matrix-org / matrix-authentication-service

OAuth2.0 + OpenID Provider for Matrix Homeservers
https://matrix-org.github.io/matrix-authentication-service/
Apache License 2.0
109 stars 32 forks

getting server admin API tokens #2913

Open joepitt91 opened 2 months ago

joepitt91 commented 2 months ago

I've got some automation scripts which use the _synapse/admin/... API endpoints, which need an authentication token.

Before MAS

Previously I:

  1. Set admin to 1 for my users in the Synapse DB,
  2. Log into Element Desktop, and
  3. Use token from advanced settings page.

With MAS

Since switching to MAS this method no longer works, as per the docs, with this error:

{"errcode":"M_FORBIDDEN","error":"You are not a server admin"}

While the docs say that Synapse will no longer manage who is an admin, I couldn't see anything about how to manage this in MAS.

Workaround

As a workaround I've:

  1. Set can_request_admin to true for my user in users in the MAS DB,
  2. Log into Element Desktop,
  3. Find my token in advanced settings,
  4. Find the associated compat_session_id in compat_access_tokens based on access_token (surprised tokens are stored in plain-text not salted and hashed - by design?),
  5. Update is_synapse_admin to true in compat_sessions for my compat_session_id,
  6. Use token from Element Desktop.

Proposed Solution

This feels very hacky, the sort of flow that I think would be ideal is:

  1. Log in to MAS web UI.
  2. is_synapse_admin is updated on the fly based on a configurable OIDC role attestation (maybe a CLI option to toggle as a fallback).
  3. Click a button to generate a token.
  4. Dialog opens to:
    1. Set a friendly name,
    2. Toggle a checkbox for if it should be an admin token (only shown for users where is_synapse_admin is true), and
    3. Optionally, set an expiry period.
  5. The new token is shown once, then unrecoverable through the UI.
  6. Web UI has a tab for tokens, just like sessions and browsers, to allow manual revocation before expiry.

Questions

  1. Is there a better way than my workaround to do this currently?
  2. Would it be possible to get my proposed solution on the backlog - appreciate it may not be a high priority?

Thanks
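The workaround above, written out as a single PostgreSQL transaction so that the two updates either both land or neither does. This is an added example, not code from the issue author or the matrix-authentication-service project. Table and column names (`users`, `can_request_admin`, `compat_access_tokens`, `access_token`, `compat_session_id`, `compat_sessions`, `is_synapse_admin`) are the ones named in the issue; the `users.username`, `users.user_id`, `compat_sessions.user_id` and `compat_sessions.finished_at` columns, the username and the token value are assumptions and placeholders to substitute.

```sql
-- Added example (not from the issue or the MAS project): apply the
-- direct-DB workaround as one transaction, then verify before committing.
-- Assumptions: PostgreSQL; users has user_id/username; compat_sessions
-- has user_id and a finished_at that is NULL while the session is active.
BEGIN;

-- Step 1: flag the user as allowed to request admin.
-- 'alice' is a placeholder username.
UPDATE users
   SET can_request_admin = true
 WHERE username = 'alice';

-- Steps 4-5: find the compat session that owns the token copied from
-- Element's advanced settings and mark it as a Synapse admin session.
-- The join on users prevents elevating a session that belongs to someone
-- else if the wrong token is pasted; finished_at IS NULL skips sessions
-- that MAS already ended. 'syt_PLACEHOLDER' is a placeholder token.
UPDATE compat_sessions AS cs
   SET is_synapse_admin = true
  FROM compat_access_tokens AS cat,
       users AS u
 WHERE cat.compat_session_id = cs.compat_session_id
   AND u.user_id = cs.user_id
   AND u.username = 'alice'
   AND cat.access_token = 'syt_PLACEHOLDER'
   AND cs.finished_at IS NULL;

-- Verification: exactly one row is expected, with both flags true.
-- If the row count is 0 or the flags are still false, ROLLBACK instead.
SELECT u.username,
       u.can_request_admin,
       cs.compat_session_id,
       cs.is_synapse_admin
  FROM compat_sessions AS cs
  JOIN users AS u
    ON u.user_id = cs.user_id
  JOIN compat_access_tokens AS cat
    ON cat.compat_session_id = cs.compat_session_id
 WHERE cat.access_token = 'syt_PLACEHOLDER';

COMMIT;

-- To take the elevation away again, rerun the two UPDATE statements with
-- false instead of true, or revoke the session from the MAS web UI so the
-- token stops working entirely.
```

Because this edits MAS's tables behind its back, the admin flag lives on the compat session, not on the user: a fresh Element login creates a new session with `is_synapse_admin` false, so the second update has to be repeated for each new token, which is exactly the "hacky" part the issue describes.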

dklimpel commented 1 month ago

Related to:

matrixbot commented 3 days ago

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: https://github.com/element-hq/matrix-authentication-service/issues/2913