MAS implementation

CHANGELOG.md

@@ -1393,56 +1393,3 @@
 * Add background job to clear unreferenced state groups. (#18254)
 * Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. (#18277, #18302, #18296)
 
-[1.110.0]
-* Update synapse to 1.129.0
-* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.129.0)
-
-[1.111.0]
-* Update synapse to 1.130.0
-* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.130.0)
-* Fix startup being blocked on creating a new index that was introduced in v1.130.0rc1. ([#​18439](https://github.com/element-hq/synapse/issues/18439))
-* Fix the ordering of local messages in rooms that were affected by [GHSA-v56r-hwv5-mxg6](https://github.com/advisories/GHSA-v56r-hwv5-mxg6). ([#​18447](https://github.com/element-hq/synapse/issues/18447))
-
-[1.112.0]
-* Update synapse to 1.131.0
-* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.131.0)
-
-[1.113.0]
-* Update synapse to 1.132.0
-* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.132.0)
-
-[1.114.0]
-* Update synapse to 1.133.0
-* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.133.0)
-* Pre-built wheels are now built using the manylinux\_2\_28 base, which is expected to be compatible with distros using glibc 2.28 or later, including:
-* Previously, wheels were built using the manylinux2014 base, which was expected to be compatible with distros using glibc 2.17 or later.
-* Bump `cibuildwheel` to 3.0.0 to fix the `manylinux` wheel builds. ([#​18615](https://github.com/element-hq/synapse/issues/18615))
-
-[1.115.0]
-* Update synapse to 1.134.0
-* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.134.0)
-
-[1.116.0]
-* Update synapse to 1.135.0
-* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.135.0)
-
-[1.116.1]
-* Update synapse to 1.135.2
-* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.135.2)
-* Fix invalidation of storage cache that was broken in 1.135.0. ([#​18786](https://github.com/element-hq/synapse/issues/18786))
-* Add a parameter to `upgrade_rooms(..)` to allow auto join local users. ([#​82](https://github.com/element-hq/synapse/issues/82))
-* Speed up upgrading a room with large numbers of banned users. ([#​18574](https://github.com/element-hq/synapse/issues/18574))
-
-[1.117.0]
-* Update synapse to 1.136.0
-* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.136.0)
-* Fix bug introduced in 1.135.2 and 1.136.0rc2 where the [Make Room Admin API](https://element-hq.github.io/synapse/latest/admin_api/rooms.html#make-room-admin-api) would not treat a room v12's creator power level as the highest in room. ([#​18805](https://github.com/element-hq/synapse/issues/18805))
-
-[1.118.0]
-* Update synapse to 1.137.0
-* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.137.0)
-* Fix a bug which could corrupt auth chains making it impossible to perform state resolution. (#18746)
-* Fix error message in register_new_matrix_user utility script for empty registration_shared_secret. (#18780)
-* Allow enabling MSC4108 when the stable Matrix Authentication Service integration is enabled. (#18832)
-* Include IPv6 networks in denied-peer-ips of coturn setup. Contributed by @litetex. (#18781)
-

