Version 1.98.0

2024-10-15 18:43:36 +02:00
12 changed files with 1647 additions and 1083 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -0,0 +1,5 @@
 include:
  - project: devops/pipeline-components
    ref: main
    file: cloudron-app.gitlab-ci.yml
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1287,142 +1287,3 @@
 * Update Synapse to 1.118.0
 * [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
 [1.98.1]
 * Update S3 Storage Provider to 1.5.0
 [1.99.0]
 * Update synapse to 1.119.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
 * Support [MSC4151](https://github.com/matrix-org/matrix-spec-proposals/pull/4151)'s stable report room API. ([#&#8203;17374](https://github.com/element-hq/synapse/issues/17374))
 * Add experimental support for [MSC4222](https://github.com/matrix-org/matrix-spec-proposals/pull/4222) (Adding `state_after` to sync v2). ([#&#8203;17888](https://github.com/element-hq/synapse/issues/17888))
 * Fix bug with sliding sync where `$LAZY`-loading room members would not return `required_state` membership in incremental syncs. ([#&#8203;17809](https://github.com/element-hq/synapse/issues/17809))
 * Check if user has membership in a room before tagging it. Contributed by Lama Alosaimi. ([#&#8203;17839](https://github.com/element-hq/synapse/issues/17839))
 * Fix a bug in the admin redact endpoint where the background task would not run if a worker was specified in
 * Fix bug where some presence and typing timeouts can expire early. ([#&#8203;17850](https://github.com/element-hq/synapse/issues/17850))
 * Fix detection when the built Rust library was outdated when using source installations. ([#&#8203;17861](https://github.com/element-hq/synapse/issues/17861))
 * Fix a long-standing bug in Synapse which could cause one-time keys to be issued in the incorrect order, causing message decryption failures. ([#&#8203;17903](https://github.com/element-hq/synapse/pull/17903))
 * Fix experimental support for [MSC4222](https://github.com/matrix-org/matrix-spec-proposals/pull/4222) (Adding `state_after` to sync v2) where we would return the full state on incremental syncs when using lazy loaded members and there were no new events in the timeline. ([#&#8203;17915](https://github.com/element-hq/synapse/pull/17915))
 * Remove support for python 3.8. ([#&#8203;17908](https://github.com/element-hq/synapse/issues/17908))
 * Add a test for downloading and thumbnailing a CMYK JPEG. ([#&#8203;17786](https://github.com/element-hq/synapse/issues/17786))
 * Refactor database calls to remove `Generator` usage. ([#&#8203;17813](https://github.com/element-hq/synapse/issues/17813), [#&#8203;17814](https://github.com/element-hq/synapse/issues/17814), [#&#8203;17815](https://github.com/element-hq/synapse/issues/17815), [#&#8203;17816](https://github.com/element-hq/synapse/issues/17816), [#&#8203;17817](https://github.com/element-hq/synapse/issues/17817), [#&#8203;17818](https://github.com/element-hq/synapse/issues/17818), [#&#8203;17890](https://github.com/element-hq/synapse/issues/17890))
 * Include the destination in the error of 'Destination mismatch' on federation requests. ([#&#8203;17830](https://github.com/element-hq/synapse/issues/17830))
 * The nix flake inside the repository no longer tracks nixpkgs/master to not catch the latest bugs from a MR merged 5 minutes ago. ([#&#8203;17852](https://github.com/element-hq/synapse/issues/17852))
 * Minor speed-up of sliding sync by computing extensions results in parallel. ([#&#8203;17884](https://github.com/element-hq/synapse/issues/17884))
 * Bump the default Python version in the Synapse Dockerfile from 3.11 -> 3.12. ([#&#8203;17887](https://github.com/element-hq/synapse/issues/17887))
 * Remove usage of internal header encoding API. ([#&#8203;17894](https://github.com/element-hq/synapse/issues/17894))
 * Use unique name for each os.arch variant when uploading Wheel artifacts. ([#&#8203;17905](https://github.com/element-hq/synapse/issues/17905))
