From 690b3a4fcce3a58b2b09533c3e3173f5ecfffbc4 Mon Sep 17 00:00:00 2001
From: Tulir Asokan
Date: Mon, 13 Oct 2025 16:07:11 +0300
Subject: [PATCH] Allow using MSC4190 features without opt-in (#19031)
---
 changelog.d/19031.feature | 1 +
 synapse/rest/client/devices.py | 6 +++---
 synapse/rest/client/keys.py | 8 ++------
 tests/rest/client/test_devices.py | 10 ----------
 4 files changed, 6 insertions(+), 19 deletions(-)
 create mode 100644 changelog.d/19031.feature
diff --git a/changelog.d/19031.feature b/changelog.d/19031.feature
new file mode 100644
index 0000000000..711664499b
--- /dev/null
+++ b/changelog.d/19031.feature
@@ -0,0 +1 @@
+Allow using [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) behavior without the opt-in registration flag. Contributed by @tulir @ Beeper.
diff --git a/synapse/rest/client/devices.py b/synapse/rest/client/devices.py
index 0777abde7f..37bc9ae513 100644
--- a/synapse/rest/client/devices.py
+++ b/synapse/rest/client/devices.py
@@ -112,7 +112,7 @@ class DeleteDevicesRestServlet(RestServlet):
 else:
 raise e

- if requester.app_service and requester.app_service.msc4190_device_management:
+ if requester.app_service:
 # MSC4190 can skip UIA for this endpoint
 pass
 else:
@@ -192,7 +192,7 @@ class DeviceRestServlet(RestServlet):
 else:
 raise

- if requester.app_service and requester.app_service.msc4190_device_management:
+ if requester.app_service:
 # MSC4190 allows appservices to delete devices through this endpoint without UIA
 # It's also allowed with MSC3861 enabled
 pass
@@ -227,7 +227,7 @@ class DeviceRestServlet(RestServlet):
 body = parse_and_validate_json_object_from_request(request, self.PutBody)

 # MSC4190 allows appservices to create devices through this endpoint
- if requester.app_service and requester.app_service.msc4190_device_management:
+ if requester.app_service:
 created = await self.device_handler.upsert_device(
 user_id=requester.user.to_string(),
 device_id=device_id,
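Review bot: The UIA bypass in `DeleteDevicesRestServlet` (hunk at -112) now keys on `if requester.app_service:` alone, so every registered appservice skips interactive auth for device deletion, not only those whose registration set `msc4190_device_management`; the same widening is made in the `DeviceRestServlet` hunk at -192 and in `SigningKeyUploadServlet` in synapse/rest/client/keys.py. On an existing deployment this changes what an appservice token is sufficient for as soon as the server is upgraded, so the one-line changelog entry would be better paired with an upgrade note, and the comment here could say so directly: `# Any appservice may skip UIA here (MSC4190); the registration opt-in is no longer consulted`. Which users an appservice may act for is decided where `requester` is built, outside these hunks, and should be confirmed rather than assumed. The enclosing handlers start and end outside the hunks.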
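Review bot: In the PUT handler (hunk at -227) the `upsert_device` branch is now taken for every appservice, so a request naming a device ID that does not exist creates that device, where an appservice without the opt-in previously received an error (the case removed from tests/rest/client/test_devices.py expected 404). Nothing in the commit asserts the new behaviour, because that negative case is deleted rather than inverted; a test that the non-opt-in service now gets a success status for the same request would pin it down. If that case was the only use of `pre_msc_service`, the fixture is presumably left unused in the test class. The rest of the handler, including the non-appservice branch, is outside the hunk.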
diff --git a/synapse/rest/client/keys.py b/synapse/rest/client/keys.py
index 55922b97d4..f8974e34a8 100644
--- a/synapse/rest/client/keys.py
+++ b/synapse/rest/client/keys.py
@@ -543,15 +543,11 @@ class SigningKeyUploadServlet(RestServlet):
 if not keys_are_different:
 return 200, {}

- # MSC4190 can skip UIA for replacing cross-signing keys as well.
- is_appservice_with_msc4190 = (
- requester.app_service and requester.app_service.msc4190_device_management
- )
-
 # The keys are different; is x-signing set up? If no, then this is first-time
 # setup, and that is allowed without UIA, per MSC3967.
 # If yes, then we need to authenticate the change.
- if is_cross_signing_setup and not is_appservice_with_msc4190:
+ # MSC4190 can skip UIA for replacing cross-signing keys as well.
+ if is_cross_signing_setup and not requester.app_service:
 # With MSC3861, UIA is not possible. Instead, the auth service has to
 # explicitly mark the master key as replaceable.
 if self.hs.config.mas.enabled:
diff --git a/tests/rest/client/test_devices.py b/tests/rest/client/test_devices.py
index de80b7c186..93dff77d80 100644
--- a/tests/rest/client/test_devices.py
+++ b/tests/rest/client/test_devices.py
@@ -533,16 +533,6 @@ class MSC4190AppserviceDevicesTestCase(unittest.HomeserverTestCase):
 )
 self.assertEqual(channel.code, 200, channel.json_body)

- # On the regular service, that API should not allow for the
- # creation of new devices.
- channel = self.make_request(
- "PUT",
- "/_matrix/client/v3/devices/AABBCCDD?user_id=@bob:test",
- content={"display_name": "Bob's device"},
- access_token=self.pre_msc_service.token,
- )
- self.assertEqual(channel.code, 404, channel.json_body)
-
 def test_DELETE_device(self) -> None:
 self.register_appservice_user(
 "alice", self.msc4190_service.token, inhibit_login=True
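Review bot: With `if is_cross_signing_setup and not requester.app_service:` any appservice replaces an existing set of cross-signing keys without entering the branch that holds both the UIA step and the MAS replaceable-master-key check, and nothing visible in the hunk records that the check was skipped. Replacing a master key changes the identity other users verify against, so the bypass path deserves an audit trail, for example `logger.info("Appservice %s replaced cross-signing keys for %s without UIA", requester.app_service.id, requester.user.to_string())`, assuming a module-level `logger` exists in keys.py, which the hunk does not show. The relocated comment could also state that the registration opt-in is no longer consulted, since "MSC4190 can skip UIA" no longer describes the condition being tested. The handler begins and continues outside the hunk.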