Compare commits
8 Commits
f49f6cef73
...
complete_p
| Author | SHA1 | Date | |
|---|---|---|---|
| b4d630cd9e | |||
| 9a93b88d11 | |||
| a8903dcf9a | |||
| 083c848347 | |||
| dda0e83abe | |||
| 21e20e87cb | |||
|
3eccf446d6 | ||
| 3fa2a2fe03 |
@@ -103,7 +103,15 @@ class MatrixConnection {
|
||||
curl_setopt($handle, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
|
||||
curl_setopt($handle, CURLOPT_POSTFIELDS, json_encode($data));
|
||||
|
||||
return $this->exec_curl_request($handle);
|
||||
try {
|
||||
return $this->exec_curl_request($handle);
|
||||
} catch (Exception $e) {
|
||||
if (strcmp("AUTHENTICATION_FAILED", $e->getMessage()) == 0) {
|
||||
throw new Exception("WRONG_REGISTRATION_SHARED_SECRET");
|
||||
} else {
|
||||
throw $e;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function exec_curl_request($handle) {
|
||||
@@ -126,7 +134,7 @@ class MatrixConnection {
|
||||
$response = json_decode($response, true);
|
||||
error_log("Request has failed with error {$response['error']}\n");
|
||||
if ($http_code == 401) {
|
||||
throw new Exception('Invalid access token provided');
|
||||
throw new Exception("AUTHENTICATION_FAILED");
|
||||
}
|
||||
} else {
|
||||
$response = json_decode($response, true);
|
||||
|
||||
26
README.md
26
README.md
@@ -1,4 +1,6 @@
|
||||
# matrix-register-bot
|
||||
|
||||
[](https://matrix.to/#/#matrix-register-bot:msg-net.de)
|
||||
|
||||
This bot provides a two-step-registration for matrix ([synapse](https://github.com/matrix-org/synapse)).
|
||||
|
||||
@@ -16,11 +18,20 @@ To configure synapse so that the users can login that were created via this bot
|
||||
- set `operationMode=synapse` so the bot uses the register api to push the new users to synapse or
|
||||
- integrate it via [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth#integrate) by configuring your system to point at `internal/login.php`.
|
||||
|
||||
When using `operationMode=local` you can have the following benefits (some require [mxisd](https://github.com/kamax-io/mxisd/blob/master/docs/backends/rest.md))
|
||||
When using `operationMode=local` you can have the following benefits (some require [mxisd](https://github.com/kamax-io/mxisd/blob/master/docs/stores/rest.md))
|
||||
- Automatically set the display name based on first and last name on first login
|
||||
- Use the 3PID lookup for other users (only email)
|
||||
- Search for users that you have not seen yet
|
||||
|
||||
## Requirements
|
||||
|
||||
- Working PHP environment with
|
||||
- database connection provider \[one of sqlite, mysql, postgres\]
|
||||
- curl extension to notify admins and register users (in `operationMode=synapse`)
|
||||
- mail capability to interact with the users (Verification, Approval (+ initial password), Notifications)
|
||||
- matrix-synapse-rest-auth when using `operationMode=local`
|
||||
- some PHP capable webserver which makes the folder `public` accessible to the public and propably `internal` for server-internal access
|
||||
|
||||
## How to install
|
||||
|
||||
- Copy `config.sample.php` to `config.php` and configure the bot as you can find there
|
||||
@@ -28,7 +39,7 @@ When using `operationMode=local` you can have the following benefits (some requi
|
||||
The folder `internal` contains files that only provide API access. They can be accessed by mxisd or matrix-synapse-rest-auth
|
||||
- To integrate with [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth):
|
||||
- `/_matrix-internal/identity/v1/check_credentials` should map to `internal/login.php`
|
||||
- To integrate with [mxisd](https://github.com/kamax-io/mxisd): Have a look at [the docs of mxisd](https://github.com/kamax-io/mxisd/blob/master/docs/backends/rest.md) and apply as follows:
|
||||
- To integrate with [mxisd](https://github.com/kamax-io/mxisd): Have a look at [the docs of mxisd](https://github.com/kamax-io/mxisd/blob/master/docs/stores/rest.md) and apply as follows:
|
||||
|
||||
|
||||
| Key | file which handles that | Description |
|
||||
@@ -41,9 +52,11 @@ When using `operationMode=local` you can have the following benefits (some requi
|
||||
|
||||
## Further notes:
|
||||
|
||||
### This bot sends mails
|
||||
To allow the bot to verify the email address of the user and to interact with them e.g. in case of approval this bot needs a running mailserver configuration.