 * Fix tests to run with latest Twisted. ([#&#8203;17906](https://github.com/element-hq/synapse/pull/17906), [#&#8203;17907](https://github.com/element-hq/synapse/pull/17907), [#&#8203;17911](https://github.com/element-hq/synapse/pull/17911))
 * Update version constraint to allow the latest poetry-core 1.9.1. ([#&#8203;17902](https://github.com/element-hq/synapse/pull/17902))
 * Update the portdb CI to use Python 3.13 and Postgres 17 as latest dependencies. ([#&#8203;17909](https://github.com/element-hq/synapse/pull/17909))
 * Add an index to `current_state_delta_stream` table. ([#&#8203;17912](https://github.com/element-hq/synapse/issues/17912))
 * Fix building and attaching release artifacts during the release process. ([#&#8203;17921](https://github.com/element-hq/synapse/issues/17921))
 [1.100.0]
 * Update synapse to 1.120.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
 * Fix a bug introduced in Synapse v1.120rc1 which would cause the newly-introduced `delete_old_otks` job to fail in worker-mode deployments. ([#&#8203;17960](https://github.com/element-hq/synapse/issues/17960))
 [1.100.1]
 * Update synapse to 1.120.2
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
 [1.101.0]
 * Update synapse to 1.121.1
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.121.0)
 * Support for MSC4190: device management for Application Services. (#17705)
 * Update MSC4186 Sliding Sync to include invite, ban, kick, targets when $LAZY-loading room members. (#17947)
 * Use stable M_USER_LOCKED error code for locked accounts, as per Matrix 1.12. (#17965)
 * MSC4076: Add disable_badge_count to pusher configuration. (#17975)
 [1.101.1]
 * CLOUDRON_OIDC_PROVIDER_NAME implemented
 [1.102.0]
 * Update synapse to 1.122.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.122.0)
 [1.103.0]
 * Update synapse to 1.123.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.123.0)
 [1.104.0]
 * Update synapse to 1.124.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.124.0)
 [1.105.0]
 * Update synapse to 1.125.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.125.0)
 * Add functionality to be able to use multiple values in SSO feature attribute_requirements. (#17949)
 * Add experimental config options admin_token_path and client_secret_path for MSC3861. (#18004)
 * Add get_current_time_msec() method to the module API for sound time comparisons with Synapse. (#18144)
 * Update the response when a client attempts to add an invalid email address to the user's account from a 500, to a 400 with error text. (#18125)
 * Fix user directory search when using a legacy module with a check_username_for_spam callback. Broke in v1.122.0. (#18135)
 [1.106.0]
 * Update synapse to 1.126.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.126.0)
 * Define ratelimit configuration for delayed event management. (#18019)
 * Add form_secret_path config option. (#18090)
 * Add the --no-secrets-in-config command line option. (#18092)
 * Add background job to clear unreferenced state groups. (#18154)
 * Add support for specifying/overriding id_token_signing_alg_values_supported for an OpenID identity provider. (#18177)
 * Add worker_replication_secret_path config option. (#18191)
 * Add support for specifying/overriding redirect_uri in the authorization and token requests against an OpenID identity provider. (#18197)
 [1.107.0]
 * Update base image to 5.0.0
 [1.108.0]
 * Update synapse to 1.127.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.127.0)
 * Update MSC4140 implementation to no longer cancel a user's own delayed state events with an event type & state key that match a more recent state event sent by that user. (#17810)
 * Fixed a minor typo in the Synapse documentation. Contributed by @karuto12. (#18224)
 * Remove undocumented SYNAPSE_USE_FROZEN_DICTS environment variable. (#18123)
 * Fix detection of workflow failures in the release script. (#18211)
 * Add caching support to media endpoints. (#18235)
 [1.108.1]
 * Update synapse to 1.127.1
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.127.1)
 * Fix CVE-2025-30355 / GHSA-v56r-hwv5-mxg6. High severity vulnerability affecting federation. The vulnerability has been exploited in the wild.
