantAvatarURL, gotDisplayName)
+				t.Fatalf("expected device %s to be deleted, but wasn't", secondDeviceID)
-				}
+			}
-			})
 		}
 	})
 }
+
+// Deleting devices requires the UIA dance, so do this in a different test
+func TestDeleteDevices(t *testing.T) {
+	alice := test.NewUser(t)
+	localpart, serverName, _ := gomatrixserverlib.SplitID('@', alice.ID)
+
+	test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
+		cfg, processCtx, closeDB := testrig.CreateConfig(t, dbType)
+		defer closeDB()
+
+		natsInstance := jetstream.NATSInstance{}
+		routers := httputil.NewRouters()
+		cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
+		caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+		rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
+		userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil)
+
+		// We mostly need the rsAPI/ for this test, so nil for other APIs/caches etc.
+		AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, caching.DisableMetrics)
+
+		accessTokens := map[*test.User]userDevice{
+			alice: {},
+		}
+
+		// create the account and an initial device
+		createAccessTokens(t, accessTokens, userAPI, processCtx.Context(), routers)
+
+		// create some more devices
+		var devices []string
+		for i := 0; i < 10; i++ {
+			accessToken := util.RandomString(8)
+			devRes := &uapi.PerformDeviceCreationResponse{}
+			if err := userAPI.PerformDeviceCreation(processCtx.Context(), &uapi.PerformDeviceCreationRequest{
+				Localpart:          localpart,
+				ServerName:         serverName,
+				AccessToken:        accessToken,
+				NoDeviceListUpdate: true,
+			}, devRes); err != nil {
+				t.Fatal(err)
+			}
+			if !devRes.DeviceCreated {
+				t.Fatalf("failed to create device")
+			}
+			devices = append(devices, devRes.Device.ID)
+		}
+
+		// initiate UIA
+		rec := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodPost, "/_matrix/client/v3/delete_devices", strings.NewReader(""))
+		req.Header.Set("Authorization", "Bearer "+accessTokens[alice].accessToken)
+		routers.Client.ServeHTTP(rec, req)
+		if rec.Code != http.StatusUnauthorized {
+			t.Fatalf("expected HTTP 401, got %d: %s", rec.Code, rec.Body.String())
+		}
+		// get the session ID
+		sessionID := gjson.GetBytes(rec.Body.Bytes(), "session").Str
+
+		// prepare UIA request body
+		reqBody := bytes.Buffer{}
+		if err := json.NewEncoder(&reqBody).Encode(map[string]interface{}{
+			"auth": map[string]string{
+				"session":  sessionID,
+				"type":     authtypes.LoginTypePassword,
+				"user":     alice.ID,
+				"password": accessTokens[alice].password,
+			},
+			"devices": devices[5:],
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		// do the same request again, this time with our UIA,
+		rec = httptest.NewRecorder()
+		req = httptest.NewRequest(http.MethodPost, "/_matrix/client/v3/delete_devices", &reqBody)
+		req.Header.Set("Authorization", "Bearer "+accessTokens[alice].accessToken)
+		routers.Client.ServeHTTP(rec, req)
+		if rec.Code != http.StatusOK {
+			t.Fatalf("expected HTTP 200, got %d: %s", rec.Code, rec.Body.String())
+		}
+
+		// verify devices are deleted
+		rec = httptest.NewRecorder()
+		req = httptest.NewRequest(http.MethodGet, "/_matrix/client/v3/devices", strings.NewReader(""))
+		req.Header.Set("Authorization", "Bearer "+accessTokens[alice].accessToken)
+		routers.Client.ServeHTTP(rec, req)
+		if rec.Code != http.StatusOK {
+			t.Fatalf("expected HTTP 200, got %d: %s", rec.Code, rec.Body.String())
+		}
+		for _, device := range gjson.GetBytes(rec.Body.Bytes(), "devices.#.device_id").Array() {
+			for _, deletedDevice := range devices[5:] {
+				if device.Str == deletedDevice {
+					t.Fatalf("expected device %s to be deleted, but wasn't", deletedDevice)
+				}
+			}
+		}
+	})
+}
+
+func createAccessTokens(t *testing.T, accessTokens map[*test.User]userDevice, userAPI uapi.UserInternalAPI, ctx context.Context, routers httputil.Routers) {
+	t.Helper()
+	for u := range accessTokens {
+		localpart, serverName, _ := gomatrixserverlib.SplitID('@', u.ID)
+		userRes := &uapi.PerformAccountCreationResponse{}
+		password := util.RandomString(8)
+		if err := userAPI.PerformAccountCreation(ctx, &uapi.PerformAccountCreationRequest{
+			AccountType: u.AccountType,
+			Localpart:   localpart,
+			ServerName:  serverName,
+			Password:    password,
+		}, userRes); err != nil {
+			t.Errorf("failed to create account: %s", err)
+		}
+		req := test.NewRequest(t, http.MethodPost, "/_matrix/client/v3/login", test.WithJSONBody(t, map[string]interface{}{
+			"type": authtypes.LoginTypePassword,
+			"identifier": map[string]interface{}{
+				"type": "m.id.user",
+				"user": u.ID,
+			},
+			"password": password,
+		}))
+		rec := httptest.NewRecorder()
+		routers.Client.ServeHTTP(rec, req)
+		if rec.Code != http.StatusOK {
+			t.Fatalf("failed to login: %s", rec.Body.String())
+		}
+		accessTokens[u] = userDevice{
+			accessToken: gjson.GetBytes(rec.Body.Bytes(), "access_token").String(),
+			deviceID:    gjson.GetBytes(rec.Body.Bytes(), "device_id").String(),
+			password:    password,
+		}
+	}
+}

