v0.10.0

[sandhose]

Breaking changes

• Due to complexity in the build process and low demand, pre-built macOS binaries are not distributed anymore in releases. macOS is still supported when building from the sources
• Open password-based registration is disabled by default
• The basic password policy has been replaced
• Password-based logins and other actions are now rate-limited by default
• The GraphQL API is now internal-only by default, replaced by the new Admin API

Changes since 0.10.0-rc.0

• frontend: remove double separator when password auth is disabled in frontend: remove double separator when password auth is disabled #3105
• Small documentation fixes in Small documentation fixes #3123

New features

CAPTCHA protection on the registration form

Password-based registration can now be protected with a CAPTCHA challenge. MAS supports Google’s reCAPTCHA, hCAPTCHA, as well as Cloudflare Turnstile

Email-based password recovery

When enabled, this feature allows users to recover their account, by sending a link to their confirmed email addresses.

Self-service password change

In addition to password recovery, users can change​ their password themselves through the new password-change interface

Admin API

Need to build administrative or automation tools for MAS? Check out the new admin API!
This replaces the GraphQL API, which is now restricted for internal use by default. If you rely on the GraphQL API through an OAuth 2.0 token, you need to set the undocumented_oauth2_access setting on the graphql listener.

Proper password complexity calculation

To make sure your users have strong-enough passwords, MAS now calculates password complexity using the popular zxcvbn algorithm. This algorithm gives a score from 0 to 4, with suggestions on how to improve the password. By default, MAS will require new passwords to have at least 3, which has a good balance between security and convenience.
This means that the parameters to set a minimum password length and require some symbols are now removed.

Rate-limiting

Some operations are more sensitive than others. You wouldn’t want someone to be able to brute force your password, would you? MAS will now rate-limit such operations, both per-IP and per account to avoid that. See the configuration documentation to learn more.

Other improvements

• Upstream OAuth 2.0 providers removed from the configuration are now automatically disabled when the server starts up. This means that you no longer need to run mas-cli config sync --prune to apply the change. They will still be kept in the database, to avoid losing existing links.
• The account management UI is generally faster, with a smaller initial loading time and prefetching of other pages
• Optional configuration sections are now truly optional. In 0.9.0 we made most configuration sections optional, but the upstream_oauth2 and clients sections were still required to start up. If you kept those to work around the bug in 0.9.0, you can now remove them if you don’t use them.
• The syn2mas migration tool will now supports TLS certificates when connecting to the Synapse and the MAS PostgreSQL databases
• Administrators can choose whether their users are allowed to perform certain actions or not. In particular, self-service registration and email-based password recovery are disabled by default, and must be enabled in the account configuration section
• Administrators can also choose to disable the self-service password change functionality and prevent users from changing their display name or email address through the same configuration section
• Whenever a user logs in or logs out, the list of sessions is now fully synced with the homeserver, making it less likely for it to get out of sync
• A new CLI tool to help registering users:
  

Docker image

Regular image:

• Digest:

  ghcr.io/matrix-org/matrix-authentication-service@sha256:cdf3c4e39afa88297bfa72e317bbde929777bbb5ad1e01082ba74303c170333d
  

• Tags:

  ghcr.io/matrix-org/matrix-authentication-service:0.10.0
  ghcr.io/matrix-org/matrix-authentication-service:0.10
  ghcr.io/matrix-org/matrix-authentication-service:0
  ghcr.io/matrix-org/matrix-authentication-service:sha-d3eb5be
  ghcr.io/matrix-org/matrix-authentication-service:latest
  

Debug variant:

• Digest:

  ghcr.io/matrix-org/matrix-authentication-service@sha256:468fec0860182ec7e7f4282a766ba134794356701636384d9363ef8d0c9e5a07
  

• Tags:

  ghcr.io/matrix-org/matrix-authentication-service:0.10.0-debug
  ghcr.io/matrix-org/matrix-authentication-service:0.10-debug
  ghcr.io/matrix-org/matrix-authentication-service:0-debug
  ghcr.io/matrix-org/matrix-authentication-service:sha-d3eb5be-debug
  ghcr.io/matrix-org/matrix-authentication-service:latest-debug
  

syn2mas migration tool:

