From 32eda925c0562b2fbd82f904086a88bf0bc36654 Mon Sep 17 00:00:00 2001
From: Neil Alexander
Date: Thu, 28 Apr 2022 16:58:29 +0100
Subject: [PATCH] Shuffle things around a bit
---
 build/gobind-pinecone/monolith.go | 2 ++
 build/gobind-yggdrasil/monolith.go | 2 ++
 cmd/dendrite-demo-pinecone/main.go | 2 ++
 cmd/dendrite-demo-yggdrasil/main.go | 2 ++
 cmd/dendritejs-pinecone/main.go | 2 ++
 cmd/generate-config/main.go | 1 +
 setup/config/config_clientapi.go | 22 +++++++++++-----------
 setup/flags.go | 4 ++--
 8 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/build/gobind-pinecone/monolith.go b/build/gobind-pinecone/monolith.go
index 9cc94d650..d92ee9008 100644
--- a/build/gobind-pinecone/monolith.go
+++ b/build/gobind-pinecone/monolith.go
@@ -259,6 +259,8 @@ func (m *DendriteMonolith) Start() {
 cfg.MediaAPI.BasePath = config.Path(fmt.Sprintf("%s/media", m.CacheDirectory))
 cfg.MediaAPI.AbsBasePath = config.Path(fmt.Sprintf("%s/media", m.CacheDirectory))
 cfg.MSCs.MSCs = []string{"msc2836", "msc2946"}
+ cfg.ClientAPI.RegistrationDisabled = false
+ cfg.ClientAPI.OpenRegistrationWithoutVerificationEnabled = true
 if err := cfg.Derive(); err != nil {
 panic(err)
 }
diff --git a/build/gobind-yggdrasil/monolith.go b/build/gobind-yggdrasil/monolith.go
index 87dcad2e8..6ab677d1d 100644
--- a/build/gobind-yggdrasil/monolith.go
+++ b/build/gobind-yggdrasil/monolith.go
@@ -97,6 +97,8 @@ func (m *DendriteMonolith) Start() {
 cfg.AppServiceAPI.Database.ConnectionString = config.DataSource(fmt.Sprintf("file:%s/dendrite-p2p-appservice.db", m.StorageDirectory))
 cfg.MediaAPI.BasePath = config.Path(fmt.Sprintf("%s/tmp", m.StorageDirectory))
 cfg.MediaAPI.AbsBasePath = config.Path(fmt.Sprintf("%s/tmp", m.StorageDirectory))
+ cfg.ClientAPI.RegistrationDisabled = false
+ cfg.ClientAPI.OpenRegistrationWithoutVerificationEnabled = true
 if err = cfg.Derive(); err != nil {
 panic(err)
 }
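Review bot: The two added assignments in `build/gobind-pinecone/monolith.go` hard-code open registration with no verification and carry no comment explaining why that is acceptable here; the same pair is repeated in `build/gobind-yggdrasil/monolith.go`, `cmd/dendrite-demo-pinecone/main.go`, `cmd/dendrite-demo-yggdrasil/main.go` and `cmd/dendritejs-pinecone/main.go`. Setting `OpenRegistrationWithoutVerificationEnabled = true` in code skips the check in `ClientAPI.Verify` without the operator ever passing `-really-enable-open-registration`, so anyone who can reach one of these builds can presumably create accounts on it. If that is intended for P2P demo nodes, say so above the lines, e.g. `// P2P demo build: open registration is deliberate; do not copy into a server deployment.` Each enclosing function starts and ends outside its hunk.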
diff --git a/cmd/dendrite-demo-pinecone/main.go b/cmd/dendrite-demo-pinecone/main.go
index dd1ab3697..767afd000 100644
--- a/cmd/dendrite-demo-pinecone/main.go
+++ b/cmd/dendrite-demo-pinecone/main.go
@@ -140,6 +140,8 @@ func main() {
 cfg.FederationAPI.Database.ConnectionString = config.DataSource(fmt.Sprintf("file:%s-federationapi.db", *instanceName))
 cfg.AppServiceAPI.Database.ConnectionString = config.DataSource(fmt.Sprintf("file:%s-appservice.db", *instanceName))
 cfg.MSCs.MSCs = []string{"msc2836", "msc2946"}
+ cfg.ClientAPI.RegistrationDisabled = false
+ cfg.ClientAPI.OpenRegistrationWithoutVerificationEnabled = true
 if err := cfg.Derive(); err != nil {
 panic(err)
 }
diff --git a/cmd/dendrite-demo-yggdrasil/main.go b/cmd/dendrite-demo-yggdrasil/main.go
index b840eb2b8..d8c3ba86f 100644
--- a/cmd/dendrite-demo-yggdrasil/main.go
+++ b/cmd/dendrite-demo-yggdrasil/main.go
@@ -89,6 +89,8 @@ func main() {
 cfg.AppServiceAPI.Database.ConnectionString = config.DataSource(fmt.Sprintf("file:%s-appservice.db", *instanceName))
 cfg.MSCs.MSCs = []string{"msc2836"}
 cfg.MSCs.Database.ConnectionString = config.DataSource(fmt.Sprintf("file:%s-mscs.db", *instanceName))
+ cfg.ClientAPI.RegistrationDisabled = false
+ cfg.ClientAPI.OpenRegistrationWithoutVerificationEnabled = true
 if err = cfg.Derive(); err != nil {
 panic(err)
 }
diff --git a/cmd/dendritejs-pinecone/main.go b/cmd/dendritejs-pinecone/main.go
index 211b3e131..8f2461cc3 100644
--- a/cmd/dendritejs-pinecone/main.go
+++ b/cmd/dendritejs-pinecone/main.go
@@ -171,6 +171,8 @@ func startup() {
 cfg.Global.KeyID = gomatrixserverlib.KeyID(signing.KeyID)
 cfg.Global.PrivateKey = sk
 cfg.Global.ServerName = gomatrixserverlib.ServerName(hex.EncodeToString(pk))
+ cfg.ClientAPI.RegistrationDisabled = false
+ cfg.ClientAPI.OpenRegistrationWithoutVerificationEnabled = true
 if err := cfg.Derive(); err != nil {
 logrus.Fatalf("Failed to derive values from config: %s", err)
diff --git a/cmd/generate-config/main.go b/cmd/generate-config/main.go
index 7e03b9843..1c585d916 100644
--- a/cmd/generate-config/main.go
+++ b/cmd/generate-config/main.go
@@ -91,6 +91,7 @@ func main() {
 cfg.UserAPI.BCryptCost = bcrypt.MinCost
 cfg.Global.JetStream.InMemory = true
 cfg.ClientAPI.RegistrationDisabled = false
+ cfg.ClientAPI.OpenRegistrationWithoutVerificationEnabled = true
 cfg.ClientAPI.RegistrationSharedSecret = "complement"
 cfg.Global.Presence = config.PresenceOptions{
 EnableInbound: true,
diff --git a/setup/config/config_clientapi.go b/setup/config/config_clientapi.go
index fd126fa42..18cfa1564 100644
--- a/setup/config/config_clientapi.go
+++ b/setup/config/config_clientapi.go
@@ -19,7 +19,7 @@ type ClientAPI struct {
 // Enable registration without captcha verification or shared secret. Note: this option is *not* recommended,
 // as registration without verification is a known vector for spam and abuse. Defaults to false. Has no effect
 // unless `registration_disabled` is set to false.
- RegistrationWithoutVerificationEnabled bool `yaml:"-"`
+ OpenRegistrationWithoutVerificationEnabled bool `yaml:"-"`
 // If set, allows registration by anyone who also has the shared
 // secret, even if registration is otherwise disabled.
@@ -62,11 +62,7 @@ func (c *ClientAPI) Defaults(generate bool) {
 c.RecaptchaBypassSecret = ""
 c.RecaptchaSiteVerifyAPI = ""
 c.RegistrationDisabled = true
- c.RegistrationWithoutVerificationEnabled = false
- if generate {
- c.RegistrationDisabled = false
- c.RegistrationWithoutVerificationEnabled = true
- }
+ c.OpenRegistrationWithoutVerificationEnabled = false
 c.RateLimiting.Defaults()
 }
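Review bot: The added `cfg.ClientAPI.OpenRegistrationWithoutVerificationEnabled = true` in `cmd/generate-config/main.go` may never reach the generated file, because the field is tagged `yaml:"-"` in `setup/config/config_clientapi.go`; if this tool emits `cfg` by marshalling it to YAML (not visible in the hunk), the value is dropped. The surrounding lines also set `bcrypt.MinCost` and the fixed shared secret `"complement"`, which look like test-only values, and the condition that guards them is outside the hunk. A comment above the group such as `// CI/test defaults only: weak bcrypt cost, fixed shared secret, open registration.` would make it clear that this output must not be used for a real deployment.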
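Review bot: After the `if generate` branch is removed from `ClientAPI.Defaults` in `setup/config/config_clientapi.go`, the visible lines no longer read the `generate` parameter, and nothing records that registration is now closed for generated configs as well. A short comment before `c.RegistrationDisabled = true` would state the intent, e.g. `// Registration is closed by default, including for generated configs; callers opt in explicitly.` The function starts outside the hunk, so `generate` may still be used earlier in the body.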
@@ -85,12 +81,16 @@ func (c *ClientAPI) Verify(configErrs *ConfigErrors, isMonolith bool) {
 c.RateLimiting.Verify(configErrs)
 // Ensure there is any spam counter measure when enabling registration
- if !c.RegistrationDisabled && !c.RegistrationWithoutVerificationEnabled {
+ if !c.RegistrationDisabled && !c.OpenRegistrationWithoutVerificationEnabled {
 if !c.RecaptchaEnabled && c.RegistrationSharedSecret == "" {
- configErrs.Add("You have enabled open registration without any verification. This is a known vector for " +
- "spam and abuse. If you would like to allow public registration, please consider adding captcha" +
- " or token-based verification. Otherwise this check can be removed by setting the " +
- "`enable_registration_without_verification` config option to `true`.")
+ configErrs.Add(
+ "You have tried to enable open registration without any secondary verification methods " +
+ "(such as captcha or shared secret). By enabling open registration, you are SIGNIFICANTLY " +
+ "increasing the risk that your server will be used to send spam or abuse, and may result in " +
+ "your server being banned from some rooms. If you are ABSOLUTELY CERTAIN you want to do this, " +
+ "start Dendrite with the -really-enable-open-registration command line flag. Otherwise, you " +
+ "should set the registration_disabled option in your Dendrite config.",
+ )
 }
 }
 }
diff --git a/setup/flags.go b/setup/flags.go
index ecacfbed5..bf8c2f4ac 100644
--- a/setup/flags.go
+++ b/setup/flags.go
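Review bot: The inner condition in `ClientAPI.Verify` (`setup/config/config_clientapi.go`), `!c.RecaptchaEnabled && c.RegistrationSharedSecret == ""`, treats any non-empty shared secret as a verification method for open registration. The struct comment in the same file describes the shared secret as allowing registration "even if registration is otherwise disabled", which suggests a separate path rather than a gate on public registration; if so, a config with `registration_disabled: false`, a shared secret and no captcha passes this check while public sign-up stays unverified. Consider testing captcha alone, `if !c.RecaptchaEnabled {`, or confirm in a comment that the shared secret is enforced on the public registration endpoint. The function body starts outside the hunk.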
@@ -27,7 +27,7 @@ import (
 var (
 configPath = flag.String("config", "dendrite.yaml", "The path to the config file. For more information, see the config file in this repository.")
 version = flag.Bool("version", false, "Shows the current version and exits immediately.")
- enableRegistrationWithoutVerification = flag.Bool("really-enable-open-registration", false, "This allows open registration without verification (captcha, shared secret etc). (NOT RECOMMENDED)")
+ enableRegistrationWithoutVerification = flag.Bool("really-enable-open-registration", false, "This allows open registration without secondary verification (captcha, shared secret etc). This is NOT RECOMMENDED and will SIGNIFICANTLY increase the risk that your server will be used to send spam or conduct attacks, which may result in your server being banned from rooms.")
 )
 // ParseFlags parses the commandline flags and uses them to create a config.
@@ -50,7 +50,7 @@ func ParseFlags(monolith bool) *config.Dendrite {
 }
 if *enableRegistrationWithoutVerification {
- cfg.ClientAPI.RegistrationWithoutVerificationEnabled = true
+ cfg.ClientAPI.OpenRegistrationWithoutVerificationEnabled = true
 }
 return cfg