 [1.109.0]
 * Update synapse to 1.128.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.128.0)
 * Add an access token introspection cache to make Matrix Authentication Service integration (MSC3861) more efficient. (#18231)
 * Add background job to clear unreferenced state groups. (#18254)
 * Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. (#18277, #18302, #18296)
 [1.110.0]
 * Update synapse to 1.129.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.129.0)
 [1.111.0]
 * Update synapse to 1.130.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.130.0)
 * Fix startup being blocked on creating a new index that was introduced in v1.130.0rc1. ([#&#8203;18439](https://github.com/element-hq/synapse/issues/18439))
 * Fix the ordering of local messages in rooms that were affected by [GHSA-v56r-hwv5-mxg6](https://github.com/advisories/GHSA-v56r-hwv5-mxg6). ([#&#8203;18447](https://github.com/element-hq/synapse/issues/18447))
 [1.112.0]
 * Update synapse to 1.131.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.131.0)
 [1.113.0]
 * Update synapse to 1.132.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.132.0)
 [1.114.0]
 * Update synapse to 1.133.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.133.0)
 * Pre-built wheels are now built using the manylinux\_2\_28 base, which is expected to be compatible with distros using glibc 2.28 or later, including:
 * Previously, wheels were built using the manylinux2014 base, which was expected to be compatible with distros using glibc 2.17 or later.
 * Bump `cibuildwheel` to 3.0.0 to fix the `manylinux` wheel builds. ([#&#8203;18615](https://github.com/element-hq/synapse/issues/18615))
 [1.115.0]
 * Update synapse to 1.134.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.134.0)
 [1.116.0]
 * Update synapse to 1.135.0
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.135.0)
--- a/CloudronManifest.json
+++ b/CloudronManifest.json
@@ -5,8 +5,8 @@
  "description": "file://DESCRIPTION.md",
  "changelog": "file://CHANGELOG.md",
  "tagline": "Secure & decentralized communication",
-  "version": "1.116.0",
+  "version": "1.98.0",
-  "upstreamVersion": "1.135.0",
+  "upstreamVersion": "1.117.0",
  "healthCheckPath": "/",
  "httpPort": 8008,
  "memoryLimit": 536870912,
@@ -44,18 +44,9 @@
    "https://screenshots.cloudron.io/org.matrix.synapse/2.png",
    "https://screenshots.cloudron.io/org.matrix.synapse/3.png"
  ],
  "checklist": {
    "configure-federation": {
      "message": "For federation to work, the delegation URI `https://$CLOUDRON-APP-DOMAIN/.well-known/matrix/server` must be configured. See the [docs](https://docs.cloudron.io/apps/synapse/#post-installation) on how to do this."
    },
    "registration-enabled-without-verification": {
      "message": "Registration is enabled but verification is disabled. See [docs](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=registration_require#enable_registration) for more information",
      "sso": false
    }
  },
  "postInstallMessage": "file://POSTINSTALL.md",
-  "minBoxVersion": "8.2.0",
+  "minBoxVersion": "7.5.1",
  "forumUrl": "https://forum.cloudron.io/category/50/matrix-synapse-riot",
-  "documentationUrl": "https://docs.cloudron.io/packages/synapse/",
+  "documentationUrl": "https://docs.cloudron.io/apps/synapse/",
  "optionalSso": true
 }
--- a/23
+++ b/23
@@ -1,27 +1,32 @@
-FROM cloudron/base:5.0.0@sha256:04fd70dbd8ad6149c19de39e35718e024417c3e01dc9c6637eaf4a41ec4e596c
+FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
 RUN mkdir -p /app/pkg
 WORKDIR /app/code
-# https://github.com/element-hq/synapse/blob/master/docs/setup/installation.md?plain=1#L202
+# https://pythonspeed.com/articles/activate-virtualenv-dockerfile/
-RUN python3 -m venv /app/code/env
+RUN virtualenv -p python3 /app/code/env
 ENV VIRTUAL_ENV=/app/code/env
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 # renovate: datasource=github-releases depName=element-hq/synapse versioning=semver extractVersion=^v(?<version>.+)$
-ARG SYNAPSE_VERSION=1.135.0
+ARG SYNAPSE_VERSION=1.117.0
 # renovate: datasource=github-releases depName=matrix-org/synapse-s3-storage-provider versioning=semver extractVersion=^v(?<version>.+)$
-ARG S3PROVIDER_VERSION=1.5.0
+ARG S3PROVIDER_VERSION=1.4.0
 # Synapse (https://github.com/matrix-org/synapse/blob/master/INSTALL.md)
 # lxml - required for previews
-RUN source /app/code/env/bin/activate && \
+RUN pip install --upgrade pip && \