CloudronManifest.json

@@ -5,15 +5,23 @@
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG.md",
   "tagline": "Secure & decentralized communication",
-  "version": "1.118.0",
+  "version": "1.109.0",
-  "upstreamVersion": "1.137.0",
+  "upstreamVersion": "1.128.0",
   "healthCheckPath": "/",
   "httpPort": 8008,
+  "httpPorts": {
+    "MAS_DOMAIN": {
+      "title": "Matrix Authentication Service Domain",
+      "description": "Matrix Authentication Service domain",
+      "containerPort": 8080,
+      "defaultValue": "auth"
+    }
+  },
   "memoryLimit": 536870912,
   "addons": {
     "localstorage": {},
     "oidc": {
-      "loginRedirectUri": "/_synapse/client/oidc/callback"
+      "loginRedirectUri": "/_synapse/client/oidc/callback, /upstream/callback/000000000000000000C10WDR0N"
     },
     "postgresql": {},
     "sendmail": {
@@ -44,18 +52,9 @@
     "https://screenshots.cloudron.io/org.matrix.synapse/2.png",
     "https://screenshots.cloudron.io/org.matrix.synapse/3.png"
   ],
-  "checklist": {
-    "configure-federation": {
-      "message": "For federation to work, the delegation URI `https://$CLOUDRON-APP-DOMAIN/.well-known/matrix/server` must be configured. See the [docs](https://docs.cloudron.io/apps/synapse/#post-installation) on how to do this."
-    },
-    "registration-enabled-without-verification": {
-      "message": "Registration is enabled but verification is disabled. See [docs](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=registration_require#enable_registration) for more information",
-      "sso": false
-    }
-  },
   "postInstallMessage": "file://POSTINSTALL.md",
-  "minBoxVersion": "8.2.0",
+  "minBoxVersion": "7.5.1",
   "forumUrl": "https://forum.cloudron.io/category/50/matrix-synapse-riot",
-  "documentationUrl": "https://docs.cloudron.io/packages/synapse/",
+  "documentationUrl": "https://docs.cloudron.io/apps/synapse/",
   "optionalSso": true
 }

Dockerfile

@@ -8,11 +8,14 @@ WORKDIR /app/code
 RUN python3 -m venv /app/code/env
 
 # renovate: datasource=github-releases depName=element-hq/synapse versioning=semver extractVersion=^v(?<version>.+)$
-ARG SYNAPSE_VERSION=1.137.0
+ARG SYNAPSE_VERSION=1.128.0
 
 # renovate: datasource=github-releases depName=matrix-org/synapse-s3-storage-provider versioning=semver extractVersion=^v(?<version>.+)$
 ARG S3PROVIDER_VERSION=1.5.0
 
+# renovate: datasource=github-releases depName=element-hq/matrix-authentication-service versioning=semver extractVersion=^v(?<version>.+)$
+ARG MAS_VERSION=0.15.0
+
 # Synapse (https://github.com/matrix-org/synapse/blob/master/INSTALL.md)
 # lxml - required for previews
 RUN source /app/code/env/bin/activate && \
@@ -21,8 +24,19 @@ RUN source /app/code/env/bin/activate && \
 # Updated suffix list
 RUN curl -L https://publicsuffix.org/list/public_suffix_list.dat -o /app/code/env/lib/python3.12/site-packages/publicsuffix2/public_suffix_list.dat
 
+# matrix-authentication-service
+RUN mkdir -p /app/code/mas && \
+    curl -L https://github.com/element-hq/matrix-authentication-service/releases/download/v${MAS_VERSION}/mas-cli-x86_64-linux.tar.gz | tar zxf - --strip-components 1 -C /app/code/mas
+ENV PATH=$PATH:/app/code/mas
+
 RUN ln -sf /app/data/index.html /app/code/env/lib/python3.12/site-packages/synapse/static/index.html
 
+# Add supervisor configs
+COPY supervisor/* /etc/supervisor/conf.d/
+RUN ln -sf /run/synapse/supervisord.log /var/log/supervisor/supervisord.log
+
+RUN chown -R cloudron:cloudron /app/code
+
 ADD index.html homeserver.yaml.template start.sh /app/pkg/
 
 CMD [ "/app/pkg/start.sh" ]

POSTINSTALL.md

@@ -1,2 +1,6 @@
 Account ids are created with the username and the second level domain under which the
 app is installed e.g. `@$CLOUDRON-USERNAME:$CLOUDRON-APP-DOMAIN`.
+
+For federation to work, the delegation URI `https://$CLOUDRON-APP-DOMAIN/.well-known/matrix/server`
+must be configured. See the [docs](https://docs.cloudron.io/apps/synapse/#post-installation) on how to do this.
+

homeserver.yaml.template

@@ -1,4 +1,4 @@
-# https://github.com/element-hq/synapse/blob/master/docs/sample_config.yaml
+# https://github.com/matrix-org/synapse/blob/master/docs/sample_config.yaml
 