|
||||
This bot relies on php to be properly configured.
|
||||
### Security: Passwords from registration form are stored in clear text
|
||||
Currently the passwords which are typed in while capturing the register request are stored in clear text.
|
||||
The bot needs to access them to trigger a register request with correct credentials.
|
||||
It is currently strongly recommended to set `"getPasswordOnRegistration" => false` in your config!
|
||||
This leads to autocreating passwords which will then be send to the users directly without storing it.
|
||||
|
||||
### Use the ChangePasswortInterceptor (if `operationMode=local`)
|
||||
|
||||
@@ -58,6 +71,3 @@ Here is an example for nginx:
|
||||
### The bot postpones some actions
|
||||
There is a cron.php which implements retries and database cleanups (e.g. to remove a username claim)
|
||||
For this run cron.php regularly with your system of choice.
|
||||
|
||||
### Chat
|
||||
For further questions, comments, feedback and more come and talk in [#matrix-register-bot:msg-net.de](https://matrix.to/#/#matrix-register-bot:msg-net.de)
|
||||
|
||||
6
cron.php
6
cron.php
@@ -19,7 +19,9 @@ require_once(__DIR__ . "/language.php");
|
||||
require_once(__DIR__ . "/mail_templates.php");
|
||||
require_once(__DIR__ . "/database.php");
|
||||
|
||||
$sql = "SELECT id, first_name, last_name, username, email, state, note, verify_token, admin_token FROM registrations "
|
||||
$sql = "SELECT id, first_name, last_name, username, password, email,"
|
||||
. " state, note, verify_token, admin_token "
|
||||
. "FROM registrations "
|
||||
. "WHERE state = " . RegisterState::PendingEmailSend
|
||||
. " OR state = " . RegisterState::PendingAdminSend
|
||||
. " OR state = " . RegisterState::PendingRegistration
|
||||
@@ -87,7 +89,7 @@ foreach ($mx_db->query($sql) as $row) {
|
||||
break;
|
||||
case "local":
|
||||
// register by adding a user to the local database
|
||||
$password = $mx_db->addUser($row["first_name"], $row["last_name"], $row["username"], $row["email"]);
|
||||
$password = $mx_db->addUser($row["first_name"], $row["last_name"], $row["username"], $row["password"], $row["email"]);
|
||||
break;
|
||||
default:
|
||||
throw new Exception("Unknown operationMode");
|
||||
|
||||
21
database.php
21
database.php
@@ -78,7 +78,7 @@ class mxDatabase {
|
||||
first_name TEXT,
|
||||
last_name TEXT,
|
||||
username TEXT,
|
||||
password_hash TEXT DEFAULT '',
|
||||
password TEXT DEFAULT '',
|
||||
note TEXT,
|
||||
email TEXT,
|
||||
verify_token TEXT,
|
||||
@@ -98,7 +98,7 @@ class mxDatabase {
|
||||
)");
|
||||
// make sure the bot is allowed to login
|
||||
if (!$this->userRegistered("register_bot")) {
|
||||
$password = $this->addUser("Register", "Bot", "register_bot", $config["register_email"]);
|
||||
$password = $this->addUser("Register", "Bot", "register_bot", NULL, $config["register_email"]);
|
||||