-    pip3 install --no-cache-dir matrix-synapse==v${SYNAPSE_VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml publicsuffix2 git+https://github.com/matrix-org/synapse-s3-storage-provider.git@v${S3PROVIDER_VERSION} matrix-synapse[oidc]
+    pip install --upgrade setuptools && \
    pip install matrix-synapse==v${SYNAPSE_VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml publicsuffix2 git+https://github.com/matrix-org/synapse-s3-storage-provider.git@v${S3PROVIDER_VERSION} matrix-synapse[oidc]
 # Updated suffix list
-RUN curl -L https://publicsuffix.org/list/public_suffix_list.dat -o /app/code/env/lib/python3.12/site-packages/publicsuffix2/public_suffix_list.dat
+RUN curl -L https://publicsuffix.org/list/public_suffix_list.dat -o /app/code/env/lib/python3.10/site-packages/publicsuffix2/public_suffix_list.dat
-RUN ln -sf /app/data/index.html /app/code/env/lib/python3.12/site-packages/synapse/static/index.html
+RUN ln -sf /app/data/index.html /app/code/env/lib/python3.10/site-packages/synapse/static/index.html
 RUN chown -R cloudron.cloudron /app/code
 ADD index.html homeserver.yaml.template start.sh /app/pkg/
--- a/POSTINSTALL.md
+++ b/POSTINSTALL.md
@@ -1,2 +1,6 @@
 Account ids are created with the username and the second level domain under which the
 app is installed e.g. `@$CLOUDRON-USERNAME:$CLOUDRON-APP-DOMAIN`.
 For federation to work, the delegation URI `https://$CLOUDRON-APP-DOMAIN/.well-known/matrix/server`
 must be configured. See the [docs](https://docs.cloudron.io/apps/synapse/#post-installation) on how to do this.
--- a/homeserver.yaml.template
+++ b/homeserver.yaml.template
@@ -1,4 +1,4 @@
-# https://github.com/element-hq/synapse/blob/master/docs/sample_config.yaml
+# https://github.com/matrix-org/synapse/blob/master/docs/sample_config.yaml
 # if you change this, change the auto_join_rooms below as well
 server_name: "example.com"
@@ -13,6 +13,7 @@ listeners:
    type: http
    x_forwarded: true
    bind_addresses: ['0.0.0.0']
    resources:
      - names: [client,federation]
        compress: false
@@ -20,6 +21,7 @@ listeners:
 database:
  name: "psycopg2"
  args:
    # Path to the database
    user: ${POSTGRESQL_USERNAME}
    password: ${POSTGRESQL_PASSWORD}
    database: ${POSTGRESQL_DATABASE}
@@ -27,17 +29,6 @@ database:
    cp_min: 5
    cp_max: 10
 log_config: "/app/data/configs/log.config"
 media_store_path: "/app/data/data/media_store"
 registration_shared_secret: "some_shared_secret"
 report_stats: false
 macaroon_secret_key: "some_macaroon_secret"
 form_secret: "some_form_secret"
 signing_key_path: "/app/data/configs/signing.key"
 trusted_key_servers:
  - server_name: "matrix.org"
 ## Cloudron packaging
 email:
    smtp_host: mail.server
    smtp_port: 587
@@ -49,37 +40,74 @@ email:
    enable_notifs: true
    notif_for_new_users: true
 password_providers:
    - module: "synapse.util.ldap_auth_provider.LdapAuthProvider"
      config:
        enabled: true
        uri: "ldap://ldap.example.com:389"
        start_tls: true
        base: "ou=users,dc=example,dc=com"
        attributes:
           uid: "username"
           mail: "mail"
           name: "username"
        bind_dn: "ou=users,dc=cloudron"
        bind_password: "password"
        filter: "(objectClass=posixAccount)"
 # turn
 turn_uris: []
 turn_shared_secret: "sharedsecret"
 turn_allow_guests: true
-# sso (https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#single-sign-on-integration)
+federation_ip_range_blacklist:
-enable_registration: false
+  - '127.0.0.0/8'
-# without this, registration requires one of email/captcha/token verification
+  - '10.0.0.0/8'
-enable_registration_without_verification: true
+  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'
-oidc_providers:
+enable_registration: false
-  - idp_id: cloudron
+enable_registration_without_verification: true
-    idp_name: "CLOUDRON_OIDC_PROVIDER_NAME"
+registration_shared_secret: "somesecret"
-    issuer: "CLOUDRON_OIDC_ISSUER"
+allow_guest_access: false
-    client_id: "CLOUDRON_OIDC_CLIENT_ID"
+
-    client_secret: "CLOUDRON_OIDC_CLIENT_SECRET"
+enable_group_creation: true
-    scopes: ["openid", "profile", "email"]
+
-    authorization_endpoint: "CLOUDRON_OIDC_AUTH_ENDPOINT"
+report_stats: False
-    token_endpoint: "CLOUDRON_OIDC_TOKEN_ENDPOINT"
+
-    userinfo_endpoint: "CLOUDRON_OIDC_AUTH_ENDPOINT"
+signing_key_path: "/app/data/configs/signing.key"
-    allow_existing_users: true
+
