Remove OpenID support

neilalexander · Mar 13, 2024 · 64b7e77 · 64b7e77
1 parent 4aa8eab
commit 64b7e77
Show file tree

Hide file tree

Showing 21 changed files with 49 additions and 446 deletions.
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ As with Dendrite, supported features include:
 * Presence
 * Fulltext search
 
-The primary goal of this fork is to make things simpler and easier to maintain. With that in mind, **a number of features have been removed**, including SQLite database support, the appservice API, support for 3PIDs, all P2P and relay-related work, support for the WebAssembly target, phone-home stats and others.
+The primary goal of this fork is to make things simpler and easier to maintain. With that in mind, **a number of features have been removed**, including SQLite database support, the appservice API, support for 3PIDs, support for OpenID, all P2P and relay-related work, support for the WebAssembly target, phone-home stats and others.
 
 Aside from that, Harmony can largely operate as a drop-in replacement for Dendrite.
 

diff --git a/clientapi/routing/openid.go b/clientapi/routing/openid.go
diff --git a/clientapi/routing/routing.go b/clientapi/routing/routing.go
@@ -980,19 +980,6 @@ func Setup(
 		}),
 	).Methods(http.MethodGet)
 
-	v3mux.Handle("/user/{userID}/openid/request_token",
-		httputil.MakeAuthAPI("openid_request_token", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
-			if r := rateLimits.Limit(req, device); r != nil {
-				return *r
-			}
-			vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
-			if err != nil {
-				return util.ErrorResponse(err)
-			}
-			return CreateOpenIDToken(req, userAPI, device, vars["userID"], cfg)
-		}),
-	).Methods(http.MethodPost, http.MethodOptions)
-
 	v3mux.Handle("/user_directory/search",
 		httputil.MakeAuthAPI("userdirectory_search", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			if r := rateLimits.Limit(req, device); r != nil {

diff --git a/config-sample.yaml b/config-sample.yaml
@@ -292,12 +292,6 @@ user_api:
   # can be lowered if performing tests or on embedded Dendrite instances (e.g WASM builds).
   bcrypt_cost: 10
 
-  # The length of time that a token issued for a relying party from
-  # /_matrix/client/r0/user/{userId}/openid/request_token endpoint
-  # is considered to be valid in milliseconds.
-  # The default lifetime is 3600000ms (60 minutes).
-  # openid_token_lifetime_ms: 3600000
-
   # Users who register on this homeserver will automatically be joined to the rooms listed under "auto_join_rooms" option.
   # By default, any room aliases included in this list will be created as a publicly joinable room
   # when the first user registers for the homeserver. If the room already exists,

diff --git a/federationapi/routing/openid.go b/federationapi/routing/openid.go
diff --git a/federationapi/routing/routing.go b/federationapi/routing/routing.go
@@ -543,12 +543,6 @@ func Setup(
 		},
 	)).Methods(http.MethodPost)
 
-	v1fedmux.Handle("/openid/userinfo",
-		httputil.MakeExternalAPI("federation_openid_userinfo", func(req *http.Request) util.JSONResponse {
-			return GetOpenIDUserInfo(req, userAPI)
-		}),
-	).Methods(http.MethodGet)
-
 	v1fedmux.Handle("/hierarchy/{roomID}", MakeFedAPI(
 		"federation_room_hierarchy", cfg.Matrix.ServerName, cfg.Matrix.IsLocalServerName, keys, wakeup,
 		func(httpReq *http.Request, request *fclient.FederationRequest, vars map[string]string) util.JSONResponse {

diff --git a/setup/config/config_userapi.go b/setup/config/config_userapi.go
@@ -8,9 +8,6 @@ type UserAPI struct {
 	// The cost when hashing passwords.
 	BCryptCost int `yaml:"bcrypt_cost"`
 
-	// The length of time an OpenID token is condidered valid in milliseconds
-	OpenIDTokenLifetimeMS int64 `yaml:"openid_token_lifetime_ms"`
-
 	// Disable TLS validation on HTTPS calls to push gatways. NOT RECOMMENDED!
 	PushGatewayDisableTLSValidation bool `yaml:"push_gateway_disable_tls_validation"`
 
@@ -27,11 +24,8 @@ type UserAPI struct {
 	WorkerCount int `yaml:"worker_count"`
 }
 