$config["register_password"] = $password;
|
||||
$myfile = fopen(dirname(__FILE__) . "/config.json", "w");
|
||||
fwrite($myfile, json_encode($config, JSON_PRETTY_PRINT));
|
||||
@@ -184,7 +184,7 @@ class mxDatabase {
|
||||
*
|
||||
* @return ["verify_token"]
|
||||
*/
|
||||
function addRegistration($first_name, $last_name, $username, $note, $email) {
|
||||
function addRegistration($first_name, $last_name, $username, $password, $note, $email) {
|
||||
if ($this->userPendingRegistrations($username)) {
|
||||
throw new Exception("USERNAME_PENDING_REGISTRATION");
|
||||
}
|
||||
@@ -196,8 +196,9 @@ class mxDatabase {
|
||||
$admin_token = bin2hex(random_bytes(16));
|
||||
|
||||
$this->db->exec("INSERT INTO registrations
|
||||
(first_name, last_name, username, note, email, verify_token, admin_token)
|
||||
VALUES ('" . $first_name . "','" . $last_name . "','" . $username . "','" . $note . "','"
|
||||
(first_name, last_name, username, password, note, email, verify_token, admin_token)
|
||||
VALUES ('" . $first_name . "','" . $last_name . "','"
|
||||
. $username . "','" . $password . "','" . $note . "','"
|
||||
. $email . "','" . $verify_token . "','" . $admin_token . "')");
|
||||
|
||||
return [
|
||||
@@ -217,7 +218,7 @@ class mxDatabase {
|
||||
$res = $this->db->query($sql);
|
||||
|
||||
if ($res->fetchColumn() > 0) {
|
||||
$sql = "SELECT first_name, last_name, username, note, email FROM registrations"
|
||||
$sql = "SELECT first_name, last_name, username, password, note, email FROM registrations"
|
||||
. " WHERE admin_token = '" . $admin_token . "'"
|
||||
. " AND state = " . RegisterState::PendingAdminVerify
|
||||
. " LIMIT 1;";
|
||||
@@ -282,14 +283,16 @@ class mxDatabase {
|
||||
* NULL when failed
|
||||
*
|
||||
*/
|
||||
function addUser($first_name, $last_name, $username, $email) {
|
||||
function addUser($first_name, $last_name, $username, $password, $email) {
|
||||
// check if user already exists and abort in that case
|
||||
if ($this->userRegistered($username)) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
// generate a password with 10 characters
|
||||
$password = bin2hex(openssl_random_pseudo_bytes(5));
|
||||
if ($password == NULL) {
|
||||
// generate a password with 10 characters
|
||||
$password = bin2hex(openssl_random_pseudo_bytes(5));
|
||||
}
|
||||
$password_hash = password_hash($password, PASSWORD_BCRYPT, ["cost" => 12]);
|
||||
|
||||
$sql = "INSERT INTO logins (first_name, last_name, localpart, password_hash, email) VALUES "
|
||||
|
||||
@@ -31,10 +31,13 @@ $language = array(
|
||||
"UNKNOWN_SESSION" => "Sitzungstoken nicht vorhanden oder ungültig.",
|
||||
"UNKNOWN_USERNAME" => "Nutzername fehlt",
|
||||
"UNKNOWN_TOKEN" => "Token ist unbekannt",
|
||||
"USERNAME_LENGTH_INVALID" => "Entweder mehr als 20 oder weniger als 3 Zeichen für den Nutzernamen verwendet",
|
||||
"AUTHENTICATION_FAILED" => "Authentifizierung fehlgeschlagen",