-    enable_registration: true
+url_preview_enabled: true
-    backchannel_logout_enabled: false
+url_preview_ip_range_blacklist:
-    user_mapping_provider:
+  - '127.0.0.0/8'
-      config:
+  - '10.0.0.0/8'
-        localpart_template: "{{ user.sub }}"
+  - '172.16.0.0/12'
-        display_name_template: "{{ user.name }}"
+  - '192.168.0.0/16'
-        email_template: "{{ user.email }}"
+  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'
 media_store_path: "/app/data/data/media_store"
 max_upload_size: 200M
 max_image_pixels: "32M"
 dynamic_thumbnails: false
 autocreate_auto_join_rooms: true
 auto_join_rooms:
  - "#discuss:example.com"
 trusted_key_servers:
  - server_name: "matrix.org"
 suppress_key_server_warning: true
 password_config:
-    enabled: false
+   enabled: true
-    localdb_enabled: false
+   localdb_enabled: false
    pepper: "some_pepper_secret"
--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,6 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "local>devops/renovator//config/app/default.json5"
  ]
 }
--- a/renovate.json5
+++ b/renovate.json5
@@ -1,4 +0,0 @@
 {
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": ["local>devops/renovator//default.renovate.json5"]
 }
--- a/start.sh
+++ b/start.sh
@@ -4,8 +4,6 @@ set -eu
 mkdir -p /app/data/data /app/data/configs /run/synapse
 source /app/code/env/bin/activate
 if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
    echo "==> Detected first run"
@@ -33,14 +31,14 @@ if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
    yq eval -i ".server_name=\"${server_name}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".registration_shared_secret=\"$(pwgen -1s 64)\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".macaroon_secret_key=\"$(pwgen -1s 64)\"" /app/data/configs/homeserver.yaml
+
-    yq eval -i ".form_secret=\"$(pwgen -1s 64)\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".auto_join_rooms=[]" /app/data/configs/homeserver.yaml
    yq eval -i ".auto_join_rooms[0]=\"#discuss:${server_name}\"" /app/data/configs/homeserver.yaml
    if [[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
        yq eval -i ".enable_registration=true" /app/data/configs/homeserver.yaml
-        yq eval -i ".password_config.enabled=true" /app/data/configs/homeserver.yaml
+        # just setting enabled to false is not enough. see https://github.com/matrix-org/matrix-synapse-ldap3/issues/123
-        yq eval -i ".password_config.localdb_enabled=true" /app/data/configs/homeserver.yaml
+        yq eval -i "del(.password_providers)" /app/data/configs/homeserver.yaml
        yq eval -i "del(.oidc_providers)" /app/data/configs/homeserver.yaml
    fi
    yq eval -i ".password_config.pepper=\"$(pwgen -1s 12)\"" /app/data/configs/homeserver.yaml # always set this so that users can enable password login if needed
 fi
@@ -69,9 +67,10 @@ yq eval -i ".email.notif_from=\"${CLOUDRON_MAIL_FROM_DISPLAY_NAME:-Matrix} <${CL
 # oidc
 if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
    yq eval -i "del(.password_providers)" /app/data/configs/homeserver.yaml # remove old ldap config
    echo " ==> Configuring OIDC auth"
    yq eval -i ".oidc_providers[0].idp_id=\"cloudron\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".oidc_providers[0].idp_name=\"${CLOUDRON_OIDC_PROVIDER_NAME:-Cloudron}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].idp_name=\"Cloudron\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].issuer=\"${CLOUDRON_OIDC_ISSUER}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].client_id=\"${CLOUDRON_OIDC_CLIENT_ID}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].client_secret=\"${CLOUDRON_OIDC_CLIENT_SECRET}\"" /app/data/configs/homeserver.yaml
@@ -85,9 +84,10 @@ if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
    yq eval -i ".oidc_providers[0].skip_verification=true" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].user_mapping_provider.config.localpart_template=\"{{ user.sub }}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].user_mapping_provider.config.display_name_template=\"{{ user.name }}\"" /app/data/configs/homeserver.yaml
    yq eval -i ".oidc_providers[0].user_mapping_provider.config.email_template=\"{{ user.email }}\"" /app/data/configs/homeserver.yaml
 else
    yq eval -i ".password_config.localdb_enabled=true" /app/data/configs/homeserver.yaml
    # just setting enabled to false is not enough. see https://github.com/matrix-org/matrix-synapse-ldap3/issues/123