-const DefaultOpenIDTokenLifetimeMS = 3600000 // 60 minutes
-
 func (c *UserAPI) Defaults(opts DefaultOpts) {
 	c.BCryptCost = bcrypt.DefaultCost
-	c.OpenIDTokenLifetimeMS = DefaultOpenIDTokenLifetimeMS
 	c.WorkerCount = 8
 	if opts.Generate {
 		if !opts.SingleDatabase {
@@ -41,7 +35,6 @@ func (c *UserAPI) Defaults(opts DefaultOpts) {
 }
 
 func (c *UserAPI) Verify(configErrs *ConfigErrors) {
-	checkPositive(configErrs, "user_api.openid_token_lifetime_ms", c.OpenIDTokenLifetimeMS)
 	if c.Matrix.DatabaseOptions.ConnectionString == "" {
 		checkNotEmpty(configErrs, "user_api.account_database.connection_string", string(c.AccountDatabase.ConnectionString))
 	}

diff --git a/sytest-whitelist b/sytest-whitelist
@@ -507,8 +507,6 @@ Can pass a JSON filter as a query parameter
 Local room members can get room messages
 Remote room members can get room messages
 Guest users can send messages to guest_access rooms if joined
-Can generate a openid access_token that can be exchanged for information about a user
-Invalid openid access tokens are rejected
 Requests to userinfo without access tokens are rejected
 'ban' event respects room powerlevel
 Non-present room members cannot ban others

diff --git a/userapi/api/api.go b/userapi/api/api.go
@@ -61,7 +61,6 @@ type MediaUserAPI interface {
 // api functions required by the federation api
 type FederationUserAPI interface {
 	UploadDeviceKeysAPI
-	QueryOpenIDToken(ctx context.Context, req *QueryOpenIDTokenRequest, res *QueryOpenIDTokenResponse) error
 	QueryProfile(ctx context.Context, userID string) (*authtypes.Profile, error)
 	QueryDevices(ctx context.Context, req *QueryDevicesRequest, res *QueryDevicesResponse) error
 	QueryKeys(ctx context.Context, req *QueryKeysRequest, res *QueryKeysResponse)
@@ -109,7 +108,6 @@ type ClientUserAPI interface {
 	PerformPusherSet(ctx context.Context, req *PerformPusherSetRequest, res *struct{}) error
 	PerformPushRulesPut(ctx context.Context, userID string, ruleSets *pushrules.AccountRuleSets) error
 	PerformAccountDeactivation(ctx context.Context, req *PerformAccountDeactivationRequest, res *PerformAccountDeactivationResponse) error
-	PerformOpenIDTokenCreation(ctx context.Context, req *PerformOpenIDTokenCreationRequest, res *PerformOpenIDTokenCreationResponse) error
 	QueryNotifications(ctx context.Context, req *QueryNotificationsRequest, res *QueryNotificationsResponse) error
 	InputAccountData(ctx context.Context, req *InputAccountDataRequest, res *InputAccountDataResponse) error
 }
@@ -397,27 +395,6 @@ type PerformAccountDeactivationResponse struct {
 	AccountDeactivated bool
 }
 
-// PerformOpenIDTokenCreationRequest is the request for PerformOpenIDTokenCreation
-type PerformOpenIDTokenCreationRequest struct {
-	UserID string
-}
-
-// PerformOpenIDTokenCreationResponse is the response for PerformOpenIDTokenCreation
-type PerformOpenIDTokenCreationResponse struct {
-	Token OpenIDToken
-}
-
-// QueryOpenIDTokenRequest is the request for QueryOpenIDToken
-type QueryOpenIDTokenRequest struct {
-	Token string
-}
-
-// QueryOpenIDTokenResponse is the response for QueryOpenIDToken
-type QueryOpenIDTokenResponse struct {
-	Sub         string // The Matrix User ID that generated the token
-	ExpiresAtMS int64
-}
-
 // Device represents a client's device (mobile, web, etc)
 type Device struct {
 	ID     string
@@ -461,24 +438,6 @@ type Account struct {
 	// TODO: Associations (e.g. with application services)
 }
 
-// OpenIDToken represents an OpenID token
-type OpenIDToken struct {
-	Token       string
-	UserID      string
-	ExpiresAtMS int64
-}
-
-// OpenIDTokenInfo represents the attributes associated with an issued OpenID token
-type OpenIDTokenAttributes struct {
-	UserID      string
-	ExpiresAtMS int64
-}
-
-// UserInfo is for returning information about the user an OpenID token was issued for
-type UserInfo struct {
-	Sub string // The Matrix user's ID who generated the token
-}
-
 // ErrorForbidden is an error indicating that the supplied access token is forbidden
 type ErrorForbidden struct {
 	Message string

diff --git a/userapi/consumers/roomserver_test.go b/userapi/consumers/roomserver_test.go
@@ -6,14 +6,14 @@ import (
 	"testing"
 	"time"
 