|
||||
"WRONG_REGISTRATION_SHARED_SECRET" => "registration_shared_secret fehlerhaft",
|
||||
"USERNAME_INVALID" => "Nutzername muss aus 3 bis 20 Kleinbuchstaben bestehen",
|
||||
"USERNAME_NOT_ALNUM" => "Nutzername ist nicht alphanumerisch",
|
||||
"USERNAME_PENDING_REGISTRATION" => "Dieser Nutzername wurde bereits zur Registrierung vorgemerkt. Versuche es später noch einmal oder wähle einen anderen Nutzernamen",
|
||||
"USERNAME_REGISTERED" => "Dieser Nutzername wurde bereits registriert. Bitte wähle einen anderen Nutzernamen",
|
||||
"PASSWORD_NOT_PROVIDED" => "Ein oder beide Passwörter wurden nicht gesetzt",
|
||||
"PASSWORD_NOT_MATCH" => "Passwörter stimmen nicht überein",
|
||||
"NOTE_LENGTH_EXEEDED" => "Notiz ist länger als die erlaubten 50 Zeichen",
|
||||
"PLACEHOLDER_NOTE_ABOUT_YOURSELF" => "Notiz zu dir (max. 50 Zeichen)",
|
||||
|
||||
@@ -31,10 +31,13 @@ $language = array(
|
||||
"UNKNOWN_SESSION" => "Session token not found of invalid.",
|
||||
"UNKNOWN_USERNAME" => "username unknown",
|
||||
"UNKNOWN_TOKEN" => "Token is unknown",
|
||||
"USERNAME_LENGTH_INVALID" => "Username cpnsists pf more than 20 or less than 3 characters",
|
||||
"AUTHENTICATION_FAILED" => "Authentication failed",
|
||||
"WRONG_REGISTRATION_SHARED_SECRET" => "wrong registration_shared_secret",
|
||||
"USERNAME_INVALID" => "Username has to consist of 3 to 20 small letters",
|
||||
"USERNAME_NOT_ALNUM" => "Username is not alphanumeric",
|
||||
"USERNAME_PENDING_REGISTRATION" => "This username is locked for registration. Try again later or try again with a different username",
|
||||
"USERNAME_REGISTERED" => "This username is already registered. Please try again with another username",
|
||||
"PASSWORD_NOT_PROVIDED" => "One or both passwords are not provided",
|
||||
"PASSWORD_NOT_MATCH" => "passwords do not match",
|
||||
"NOTE_LENGTH_EXEEDED" => "Note consists of more than 50 characters",
|
||||
"PLACEHOLDER_NOTE_ABOUT_YOURSELF" => "Note about yourself (max. 50 characters)",
|
||||
|
||||
@@ -79,7 +79,7 @@ Deine Registrierungsanfrage wurde durch die Administratoren bestätigt.
|
||||
|
||||
Zum Anmelden kannst du folgende Zugangsdaten verwenden:
|
||||
Nutzername: $username
|
||||
Passwort: $password
|
||||
Passwort: " . (empty($password) ? "wie selbst gesetzt": $password) . "
|
||||
|
||||
Hinweis: Das Passwort kannst du aktuell über die App selbst ändern. Auch wenn das Passwort nirgends
|
||||
im Klartext gespeichert wird, kann jemand Zugriff auf diese Mail erlangen und so den Zugriff bekommen.
|
||||
|
||||
@@ -78,7 +78,7 @@ Your registration request got verified by the admin team.
|
||||
|
||||
To log in you can use the following credentials::
|
||||
Username: $username
|
||||
Password: $password
|
||||
Passwort: " . (empty($password) ? "as self-set": $password) . "
|
||||
|
||||
Important: Please change your password as soon as possible after your first login.