• Digest:

  ghcr.io/matrix-org/matrix-authentication-service/syn2mas@sha256:3c16bf6ea862152259294ab2317dbc296a8841688ecfce8688ae1f95c8485534
  

• Tags:

  ghcr.io/matrix-org/matrix-authentication-service/syn2mas:0.10.0
  ghcr.io/matrix-org/matrix-authentication-service/syn2mas:0.10
  ghcr.io/matrix-org/matrix-authentication-service/syn2mas:0
  ghcr.io/matrix-org/matrix-authentication-service/syn2mas:sha-d3eb5be
  ghcr.io/matrix-org/matrix-authentication-service/syn2mas:latest
  

Full list of changes (excluding dependency upgrades)

• Allow disabling registrations by @sandhose in Allow disabling registrations #2553
• Soft-delete upstream providers by @sandhose in Soft-delete upstream providers #2581
• Don't format within eslint, use prettier standalone instead by @sandhose in Don't format within eslint, use prettier standalone instead #2589
• User registration CLI tool by @sandhose in User registration CLI tool #2634
• Allow restricting some self-service capabilities by @sandhose in Allow restricting some self-service capabilities #2562
• Fix navigation links in the frontend by using absolute URLs by @sandhose in Fix navigation links in the frontend by using absolute URLs #2715
• Relax alphabet restrictions on device IDs by @sandhose in Relax alphabet restrictions on device IDs #2718
• Skip the device code form when using the full verification URI by @sandhose in Skip the device code form when using the full verification URI #2738
• Make the consent screens (almost completely) translatable by @sandhose in Make the consent screens (almost completely) translatable #2740
• Better organise the documentation, document the policy engine, the authorisation process and the scopes by @sandhose in Better organise the documentation, document the policy engine, the authorisation process and the scopes #2637
• Always show the primary email first by @sandhose in Always show the primary email first #2767
• CAPTCHA verification during registration by @sandhose in CAPTCHA verification during registration #2759
• Don't panic when the repository fails on the introspection endpoint by @sandhose in Don't panic when the repository fails on the introspection endpoint #2774
• Minor drive-by tweaks by @reivilibre in Minor drive-by tweaks #2779
• Merge the mas_graphql crate into the mas_handlers crate by @reivilibre in Merge the mas_graphql crate into the mas_handlers crate #2783
• Allow parameters in UserInfo endpoint's response's content-type by @zecakeh in Allow parameters in UserInfo endpoint's response's content-type #2808
• Add a setPassword GraphQL mutation for setting a user's password by @reivilibre in Add a setPassword GraphQL mutation for setting a user's password #2820
• Improve errors when MAS contacts the Synapse homeserver by @reivilibre in Improve errors when MAS contacts the Synapse homeserver #2794
• Inject custom Jinja2 environment when rendering the subject template by @sandhose in Inject custom Jinja2 environment when rendering the subject template #2847
• Fix param name in error messages on the compatibility SSO login errors by @sandhose in Fix param name in error messages on the compatibility SSO login errors #2846
• GraphQL API: Add password_change_allowed to SiteConfig by @reivilibre in GraphQL API: Add password_change_allowed to SiteConfig #2857
• Add Self-service Password Change by @reivilibre in Add Self-service Password Change #2863
• Remove the old password change page by @reivilibre in Remove the old password change page #2874
• Forgot password flow by @sandhose in Forgot password flow #2866
• Make the b64decode filter try multiple base64 encoding variants by @sandhose in Make the b64decode filter try multiple base64 encoding variants #2885
• Use a released version of opa-wasm by @sandhose in Use a released version of opa-wasm #2931
• Better support for secure database connections by @sandhose in Better support for secure database connections #2945
• Hyper 1.x by @sandhose in Hyper 1.x #2944
• fix class-b RFC1918 network by @ctr49 in fix class-b RFC1918 network #2908
• GraphQL API to list users with a few filters by @sandhose in GraphQL API to list users with a few filters #2955
• Backend work to support minimum password complexity by @reivilibre in Backend work to support minimum password complexity #2965
• Fully sync the devices with the homeserver by @sandhose in Fully sync the devices with the homeserver #2971
