anoadragon453
commented
2 years ago Note that https://github.com/jkanefendt/prosody-mod-auth-matrix-user-verification-ng is an entirely different approach to this problem which removes the need to use Synapse-specific admin APIs.
Currently only a single Synapse homeserver URL and admin access token can be configured per instance of matrix-user-verification-service. However, in a deployment that features multiple, federated homeservers but only a single Jitsi cluster, one would need to verify room membership of users across multiple servers.
As the prosody module is passed the homeserver domain name in each verification request, we could query multiple homeservers, as long as each are configured.
This issue proposes a mechanism for allowing verification of both a user's registration as well as their participation in a room across multiple homeservers with only a single instance of the matrix-user-verification-service.
Currently homeserver credentials are configured through the use of environment variables.
UVS_HOMESERVER_URLis the URL of the homeserver to verify against, whileUVS_ACCESS_TOKENis the access token of a Synapse admin user. The matrix-user-verification-service will then callGET {UVS_HOMESERVER_URL}/_synapse/admin/v1/rooms/{ROOM_ID}/statewith the admin access token in order to check the state of the room and whether the user is currently present.There are many ways to alter this configuration to allow multiple homeservers. One such solution is to provide an additional environment variable, i.e:
which the matrix-user-verification-service would then use when fielding
POST /verify/user_in_roomrequests from themod_matrix_power_syncprosody module.Note that in the above deployment scenario, one should not set
UVS_OPENID_VERIFY_SERVER_NAME. This will cause the matrix-user-verification-service to verify OpenID tokens (ensuring that a user exists on the homeserver) against any requested homeserver, rather than just the one specified byUVS_OPENID_VERIFY_SERVER_NAME.