Service to verify details of a user based on a Open ID token.
Service to verify details of a user based on an Open ID Connect token.
Main features:
npm install
Copy the default .env.default to .env and modify as needed.
## REQUIRED# Homeserver client API admin token (synapse only)# Required for the service to verify room membershipUVS_ACCESS_TOKEN=foobar# Homeserver client API URLUVS_HOMESERVER_URL=https://matrix.org# Disable check for non private IP range of homeserver. E.g. set to `true` if your homeserver domain resolves to a private IP.UVS_DISABLE_IP_BLACKLIST=true## OPTIONAL# Auth token to protect the API# If this is set any calls to the provided API endpoints# need have the header "Authorization: Bearer changeme".UVS_AUTH_TOKEN=changeme# Matrix server name to verify OpenID tokens against. See below section.# Defaults to empty value which means verification is made against# whatever Matrix server name passed in with the token.UVS_OPENID_VERIFY_SERVER_NAME=matrix.org# Listen address of the botUVS_LISTEN_ADDRESS=127.0.0.1# Listen port of the botUVS_PORT=3000# Log level, defaults to 'info'# See choices here: https://github.com/winstonjs/winston#logging-levelsUVS_LOG_LEVEL=info
UVS can run in a single homeserver mode or be configured to trust any
homeserver OpenID token. Default is to trust the any Matrix server name
that is given with the OpenID token.
To disable this and ensure only OpenID tokens from a single Matrix homeserver
will be trusted, set the homeserver Matrix server name in the variableUVS_OPENID_VERIFY_SERVER_NAME. Note, this is the server name of the homeserver,
not the client or federation API’s domain.
In either mode, the UserInfo endpoint
is determined by resolving server names in the usual way
so a /.well-known/matrix/server file may be needed even if the homeserver
isn’t otherwise federating. If the homeserver config doesn’t have the federation
listener setup, the openid listener can be added on the same port as the client
listener.
Room membership is still currently limited to be verified from a single
configured homeserver client API via UVS_HOMESERVER_URL.
If UVS_AUTH_TOKEN is set, you’ll need to provide an authorization header as follows:
Authorization: Bearer <value of UVS_AUTH_TOKEN>
Verifies a user OpenID token.
POST /verify/userContent-Type: application/json
Request body:
{"matrix_server_name": "domain.tld","token": "secret OpenID token provided by the user"}
Successful validation response:
{"results": {"user": true},"user_id": "@user:domain.tld"}
Failed validation:
{"results": {"user": false},"user_id": null}
Verifies a user OpenID token and membership in a room.
POST /verify/user_in_roomContent-Type: application/json
Request body:
{"matrix_server_name": "domain.tld","room_id": "!foobar:domain.tld","token": "secret OpenID token provided by the user"}
Successful validation response:
{"results": {"room_membership": true,"user": true},"user_id": "@user:domain.tld","power_levels": {"room": {"ban": 50,"events": {"m.room.avatar": 50,"m.room.canonical_alias": 50,"m.room.history_visibility": 100,"m.room.name": 50,"m.room.power_levels": 100},"events_default": 0,"invite": 0,"kick": 50,"redact": 50,"state_default": 50,"users_default": 0},"user": 50}}
Failed validation, in case token is not valid:
{"results": {"room_membership": false,"user": false},"user_id": null,"power_levels": null}
In the token was validated but user is not in room, the failed response is:
{"results": {"room_membership": false,"user": true},"user_id": "@user:domain.tld","power_levels": null}
npm start
Run in watch mode.
npm run dev
Apache 2.0