
/keys/device_signing/upload should not pass an empty auth object initially #27501

Closed
avdb13 opened this issue May 27, 2024 · 5 comments
Labels
A-Authentication S-Minor Impairs non-critical functionality or suitable workarounds exist T-Defect X-Needs-Info This issue is blocked awaiting information from the reporter Z-Spec-Compliance An area where Element doesn't correctly implement the spec

Comments

@avdb13

avdb13 commented May 27, 2024

Steps to reproduce

While working on Conduit I noticed that when Element web calls /keys/device_signing/upload it passes an empty auth object in the initial request which is problematic as this leads to the assumption that the object contains a UIA session identifier. To reproduce one simply has to register a new account.

Related: matrix-org/matrix-spec-proposals#3967

Outcome

auth should only be present in the request when it contains a valid session identifier.

Operating system

non-applicable

Browser information

librewolf-bin-125.0.3

URL for webapp

app.element.io

Application version

Element version: 1.11.67

Homeserver

non-applicable

Will you send logs?

No

@dosubot dosubot bot added A-Authentication S-Minor Impairs non-critical functionality or suitable workarounds exist labels May 27, 2024
@t3chguy
Member

t3chguy commented May 28, 2024

> which is problematic as this leads to the assumption that the object contains a UIA session identifier. To reproduce one simply has to register a new account.

Where in the spec does it say to not do this?

The auth field and its contents are both optional which implies both are valid approaches.

@t3chguy t3chguy added X-Needs-Info This issue is blocked awaiting information from the reporter Z-Spec-Compliance An area where Element doesn't correctly implement the spec labels May 28, 2024
@avdb13
Author

avdb13 commented May 28, 2024

> > which is problematic as this leads to the assumption that the object contains a UIA session identifier. To reproduce one simply has to register a new account.
>
> Where in the spec does it say to not do this?
>
> The auth field and its contents are both optional which implies both are valid approaches.

https://spec.matrix.org/v1.10/client-server-api/#user-interactive-api-in-the-rest-api

> A client should first make a request with no auth parameter.
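A server-side way to stay robust to either client behaviour, added here as an example (it is not Conduit's or Element's code): the UIA handler below treats a missing `auth`, an empty `auth` object and an unknown `session` identically, opening a fresh UIA session instead of assuming a session identifier is present. The user store, the flow list and the in-memory session table are constructed sample data.

```python
import hmac
import json
import secrets

# Constructed sample data (not Conduit's real stores): one user with a password,
# one UIA flow, and an in-memory table of UIA session id -> completed stages.
USERS = {"@alice:example.org": "correct horse battery staple"}
FLOWS = [{"stages": ["m.login.password"]}]
UIA_SESSIONS = {}


def _new_session():
    sid = secrets.token_urlsafe(16)
    UIA_SESSIONS[sid] = set()
    return sid


def _challenge(session_id, errcode=None):
    # 401 body per the UIA spec: flows, completed stages, session id, params.
    resp = {"flows": FLOWS, "completed": sorted(UIA_SESSIONS[session_id]),
            "session": session_id, "params": {}}
    if errcode:
        resp["errcode"] = errcode
    return 401, resp


def uia_handle(body_json):
    """Server-side UIA check for an endpoint such as /keys/device_signing/upload.
    Returns (HTTP status, JSON body). A missing `auth`, an empty `{}` auth, or an
    unknown `session` all open a new UIA session rather than being treated as a
    request that already carries one."""
    body = json.loads(body_json)
    auth = body.get("auth")
    if not isinstance(auth, dict):
        auth = {}
    session_id = auth.get("session")
    if not isinstance(session_id, str) or session_id not in UIA_SESSIONS:
        return _challenge(_new_session())  # first request, `{}` auth, or stale session
    stage = auth.get("type")
    if stage == "m.login.password":
        ident = auth.get("identifier")
        user = ident.get("user", "") if isinstance(ident, dict) else ""
        expected = USERS.get(user, "")
        # Constant-time compare; a wrong password reports M_FORBIDDEN but keeps the session.
        if not (expected and hmac.compare_digest(expected, str(auth.get("password", "")))):
            return _challenge(session_id, "M_FORBIDDEN")
        UIA_SESSIONS[session_id].add(stage)
    elif stage is not None:
        return _challenge(session_id, "M_UNRECOGNIZED")
    done = UIA_SESSIONS[session_id]
    if any(set(flow["stages"]) <= done for flow in FLOWS):
        UIA_SESSIONS.pop(session_id)  # one-shot: a completed session is not reusable
        return 200, {}
    return _challenge(session_id)
```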

@t3chguy
Member

t3chguy commented May 28, 2024

The verb used there is "should", not "must", so this is not against the spec inherently.

@t3chguy
Member

t3chguy commented May 28, 2024

Given the spec says "should" rather than "must", and that UIA is on the way out in favour of OIDC, I'm not sure this will be resolved.

@avdb13
Author

avdb13 commented May 28, 2024

> Given the spec says "should" rather than "must", and that UIA is on the way out in favour of OIDC, I'm not sure this will be resolved.

I see, thanks for clarifying.