    yq eval -i "del(.password_providers)" /app/data/configs/homeserver.yaml
 fi
 # turn (https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md#synapse-setup)
@@ -100,7 +100,7 @@ fi
 # fix permissions
 echo "==> Fixing permissions"
-chown -R cloudron:cloudron /app/data /run/synapse
+chown -R cloudron.cloudron /app/data /run/synapse
 echo "==> Starting synapse"
-exec gosu cloudron:cloudron python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml -n
+gosu cloudron:cloudron python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml -n
--- a/test/package-lock.json
+++ b/test/package-lock.json
--- a/test/package.json
+++ b/test/package.json
@@ -9,9 +9,9 @@
  "author": "",
  "license": "ISC",
  "dependencies": {
-    "chromedriver": "^138.0.5",
+    "chromedriver": "^129.0.2",
    "expect.js": "^0.3.1",
-    "mocha": "^11.7.1",
+    "mocha": "^10.7.3",
-    "selenium-webdriver": "^4.34.0"
+    "selenium-webdriver": "^4.25.0"
  }
 }
--- a/test/test.js
+++ b/test/test.js
@@ -91,7 +91,6 @@ describe('Application life cycle test', function () {
    async function updateSynapseConfig() {
        console.log(`Setting Synapse Matrix server location to "https://${app.fqdn}"`);
        execSync(`cloudron exec --app ${ELEMENT_LOCATION} -- bash -c "jq '.default_server_config[\\"m.homeserver\\"].base_url = \\"https://${app.fqdn}\\"' /app/data/config.json | sponge /app/data/config.json"`);
        execSync(`cloudron restart --app ${ELEMENT_LOCATION}`);
        // wait when all services are up and running
@@ -107,84 +106,61 @@ describe('Application life cycle test', function () {
        await browser.get(`https://${elementApp.fqdn}/#/register`);
        await waitForElement(By.xpath('//input[@label="Username"]'));
        await browser.findElement(By.xpath('//input[@label="Username"]')).sendKeys(USERNAME);
        await browser.sleep(2000);
        await browser.findElement(By.xpath('//input[@label="Password"]')).sendKeys(PASSWORD);
        await browser.sleep(2000);
        await browser.findElement(By.xpath('//input[@label="Confirm password"]')).sendKeys(PASSWORD);
        await browser.sleep(2000);
        await browser.findElement(By.xpath('//input[@value="Register"]')).click();
-
+        await browser.sleep(2000);
-        await waitForElement(By.xpath('//h1[text()="You\'re in"] | //h1[contains(., "Welcome")]'));
+        await waitForElement(By.xpath('//h1[text()="You\'re in"]'));
-        if (await browser.findElements(By.xpath('//div[@role="button" and text()="Skip"]')).then(found => !!found.length)) {
+        await browser.sleep(2000);
-            await browser.findElement(By.xpath('//div[@role="button" and text()="Skip"]')).click();
+        await browser.findElement(By.xpath('//div[@role="button" and text()="Skip"]')).click();
-        }
+        await browser.sleep(2000);
        await waitForElement(By.xpath(`//h1[contains(., "Welcome")]`));
    }
-    async function loginOIDC(username, password, alreadyAuthenticated, proceedWithReset) {
+    async function loginOIDC(username, password, hasSession, proceedWithReset) {
        browser.manage().deleteAllCookies();
        await browser.get(`https://${elementApp.fqdn}/#/login`);
        await browser.sleep(6000);
        await waitForElement(By.xpath('//div[@role="button" and contains(., "Continue with Cloudron")]'));
        await browser.findElement(By.xpath('//div[@role="button" and contains(., "Continue with Cloudron")]')).click();
        await browser.sleep(2000);
-        await waitForElement(By.css('.mx_Dropdown_arrow'));
+        if (!hasSession) {
-        await browser.findElement(By.css('.mx_Dropdown_arrow')).click();
+            await waitForElement(By.xpath('//input[@name="username"]'));
-        await waitForElement(By.id('mx_LanguageDropdown__en'));
+            await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
-        await browser.findElement(By.id('mx_LanguageDropdown__en')).click();
+            await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
-        await browser.sleep(3000);
+            await browser.sleep(2000);
        await waitForElement(By.xpath('//div[@role="button" and contains(., "Continue with")]'));
        await browser.findElement(By.xpath('//div[@role="button" and contains(., "Continue with")]')).click();
        if (!alreadyAuthenticated) {
            await waitForElement(By.id('inputUsername'));