|
||||
The password is not stored in clear text on the server but people could get access to this mail
|
||||
|
||||
@@ -49,14 +49,18 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
||||
if (!isset($_POST["username"])) {
|
||||
throw new Exception("UNKNOWN_USERNAME");
|
||||
}
|
||||
if (strlen($_POST["username"] > 20 || strlen($_POST["username"]) < 3)) {
|
||||
throw new Exception("USERNAME_LENGTH_INVALID");
|
||||
if (strlen($_POST["username"]) > 20 ||
|
||||
strlen($_POST["username"]) < 3 ||
|
||||
!ctype_lower($_POST["username"])) {
|
||||
throw new Exception("USERNAME_INVALID");
|
||||
}
|
||||
if (ctype_alnum($_POST['username']) != true) {
|
||||
throw new Exception("USERNAME_NOT_ALNUM");
|
||||
}
|
||||
if (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"] &&
|
||||
$_POST["password"] != $_POST["password_confirm"]) {
|
||||
if ($storePassword && (!isset($_POST["password"]) || !isset($_POST["password_confirm"]))) {
|
||||
throw new Exception("PASSWORD_NOT_PROVIDED");
|
||||
}
|
||||
if ($storePassword && $_POST["password"] != $_POST["password_confirm"]) {
|
||||
throw new Exception("PASSWORD_NOT_MATCH");
|
||||
}
|
||||
if (isset($_POST["note"]) && strlen($_POST["note"]) > 50) {
|
||||
@@ -80,6 +84,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
||||
}
|
||||
|
||||
$username = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
|
||||
$password = "";
|
||||
if ($storePassword && isset($_POST["password"])) {
|
||||
$password = filter_var($_POST["password"], FILTER_SANITIZE_STRING);
|
||||
}
|
||||
@@ -87,7 +92,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
||||
$email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
|
||||
|
||||
require_once(__DIR__ . "/../database.php");
|
||||
$res = $mx_db->addRegistration($first_name, $last_name, $username, $note, $email);
|
||||
$res = $mx_db->addRegistration($first_name, $last_name, $username, $password, $note, $email);
|
||||
|
||||
if (!isset($res["verify_token"])) {
|
||||
error_log("sth. went wrong. registration did not throw but admin_token not set");
|
||||
@@ -215,7 +220,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
|
||||
<script type="text/javascript">
|
||||
var user_name = document.getElementById("username");
|
||||
user_name.oninvalid = function (event) {
|
||||
event.target.setCustomValidity("<?php echo $language["USERNAME_LENGTH_INVALID"]; ?>");
|
||||
event.target.setCustomValidity("<?php echo $language["USERNAME_INVALID"]; ?>");
|
||||
}
|
||||
user_name.onkeyup = function (event) {
|
||||
event.target.setCustomValidity("");
|
||||
|
||||
@@ -71,11 +71,17 @@ try {
|
||||
$mxConn = new MatrixConnection($config["homeserver"], $config["access_token"]);
|
||||
|
||||
$password = NULL;
|
||||
$use_db_password = (isset($config["getPasswordOnRegistration"]) && $config["getPasswordOnRegistration"]);
|
||||
if ($use_db_password && isset($user["password"]) && strlen($user["password"]) > 0) {
|
||||
$password = $user["password"];
|
||||
} else {
|
||||
$use_db_password = false;
|
||||
// generate a password with 10 characters
|
||||
$password = bin2hex(openssl_random_pseudo_bytes(5));
|
||||
}
|
||||
switch ($config["operationMode"]) {
|
||||
case "synapse":
|
||||
// register with registration_shared_secret
|
||||
// generate a password with 10 characters
|
||||
$password = bin2hex(openssl_random_pseudo_bytes(5));
|
||||
$res = $mxConn->register($username, $password, $config["registration_shared_secret"]);
|
||||
if (!$res) {
|
||||
// something went wrong while registering
|
||||
@@ -84,7 +90,7 @@ try {
|
||||
break;
|
||||
case "local":
|
||||
// register by adding a user to the local database
|
||||
$password = $mx_db->addUser($first_name, $last_name, $username, $email);
|
||||
$password = $mx_db->addUser($first_name, $last_name, $username, $password, $email);
|
||||
break;
|
||||
default:
|
||||
throw new Exception("Unknown operationMode");
|
||||
@@ -92,7 +98,13 @@ try {
|
||||
if ($password != NULL) {
|
||||
// send registration_success
|
||||
$res = send_mail_registration_success(
|
||||
$config["homeserver"], $first_name . " " . $last_name, $email, $username, $password, $config["howToURL"]
|
||||
$config["homeserver"],
|
||||
$first_name . " " . $last_name,
|
||||
$email,
|
||||
$username,
|
||||
// only send password when auto-created
|
||||
($use_db_password ? NULL : $password),
|
||||
$config["howToURL"]
|
||||
);
|
||||
if ($res) {
|
||||
$mx_db->setRegistrationStateAdmin(RegisterState::AllDone, $token);
|
||||
|
||||
Reference in New Issue
Block a user