clientapi/routing/deactivate.go

@@ -33,7 +33,7 @@ func Deactivate(
 		return *errRes
 	}
 
-	localpart, _, err := gomatrixserverlib.SplitID('@', login.Username())
+	localpart, serverName, err := gomatrixserverlib.SplitID('@', login.Username())
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("gomatrixserverlib.SplitID failed")
 		return jsonerror.InternalServerError()
@@ -41,7 +41,8 @@ func Deactivate(
 
 	var res api.PerformAccountDeactivationResponse
 	err = accountAPI.PerformAccountDeactivation(ctx, &api.PerformAccountDeactivationRequest{
-		Localpart: localpart,
+		Localpart:  localpart,
+		ServerName: serverName,
 	}, &res)
 	if err != nil {
 		util.GetLogger(ctx).WithError(err).Error("userAPI.PerformAccountDeactivation failed")

clientapi/routing/device.go

@@ -15,6 +15,7 @@
 package routing
 
 import (
+	"encoding/json"
 	"io"
 	"net"
 	"net/http"
@@ -146,12 +147,6 @@ func UpdateDeviceByID(
 			JSON: jsonerror.Forbidden("device does not exist"),
 		}
 	}
-	if performRes.Forbidden {
-		return util.JSONResponse{
-			Code: http.StatusForbidden,
-			JSON: jsonerror.Forbidden("device not owned by current user"),
-		}
-	}
 
 	return util.JSONResponse{
 		Code: http.StatusOK,
@@ -189,7 +184,7 @@ func DeleteDeviceById(
 		if dev != deviceID {
 			return util.JSONResponse{
 				Code: http.StatusForbidden,
-				JSON: jsonerror.Forbidden("session & device mismatch"),
+				JSON: jsonerror.Forbidden("session and device mismatch"),
 			}
 		}
 	}
@@ -242,16 +237,37 @@ func DeleteDeviceById(
 
 // DeleteDevices handles POST requests to /delete_devices
 func DeleteDevices(
-	req *http.Request, userAPI api.ClientUserAPI, device *api.Device,
+	req *http.Request, userInteractiveAuth *auth.UserInteractive, userAPI api.ClientUserAPI, device *api.Device,
 ) util.JSONResponse {
 	ctx := req.Context()
-	payload := devicesDeleteJSON{}
 
-	if resErr := httputil.UnmarshalJSONRequest(req, &payload); resErr != nil {
+	bodyBytes, err := io.ReadAll(req.Body)
-		return *resErr
+	if err != nil {
+		return util.JSONResponse{
+			Code: http.StatusBadRequest,
+			JSON: jsonerror.BadJSON("The request body could not be read: " + err.Error()),
+		}
+	}
+	defer req.Body.Close() // nolint:errcheck
+
+	// initiate UIA
+	login, errRes := userInteractiveAuth.Verify(ctx, bodyBytes, device)
+	if errRes != nil {
+		return *errRes
 	}
 
-	defer req.Body.Close() // nolint: errcheck
+	if login.Username() != device.UserID {
+		return util.JSONResponse{
+			Code: http.StatusForbidden,
+			JSON: jsonerror.Forbidden("unable to delete devices for other user"),
+		}
+	}
+
+	payload := devicesDeleteJSON{}
+	if err = json.Unmarshal(bodyBytes, &payload); err != nil {
+		util.GetLogger(ctx).WithError(err).Error("unable to unmarshal device deletion request")
+		return jsonerror.InternalServerError()
+	}
 
 	var res api.PerformDeviceDeletionResponse
 	if err := userAPI.PerformDeviceDeletion(ctx, &api.PerformDeviceDeletionRequest{