            await browser.findElement(By.id('inputUsername')).sendKeys(username);
            await browser.findElement(By.id('inputPassword')).sendKeys(password);
            await browser.findElement(By.id('loginSubmitButton')).click();
            await browser.sleep(2000);
        }
        await waitForElement(By.xpath('//p[@class="confirm-trust" and contains(., "Continuing will grant ")]'));
        await browser.findElement(By.xpath('//a[contains(., "Continue")]')).click();
        await browser.sleep(2000);
        if (proceedWithReset) {
            await waitForElement(By.xpath('//div[text()="Proceed with reset" or text()="Reset all"]'));
            if (await browser.findElements(By.xpath('//div[text()="Reset all"]')).then(found => !!found.length)) {
                await browser.findElement(By.xpath('//div[text()="Reset all"]')).click();
            }
            await waitForElement(By.xpath('//div[text()="Proceed with reset"]'));
            await browser.findElement(By.xpath('//div[text()="Proceed with reset"]')).click();
-            await waitForElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]'));
+            await waitForElement(By.xpath('//button[text()="Continue"]'));
-            await browser.findElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]')).click();
+            await browser.findElement(By.xpath('//button[text()="Continue"]')).click();
-            await waitForElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]'));
+            await waitForElement(By.xpath('//div[text()="Copy"]'));
-            await browser.findElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]')).click();
+            await browser.findElement(By.xpath('//div[text()="Copy"]')).click();
            await waitForElement(By.xpath('//button[text()="Done"] | //div[text()="Single Sign On"]'));
-            if (await browser.findElements(By.xpath('//div[text()="Single Sign On"]')).then(found => !!found.length)) {
+            await browser.sleep(1000);
-                await browser.findElement(By.xpath('//div[text()="Single Sign On"]')).click();
+            await waitForElement(By.xpath('//button[text()="Continue"]'));
            await browser.findElement(By.xpath('//button[text()="Continue"]')).click();
-                const originalWindowHandle = await browser.getWindowHandle();
+            await waitForElement(By.xpath('//button[text()="Done"]'));
-                await browser.wait(async () => (await browser.getAllWindowHandles()).length === 2, 10000);
+            await browser.findElement(By.xpath('//button[text()="Done"]')).click();
                //Loop through until we find a new window handle
                const windows = await browser.getAllWindowHandles();
                windows.forEach(async handle => {
                    if (handle !== originalWindowHandle) {
                        await browser.switchTo().window(handle);
                    }
                });
                await waitForElement(By.xpath('//a[contains(., "Continue with")]'));
                await browser.findElement(By.xpath('//a[contains(., "Continue with")]')).click();
-                // switch back to the main window
+            await waitForElement(By.xpath('//div[text()="Cancel"]'));
-                await browser.switchTo().window(originalWindowHandle);
+            await browser.findElement(By.xpath('//div[text()="Cancel"]')).click();
                await waitForElement(By.xpath('//div[text()="Confirm"]'));
                await browser.findElement(By.xpath('//div[text()="Confirm"]')).click();
            }
            await waitForElement(By.xpath('//div[text()="Cancel"] | //h1[contains(., "Welcome")]'));
            if (await browser.findElements(By.xpath('//div[text()="Cancel"]')).then(found => !!found.length)) {
                await browser.findElement(By.xpath('//div[text()="Cancel"]')).click();
            }
        }
        await browser.sleep(3000);
@@ -238,23 +214,18 @@ describe('Application life cycle test', function () {
    async function createRoom() {
        await browser.get(`https://${elementApp.fqdn}/#/home`);
-        await browser.sleep(2000);
+        await browser.sleep(4000);
        await waitForElement(By.xpath('//div[@role="button" and @aria-label="Add room"]'));
        await browser.findElement(By.xpath('//div[@role="button" and @aria-label="Add room"]')).click();
-        await browser.sleep(1000);
+        await browser.sleep(2000);