• Allow reactivating users on the homeserver by @sandhose in Allow reactivating users on the homeserver #2970
• Mark sessions as finished in bulk by @sandhose in Mark sessions as finished in bulk #2977
• Remove OPA-based password policy enforcement by @reivilibre in Remove OPA-based password policy enforcement #2875
• Deduplicate the query bulding logic for all dynamic filters by @sandhose in Deduplicate the query bulding logic for all dynamic filters #2979
• frontend: Display and enforce password complexity on the change password screen by @reivilibre in frontend: Display and enforce password complexity on the change password screen #2972
• Code-split the password change route by @sandhose in Code-split the password change route #2981
• Add a filter for inactive sessions by @sandhose in Add a filter for inactive sessions #2983
• graphql: Add a SetPasswordByRecovery mutation to perform account recovery by @reivilibre in graphql: Add a SetPasswordByRecovery mutation to perform account recovery #2986
• frontend: refactor password change form to extract double-input password creation inputs as new component by @reivilibre in frontend: refactor password change form to extract double-input password creation inputs as new component #2994
• update contributing docs with DCO by @joshsimmons in update contributing docs with DCO #2996
• OTEL: remove custom Header{Injector,Extractor} implementations by @sandhose in OTEL: remove custom Header{Injector,Extractor} implementations #3007
• Rework assets loading to fix splitting CSS chunks by @sandhose in Rework assets loading to fix splitting CSS chunks #2985
• Account Recovery: replace the server-side rendered form with an interactive React-based form by @reivilibre in Account Recovery: replace the server-side rendered form with an interactive React-based form #3016
• Bootstrap a new REST-like admin API by @sandhose in Bootstrap a new REST-like admin API #2993
• Rate-limit password-based login attempts by @sandhose in Rate-limit password-based login attempts #3013
• graphql: Expose CAPTCHA config and whether password registration is enabled by @reivilibre in graphql: Expose CAPTCHA config and whether password registration is enabled #3017
• Lazy load all routes in the frontend by @sandhose in Lazy load all routes in the frontend #3033
• Stabilise and document the new account management options by @sandhose in Stabilise and document the new account management options #3034
• Make the optional configuration sections really optional by @sandhose in Make the optional configuration sections really optional #3035
• Host a Swagger UI both in the static documentation and by the server by @sandhose in Host a Swagger UI both in the static documentation and by the server #3018
• Add admin API to create users by @sandhose in Add admin API to create users #3019
• Remove macOS binaries build in CI and remove cargo-zigbuild from Docker image by @sandhose in Remove macOS binaries build in CI and remove cargo-zigbuild from Docker image #2966
• Deactivate user admin API by @sandhose in Deactivate user admin API #3030
• Unlock user admin API by @sandhose in Unlock user admin API #3023
• Lock user admin API by @sandhose in Lock user admin API #3022
• Set password admin API by @sandhose in Set password admin API #3021
• syn2mas: only set the SSL options if we set any of them by @sandhose in syn2mas: only set the SSL options if we set any of them #3089
• Localazy Download by @sandhose in Localazy Download #3091
• OAuth 2.0 sessions list and get admin APIs by @sandhose in OAuth 2.0 sessions list and get admin APIs #3031
• Document the admin API by @sandhose in Document the admin API #3038
• Disallow OAuth 2.0 use of the GraphQL API by default by @sandhose in Disallow OAuth 2.0 use of the GraphQL API by default #3092
• Add configuration for rate-limiting of logins, replacing hardcoded limits by @reivilibre in Add configuration for rate-limiting of logins, replacing hardcoded limits #3090
• Add rate-limiting for account recovery and registration by @reivilibre in Add rate-limiting for account recovery and registration #3093
• Set can_request_admin API by @sandhose in Set can_request_admin API #3082
• frontend: remove double separator when password auth is disabled by @sandhose in frontend: remove double separator when password auth is disabled #3105
• Small documentation fixes by @sandhose in Small documentation fixes #3123

Full Changelog: v0.9.0...v0.10.0

---

This discussion was created from the release v0.10.0.