clientapi/routing/routing.go

@@ -1115,7 +1115,7 @@ func Setup(
 
 	v3mux.Handle("/delete_devices",
 		httputil.MakeAuthAPI("delete_devices", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
-			return DeleteDevices(req, userAPI, device)
+			return DeleteDevices(req, userInteractiveAuth, userAPI, device)
 		}),
 	).Methods(http.MethodPost, http.MethodOptions)
 

cmd/dendrite-demo-pinecone/monolith/monolith.go

@@ -213,7 +213,7 @@ func (p *P2PMonolith) Stop() {
 }
 
 func (p *P2PMonolith) WaitForShutdown() {
-	p.ProcessCtx.WaitForShutdown()
+	base.WaitForShutdown(p.ProcessCtx)
 	p.closeAllResources()
 }
 

helm/dendrite/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: dendrite
-version: "0.12.0"
+version: "0.12.1"
 appVersion: "0.12.0"
 description: Dendrite Matrix Homeserver
 type: application

helm/dendrite/templates/_helpers.tpl

@@ -1,15 +1,9 @@
 {{- define "validate.config" }}
-{{- if not .Values.signing_key.create -}}
+{{- if and (not .Values.signing_key.create) (eq .Values.signing_key.existingSecret "") -}}
-{{-  fail "You must create a signing key for configuration.signing_key. (see https://github.com/matrix-org/dendrite/blob/master/docs/INSTALL.md#server-key-generation)" -}}
+{{-  fail "You must create a signing key for configuration.signing_key OR specify an existing secret name in .Values.signing_key.existingSecret to mount it. (see https://github.com/matrix-org/dendrite/blob/master/docs/INSTALL.md#server-key-generation)" -}}
 {{- end -}}
-{{- if not (or .Values.dendrite_config.global.database.host .Values.postgresql.enabled) -}}
+{{- if and (not .Values.postgresql.enabled) (eq .Values.dendrite_config.global.database.connection_string "") -}}
-{{-  fail "Database server must be set." -}}
+{{-  fail "Database connection string must be set." -}}
-{{- end -}}
-{{- if not (or .Values.dendrite_config.global.database.user .Values.postgresql.enabled) -}}
-{{-  fail "Database user must be set." -}}
-{{- end -}}
-{{- if not (or .Values.dendrite_config.global.database.password .Values.postgresql.enabled) -}}
-{{-  fail "Database password must be set." -}}
 {{- end -}}
 {{- end -}}
 

helm/dendrite/templates/deployment.yaml

@@ -17,11 +17,7 @@ spec:
       labels:
         {{- include "dendrite.selectorLabels" . | nindent 8 }}
       annotations:
-        confighash-global: secret-{{ .Values.global | toYaml | sha256sum | trunc 32 }}
+        confighash: secret-{{ .Values.dendrite_config | toYaml | sha256sum | trunc 32 }}
-        confighash-clientapi: clientapi-{{ .Values.clientapi | toYaml | sha256sum | trunc 32 }}
-        confighash-federationapi: federationapi-{{ .Values.federationapi | toYaml | sha256sum | trunc 32 }}
-        confighash-mediaapi: mediaapi-{{ .Values.mediaapi | toYaml | sha256sum | trunc 32 }}
-        confighash-syncapi: syncapi-{{ .Values.syncapi | toYaml | sha256sum | trunc 32 }}
     spec:
       volumes:
       - name: {{ include "dendrite.fullname" . }}-conf-vol
@@ -57,7 +53,7 @@ spec:
         {{- if $.Values.dendrite_config.global.profiling.enabled }}
         env:
           - name: PPROFLISTEN
-            value: "localhost:{{- $.Values.global.profiling.port -}}"
+            value: "localhost:{{- $.Values.dendrite_config.global.profiling.port -}}"
         {{- end }}
         resources:
         {{- toYaml $.Values.resources | nindent 10 }}

userapi/api/api.go

@@ -228,7 +228,6 @@ type PerformDeviceUpdateRequest struct {
 }
 type PerformDeviceUpdateResponse struct {
 	DeviceExists bool
-	Forbidden    bool
 }
 
 type PerformDeviceDeletionRequest struct {

userapi/internal/user_api.go

@@ -388,11 +388,6 @@ func (a *UserInternalAPI) PerformDeviceUpdate(ctx context.Context, req *api.Perf
 	}
 	res.DeviceExists = true
 
-	if dev.UserID != req.RequestingUserID {
-		res.Forbidden = true
-		return nil
-	}
-
 	err = a.DB.UpdateDevice(ctx, localpart, domain, req.DeviceID, req.DisplayName)
 	if err != nil {
 		util.GetLogger(ctx).WithError(err).Error("deviceDB.UpdateDevice failed")