+	"github.com/matrix-org/gomatrixserverlib"
+	"github.com/matrix-org/gomatrixserverlib/spec"
 	"github.com/neilalexander/harmony/internal/caching"
 	"github.com/neilalexander/harmony/internal/sqlutil"
 	"github.com/neilalexander/harmony/roomserver"
 	"github.com/neilalexander/harmony/roomserver/types"
 	"github.com/neilalexander/harmony/setup/jetstream"
 	"github.com/neilalexander/harmony/test/testrig"
-	"github.com/matrix-org/gomatrixserverlib"
-	"github.com/matrix-org/gomatrixserverlib/spec"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/crypto/bcrypt"
 
@@ -30,7 +30,7 @@ func mustCreateDatabase(t *testing.T, dbType test.DBType) (storage.UserDatabase,
 	cm := sqlutil.NewConnectionManager(nil, config.DatabaseOptions{})
 	db, err := storage.NewUserDatabase(context.Background(), cm, &config.DatabaseOptions{
 		ConnectionString: config.DataSource(connStr),
-	}, "", 4, 0, 0, "")
+	}, "", 4, 0, "")
 	if err != nil {
 		t.Fatalf("failed to create new user db: %v", err)
 	}
@@ -158,7 +158,7 @@ func TestLocalRoomMembers(t *testing.T) {
 		caches := caching.NewRistrettoCache(8*1024*1024, time.Hour, caching.DisableMetrics)
 		rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, natsInstance, caches, caching.DisableMetrics)
 		rsAPI.SetFederationAPI(nil, nil)
-		db, err := storage.NewUserDatabase(processCtx.Context(), cm, &cfg.UserAPI.AccountDatabase, cfg.Global.ServerName, bcrypt.MinCost, 1000, 1000, "")
+		db, err := storage.NewUserDatabase(processCtx.Context(), cm, &cfg.UserAPI.AccountDatabase, cfg.Global.ServerName, bcrypt.MinCost, 1000, "")
 		assert.NoError(t, err)
 
 		err = rsapi.SendEvents(processCtx.Context(), rsAPI, rsapi.KindNew, room.Events(), "", "test", "test", nil, false)
@@ -184,7 +184,7 @@ func BenchmarkLocalRoomMembers(b *testing.B) {
 	caches := caching.NewRistrettoCache(8*1024*1024, time.Hour, caching.DisableMetrics)
 	rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, natsInstance, caches, caching.DisableMetrics)
 	rsAPI.SetFederationAPI(nil, nil)
-	db, err := storage.NewUserDatabase(processCtx.Context(), cm, &cfg.UserAPI.AccountDatabase, cfg.Global.ServerName, bcrypt.MinCost, 1000, 1000, "")
+	db, err := storage.NewUserDatabase(processCtx.Context(), cm, &cfg.UserAPI.AccountDatabase, cfg.Global.ServerName, bcrypt.MinCost, 1000, "")
 	assert.NoError(b, err)
 
 	consumer := OutputRoomEventConsumer{db: db, rsAPI: rsAPI, serverName: "test", cfg: &cfg.UserAPI}

diff --git a/userapi/internal/user_api.go b/userapi/internal/user_api.go
@@ -623,34 +623,6 @@ func (a *UserInternalAPI) PerformAccountDeactivation(ctx context.Context, req *a
 	return err
 }
 
-// PerformOpenIDTokenCreation creates a new token that a relying party uses to authenticate a user
-func (a *UserInternalAPI) PerformOpenIDTokenCreation(ctx context.Context, req *api.PerformOpenIDTokenCreationRequest, res *api.PerformOpenIDTokenCreationResponse) error {
-	token := util.RandomString(24)
-
-	exp, err := a.DB.CreateOpenIDToken(ctx, token, req.UserID)
-
-	res.Token = api.OpenIDToken{
-		Token:       token,
-		UserID:      req.UserID,
-		ExpiresAtMS: exp,
-	}
-
-	return err
-}
-
-// QueryOpenIDToken validates that the OpenID token was issued for the user, the replying party uses this for validation
-func (a *UserInternalAPI) QueryOpenIDToken(ctx context.Context, req *api.QueryOpenIDTokenRequest, res *api.QueryOpenIDTokenResponse) error {
-	openIDTokenAttrs, err := a.DB.GetOpenIDTokenAttributes(ctx, req.Token)
-	if err != nil {
-		return err
-	}
-
-	res.Sub = openIDTokenAttrs.UserID
-	res.ExpiresAtMS = openIDTokenAttrs.ExpiresAtMS
-
-	return nil
-}
-
 func (a *UserInternalAPI) DeleteKeyBackup(ctx context.Context, userID, version string) (bool, error) {
 	return a.DB.DeleteKeyBackup(ctx, userID, version)
 }