YunoHost-Apps / synapse_ynh

Matrix server (synapse) package for YunoHost
https://matrix.org/
GNU General Public License v3.0

Password reset conflicts with YNH permissions #340

Closed tio-trom closed 1 year ago

tio-trom commented 1 year ago

Say a user who is not a YNH user tries to reset the Synapse password via the Element web client. The user then receives an email with a link to click to confirm the new password. It looks like this: https://matrix.trom.tf/_synapse/client/password_reset/email/submit_token?***** - but if the user clicks it, it redirects to the main domain for the YNH install and they are asked to log in with their YNH user and password. https://matrix.trom.tf/ is the Synapse server.

I see in my permissions that visitors can still access that URL. (screenshot)

However trying to access https://matrix.trom.tf/ in an incognito window redirects to the YNH portal login page...

Must be a permission thing but I cannot find any matrix.trom.tf in the list of allowed domains for all visitors. I allowed them all...

Any help?

tio-trom commented 1 year ago

In the Users Permissions I can find the "naked" matrix.trom.tf that I can add to permissions: (screenshot) However I cannot find that in the Visitors one: (screenshot)

tio-trom commented 1 year ago

So the confirmation link redirects to https://server.trom.tf/yunohost/sso/?r=****** type of link. Using SSO.

Josue-T commented 1 year ago

Duplicate #305

tio-trom commented 1 year ago

Updated to the latest Synapse 1.85.1~ynh1 and I still cannot reset any password since I am sent to the Yunohost login page. This is a critical issue for open servers like mine, since no user can reset their password unless they are also a YNH user.

Please reopen?

Josue-T commented 1 year ago

Hello,

Normally this command should partially fix the issue:

yunohost user permission add synapse.admin_api visitors

With #392 it should work.

tio-trom commented 1 year ago

Thanks, but this is what I get:

sudo yunohost user permission add synapse.admin_api visitors
[sudo] password for admin: 
Warning: Group 'visitors' already has permission 'synapse.admin_api' enabled
additional_urls: 
allowed: 
  - visitors
  - all_users
auth_header: False
corresponding_users: 
*******
label: matrix.trom.tf (Server administration API.)
protected: False
show_tile: False
sublabel: Server administration API.
url: /_synapse

tio-trom commented 1 year ago

I even did the Nginx change you proposed in the pull. Restarted it and the matrix server. Same exact issue....

But you see the entire URL for Matrix, in my case matrix.trom.tf, is not accessible to the visitors. I think that's why it redirects to the YNH login. Isn't it a good idea to make the URL accessible to the visitors?

I cannot even make that accessible to visitors: (screenshot)

And when I do have the option to open it for visitors, it is for specific things like client-apps/well-known and such; even those are greyed out...

I am also curious... Element is installed at chat.trom.tf and the password reset is done via chat.trom.tf. Is it normal that the password reset link starts with matrix.trom.tf (where Synapse is installed)?

tio-trom commented 1 year ago

Also this is the YNH config panel for my Synapse, if that helps:

(screenshot)

Josue-T commented 1 year ago

Well, I think it is still an issue with the permissions.

tio-trom commented 1 year ago

This is my entire nginx config for synapse:

location /_matrix/ {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 100M;

        # Use the specific path for the php file. It's more secure than global php path
        location /_matrix/cas_server.php {
            alias /var/www/synapse/;
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            fastcgi_pass unix:/run/php7.4-fpm-synapse.sock;
            include fastcgi_params;
            fastcgi_param REMOTE_USER $remote_user;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME cas_server.php;
        }
}

location /_synapse/ {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 10M;
}

Josue-T commented 1 year ago

Can you share the synapse.admin_api section of /etc/ssowat/conf.json?

tio-trom commented 1 year ago

    "synapse.admin_api": {
        "auth_header": false,
        "label": "matrix.trom.tf (Server administration API.)",
        "public": true,
        "show_tile": false,
        "uris": [
            "matrix.trom.tf/_matrix/_synapse"
        ],
        "use_remote_user_var_in_nginx_conf": true,
        "users": [
            *****
        ]
    },

Josue-T commented 1 year ago

Well, your URI matrix.trom.tf/_matrix/_synapse is completely wrong. Did you add it manually?

tio-trom commented 1 year ago

> Well, your URI matrix.trom.tf/_matrix/_synapse is completely wrong. Did you add it manually?

No.... Should it be matrix.trom.tf/_synapse ?

Josue-T commented 1 year ago

Yes

Josue-T commented 1 year ago

You should edit the permission synapse.admin_api to have the correct URL matrix.trom.tf/_synapse instead of matrix.trom.tf/_matrix/_synapse.
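To make the diagnosis above concrete, here is an added example (not code from synapse_ynh or SSOwat) that models, in a simplified way, how a public SSOwat permission decides whether an unauthenticated visitor may reach a URL: the "uris" entries are assumed to be plain "domain/path" prefixes, and a request covered by no public permission is assumed to be sent to the SSO login page. The permission tables, the placeholder token and the function names are constructed for this illustration; real SSOwat matching has more rules (regex URIs, per-user lists) that are not modelled here.

```python
# Added example, not part of the synapse_ynh project or of SSOwat itself.
# Simplified model of an SSOwat-style "public" permission check, built to
# show why the mis-set URI from this thread broke password-reset links.
from urllib.parse import urlsplit

# Constructed permission tables in the shape of the /etc/ssowat/conf.json
# excerpt above. "uris" are assumed to be "domain/path" prefixes.
BROKEN_PERMS = {
    "synapse.admin_api": {"public": True,
                          "uris": ["matrix.trom.tf/_matrix/_synapse"]},
}
FIXED_PERMS = {
    "synapse.admin_api": {"public": True,
                          "uris": ["matrix.trom.tf/_synapse"]},
}

# Constructed reset link; the real token is redacted in the thread.
RESET_LINK = ("https://matrix.trom.tf/_synapse/client/password_reset/"
              "email/submit_token?token=PLACEHOLDER")


def matching_permissions(url, perms):
    """Return the names of permissions whose URI prefix covers `url`.

    Matching is done on "host/path" (query string ignored) and only
    accepts exact matches or a match on a full path segment boundary,
    so "a.tld/_syn" does not cover "a.tld/_synapse/...".
    """
    parts = urlsplit(url)
    target = parts.netloc + parts.path
    return [name for name, perm in perms.items()
            if any(target == uri or target.startswith(uri.rstrip("/") + "/")
                   for uri in perm["uris"])]


def visitor_decision(url, perms):
    """'allow' when a public permission covers the URL, otherwise
    'redirect-to-sso' (the behaviour the reporter observed)."""
    hits = matching_permissions(url, perms)
    if any(perms[name]["public"] for name in hits):
        return "allow"
    return "redirect-to-sso"


if __name__ == "__main__":
    for label, perms in (("broken", BROKEN_PERMS), ("fixed", FIXED_PERMS)):
        print(f"{label}: {visitor_decision(RESET_LINK, perms)}")
```

Running it prints "broken: redirect-to-sso" and "fixed: allow", which is exactly the change the reporter saw after correcting the URI.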

tio-trom commented 1 year ago

Yup I did so now. Testing.

tio-trom commented 1 year ago

Oh god! Not only does the password reset work now, but Synapse Admin WORKS! I think this issue https://github.com/YunoHost-Apps/synapse-admin_ynh/issues/15 is also because of that config. Maybe a year or two ago when Synapse was packaged it dragged that wrong synapse.admin_api config with it. Man, thank you so much! For the past year I've been trying to fix both of these issues and now you fixed both of them. Much appreciated!