        await waitForElement(By.xpath('//li[@role="menuitem" and @aria-label="New room"]'));
        await browser.findElement(By.xpath('//li[@role="menuitem" and @aria-label="New room"]')).click();
-        await browser.sleep(1000);
+        await browser.sleep(2000);
        await waitForElement(By.xpath('//input[@label="Name"]'));
        await browser.findElement(By.xpath('//input[@label="Name"]')).sendKeys(ROOM_NAME);
        await browser.sleep(2000);
        await browser.sleep(1000);
        await waitForElement(By.xpath('//button[text()="Create room"]'));
        await browser.findElement(By.xpath('//button[text()="Create room"]')).click();
-
+        await browser.sleep(2000);
        await browser.sleep(1000);
        await waitForElement(By.xpath('//div[@role="button" and @aria-label="Add room"]'));
@@ -292,7 +263,6 @@ describe('Application life cycle test', function () {
    it('can get Element app info', getElementAppInfo);
    it('can register new user', registerUser);
    it('create room', createRoom);
    it('can send message', sendMessage);
    it('can logout', logout); // from auto-login
@@ -315,12 +285,12 @@ describe('Application life cycle test', function () {
    it('can get Element app info', getElementAppInfo);
    it('update element-app config', updateSynapseConfig);
-    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, false, false));
+    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, false, false /* proceedWithReset */));
    it('create room', createRoom);
    it('can send message', sendMessage);
    it('can get app info', getAppInfo);
-    it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`); });
+    it('can restart app', function () { execSync(`cloudron restart ${app.id}`); });
    it('backup app', function () { execSync(`cloudron backup create --app ${app.id}`, EXEC_ARGS); });
@@ -345,8 +315,7 @@ describe('Application life cycle test', function () {
    it('can logout', logout);
    it('can get app info', getAppInfo);
-    // web ui also throws random errors after changing domain
+    it('move to different location', async function () {
    xit('move to different location (skipped since no matrix support)', async function () {
        browser.manage().deleteAllCookies();
        await browser.get('about:blank');
@@ -354,11 +323,13 @@ describe('Application life cycle test', function () {
        getAppInfo();
        await browser.sleep(15000);
    });
-    xit('update element-app config', updateSynapseConfig);
+
-    xit('can get Element app info', getElementAppInfo);
+    it('update element-app config', updateSynapseConfig);
-    xit('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, true, true));
+
-    xit('check room', checkRoom);
+    it('can get Element app info', getElementAppInfo);
-    xit('can send message', sendMessage);
+    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, true, true /* proceedWithReset */));
    it('check room', checkRoom);
    it('can send message', sendMessage);
    it('uninstall app', async function () {
        await browser.get('about:blank');
@@ -376,14 +347,14 @@ describe('Application life cycle test', function () {
    it('can install element-web app (update)', function () { execSync('cloudron install --appstore-id im.riot.cloudronapp --location ' + ELEMENT_LOCATION, EXEC_ARGS); });
    it('can get Element app info', getElementAppInfo);
    it('update element-app config', updateSynapseConfig);
-    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, false, false));
+    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, false, false /* proceedWithReset */));
    it('is logged in', isLoggedIn);
    it('create room', createRoom);
    it('can send message', sendMessage);
    it('can logout', logout);
    it('clear cache', clearCache);
    it('can update', async function () {
        await browser.get('about:blank');
@@ -392,12 +363,11 @@ describe('Application life cycle test', function () {
    });
    it('can get Element app info', getElementAppInfo);
-    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, false, true));
+    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, true, true /* proceedWithReset */));
    it('is logged in', isLoggedIn);
    it('check room', checkRoom);
    it('can send message', sendMessage);
    it('can get app info', getAppInfo);
    it('uninstall app', async function () {
        await browser.get('about:blank');