f243b383cb
style: Fix typo in validate_remote_member_event_stub
2026-02-08 15:37:40 +00:00
e0b7d03018
fix: Perform additional membership validation on remote knocks too
2026-02-08 15:34:07 +00:00
184ae2ebb9
fix: Apply validation to make_join process
2026-02-06 18:15:39 +00:00
0ea0d09b97
fix: Don't fail open when a PDU doesn't have a short state hash
2026-02-06 18:09:09 +00:00
00c054d356
fix: Get_missing_events returns the same event N times
2026-02-05 21:28:21 +00:00
082ed5b70c
feat: Use info level logs for residency check failures
2026-02-03 20:09:41 +00:00
c4a9f7a6d1
perf: Don't handle expensive requests for rooms we aren't in
...
Mostly borrowed from dendrite:
https://github.com/element-hq/dendrite/blob/a042861/federationapi/routing/routing.go#L601
2026-02-03 20:09:41 +00:00
fd9bbb08ed
fix: Restore admin room announcement for deactivations
2026-01-30 05:11:30 +00:00
25f7d80a8c
fix: Clippy lint
2026-01-30 05:11:30 +00:00
02fa0ba0b8
perf: Optimise account deactivation process
2026-01-30 05:11:30 +00:00
cb79a3b9d7
refactor(treewide): get rid of compile time build environment introspection
...
It's cursed and not very useful. Still a few uses of ctor left, but oh well.
2026-01-19 19:44:28 +00:00
ebc8df1c4d
feat: Add endpoints required for API-based takedowns and room bans
2026-01-18 18:47:15 +00:00
79a278b9e8
Fix verification loss; workaround Nheko-Reborn/nheko#1908 ( closes #146 )
...
Signed-off-by: Jason Volk <jason@zemos.net >
2026-01-18 14:41:01 +00:00
d260c4fcc2
style: Fix yo unused variables
2026-01-13 20:29:30 +00:00
86e450a835
fix: M_BAD_JSON in send_join and send_knock
2026-01-12 17:53:37 +00:00
99a10998b4
style: Remove unused import
2026-01-11 15:42:06 +00:00
05c6b5df75
fix: M_BAD_JSON in c2s invite
2026-01-11 15:37:59 +00:00
e3cf288f39
feat: Support creating custom v12 room IDs
2026-01-09 02:50:04 +00:00
5a2a1b6240
style: Clean up whoami code
2026-01-09 01:12:38 +00:00
d22d47954f
fix: Return 403 instead of 404 at /_matrix/client/v3/account/whoami
2026-01-09 00:44:38 +00:00
8cf2d175d6
fix: Update package and crate metadata
2026-01-08 19:28:27 +00:00
247bc15659
fix: Await future
2026-01-07 17:31:53 +00:00
88a35e139d
fix: Correctly return M_USER_LOCKED during login
2026-01-07 17:31:53 +00:00
1c816850ed
feat: Allow admins to disable the login capability of an account
...
# Conflicts:
# src/admin/user/commands.rs
2026-01-07 17:31:51 +00:00
adc7c5ac49
fix( !783 ): Don't allow registrations by default with no token configured
2026-01-07 14:22:37 +00:00
ca77970ff3
feat( !783 ): Add admin commands for managing tokens
2026-01-07 14:22:37 +00:00
42f4ec34cd
feat( !783 ): Initial implementation
...
Adds support for extra limited-use registration tokens
stored in the database, and a new service to manage them.
2026-01-07 14:22:37 +00:00
9552dd7485
style: Log error
2026-01-06 01:55:52 +00:00
88c84f221f
chore: Add comment and warning to unhappy path
2026-01-06 00:59:32 +00:00
a10bd71945
fix(admin): fix force-leaving rooms with no left_state PDU
2026-01-06 00:59:31 +00:00
279f7cbfe4
style: Fix failing lints
2026-01-05 20:10:29 +00:00
006c57face
perf: Don't check accept_make_join twice for restricted make_join
2026-01-05 20:10:29 +00:00
d52e0dc014
fix: Apply check_all_joins to make_join
2026-01-05 20:10:29 +00:00
4b873a1b95
fix: Apply spam checker to local restricted joins
2026-01-05 20:10:29 +00:00
76865e6f91
fix: Accept_may_join callback works again
2026-01-05 20:10:29 +00:00
99f16c2dfc
fix: Call user_may_join_room later in the join process
2026-01-05 20:10:28 +00:00
5ac82f36f3
feat: Consolidate antispam checks into a service
...
Also adds support for the spam checker join rule, and Draupnir callbacks
2026-01-05 20:10:28 +00:00
c249dd992e
feat: Add support for automatically rejecting pending invites
2026-01-05 20:10:28 +00:00
0956779802
feat: Add Meowlnir invite interception support
...
Co-authored-by: Jade Ellis <jade@ellis.link >
2026-01-05 20:10:27 +00:00
7502a944d7
feat: Add user locking and unlocking commands and functionality
...
Also corrects the response code returned by UserSuspended
2026-01-05 19:30:16 +00:00
aed15f246a
refactor: Clean up logging issues
...
Primary issues: Double escapes (debug fmt), spans without levels
2026-01-05 18:28:57 +00:00
27d6604d14
fix: Use a timeout instead of deadline
2026-01-03 17:08:47 +00:00
1c7bd2f6fa
style: Remove unnecessary then() calls in chain
2026-01-03 16:22:49 +00:00
56d7099011
style: Include errors in key claim response too
2026-01-03 16:10:06 +00:00
bc426e1bfc
fix: Apply client-requested timeout to federated key queries
...
Also parallelised federation calls in related functions
2026-01-03 16:05:05 +00:00
bf200ad12d
fix: Resolve compile errors
...
me and cargo check are oops now
2025-12-31 20:01:29 +00:00
44851ee6a2
feat: Fall back to remote room summary if local fails
2025-12-31 20:01:29 +00:00
a7e6e6e83f
feat: Allow local server admins to bypass summary visibility checks
...
feat: Allow local server admins to bypass summary visibility checks
Also improve error messages so they aren't so damn long.
2025-12-31 20:01:29 +00:00
f8c1e9bcde
feat: Config defined admin list
...
Closes !1246
2025-12-31 19:35:40 +00:00
12aecf8091
validate membership events returned by remote servers
...
This fixes a vulnerability where an attacker with a malicious remote
server and a user on the local server can trick the local server into
signing arbitrary events. The attacker issue a remote leave as the local
user to a room on the malicious server. Without any validation of the
make_leave response, the local server would sign the attacker-controlled
event and pass it back to the malicious server with send_leave.
The join and knock endpoints are also fixed in this commit, but are less
useful for exploitation because the local server replaces the "content"
field returned by the remote server. Remote invites are unaffected
because we already check that the event returned from /invite has the
same event ID as the event passed to it.
Co-authored-by: timedout <git@nexy7574.co.uk >
Co-authored-by: Jade Ellis <jade@ellis.link >
Co-authored-by: Ginger <ginger@gingershaped.computer >
2025-12-30 15:24:45 +00:00
timedout
K900
Jason Volk
Jade Ellis
Ginger
Laurențiu Nicola
Terry
Olivia Lee