zeratax / matrix-registration

a token based matrix registration api
https://zeratax.github.io/matrix-registration/
MIT License

Documentation for Curl suggests use of SharedSecret where AdminAPIPass is actually required #58

Closed squarepupil closed 3 years ago

squarepupil commented 3 years ago

Describe the bug

The API documentation suggests that one should use the SharedSecret:

curl -X POST \
     -H "Authorization: SharedSecret verysecuresecret" \
     -H "Content-Type: application/json" \
     -d '{"one_time": true, "ex_date": "24.12.2020"}' \
     http://localhost:5000/token

@ZerataX clarified for me in #matrix-registration:dmnd.sh that the AdminAPIPass belongs in that field. This was confusing as I was coming from a previous version of matrix-registration in which SharedSecret was the necessary credential in this field.

The Readme also does not clarify which password is meant in the curl example given.

curl -X POST \
     -F 'username=test' \
     -F 'password=verysecure' \
     -F 'confirm=verysecure' \
     -F 'token=DoubleWizardSki' \
     http://localhost:5000/register

To Reproduce

  1. Attempt any of the above curl commands using the now-unsupported SharedSecret (i.e., the Synapse shared secret found in homeserver.yaml)
  2. Note failure

Expected behavior

Documentation should expressly specify AdminAPIPass in commands where it is required.

olmari commented 3 years ago

well... "shared secret" IS what the admin api token is... a secret that is shared between the automaton and admin user... So it is not wrong either...

squarepupil commented 3 years ago

I should also mention that the error code if you enter the wrong credential is also misleading: {"errcode":"MR_BAD_SECRET","error":"wrong shared secret"}

This again suggests that it is SharedSecret that we're looking for and not AdminAPIPass

squarepupil commented 3 years ago

> well... "shared secret" IS what the admin api token is... a secret that is shared between the automaton and admin user... So it is not wrong either...

You're suggesting that when I'm asked for "shared secret" I should know to input "admin secret" instead of "shared secret", the one with the same exact name?

lantrix commented 3 years ago

As far as I can tell shared_secret here shows a value of RegistrationSharedSecret which seems to me would be:

I'm trying to set this up too.

zeratax commented 3 years ago

ehm sorry for not being active in so long, real life stuff happened. anyways @lantrix yeah you're correct it does correspond to these values. idk if it works with dendrite though, i am using a specific synapse api that is not part of the matrix spec.

@squarepupil Before I left I was working on a 1.0.0 release and wanted to rename a lot of variables to make more sense, so I am totally open to renaming these config values. would registration_shared_secret and admin_api_secret make more sense?