 # if you change this, change the auto_join_rooms below as well
 server_name: "example.com"
@@ -13,6 +13,7 @@ listeners:
     type: http
     x_forwarded: true
     bind_addresses: ['0.0.0.0']
+
     resources:
       - names: [client,federation]
         compress: false
@@ -20,6 +21,7 @@ listeners:
 database:
   name: "psycopg2"
   args:
+    # Path to the database
     user: ${POSTGRESQL_USERNAME}
     password: ${POSTGRESQL_PASSWORD}
     database: ${POSTGRESQL_DATABASE}
@@ -27,17 +29,6 @@ database:
     cp_min: 5
     cp_max: 10
 
-log_config: "/app/data/configs/log.config"
-media_store_path: "/app/data/data/media_store"
-registration_shared_secret: "some_shared_secret"
-report_stats: false
-macaroon_secret_key: "some_macaroon_secret"
-form_secret: "some_form_secret"
-signing_key_path: "/app/data/configs/signing.key"
-trusted_key_servers:
-  - server_name: "matrix.org"
-
-## Cloudron packaging
 email:
     smtp_host: mail.server
     smtp_port: 587
@@ -49,37 +40,74 @@ email:
     enable_notifs: true
     notif_for_new_users: true
 
+password_providers:
+    - module: "synapse.util.ldap_auth_provider.LdapAuthProvider"
+      config:
+        enabled: true
+        uri: "ldap://ldap.example.com:389"
+        start_tls: true
+        base: "ou=users,dc=example,dc=com"
+        attributes:
+           uid: "username"
+           mail: "mail"
+           name: "username"
+        bind_dn: "ou=users,dc=cloudron"
+        bind_password: "password"
+        filter: "(objectClass=posixAccount)"
+
 # turn
 turn_uris: []
 turn_shared_secret: "sharedsecret"
 turn_allow_guests: true
 
-# sso (https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#single-sign-on-integration)
+federation_ip_range_blacklist:
-enable_registration: false
+  - '127.0.0.0/8'
-# without this, registration requires one of email/captcha/token verification
+  - '10.0.0.0/8'
-enable_registration_without_verification: true
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '169.254.0.0/16'
+  - '::1/128'
+  - 'fe80::/64'
+  - 'fc00::/7'
 
-oidc_providers:
+enable_registration: false
-  - idp_id: cloudron
+enable_registration_without_verification: true
-    idp_name: "CLOUDRON_OIDC_PROVIDER_NAME"
+registration_shared_secret: "somesecret"
-    issuer: "CLOUDRON_OIDC_ISSUER"
+allow_guest_access: false
-    client_id: "CLOUDRON_OIDC_CLIENT_ID"
+
-    client_secret: "CLOUDRON_OIDC_CLIENT_SECRET"
+enable_group_creation: true
-    scopes: ["openid", "profile", "email"]
+
-    authorization_endpoint: "CLOUDRON_OIDC_AUTH_ENDPOINT"
+report_stats: False
-    token_endpoint: "CLOUDRON_OIDC_TOKEN_ENDPOINT"
+
-    userinfo_endpoint: "CLOUDRON_OIDC_AUTH_ENDPOINT"
+signing_key_path: "/app/data/configs/signing.key"
-    allow_existing_users: true
+
-    enable_registration: true
+url_preview_enabled: true
-    backchannel_logout_enabled: false
+url_preview_ip_range_blacklist:
-    user_mapping_provider:
+  - '127.0.0.0/8'
-      config:
+  - '10.0.0.0/8'
-        localpart_template: "{{ user.sub }}"
+  - '172.16.0.0/12'
-        display_name_template: "{{ user.name }}"
+  - '192.168.0.0/16'
-        email_template: "{{ user.email }}"
+  - '100.64.0.0/10'
+  - '169.254.0.0/16'
+  - '::1/128'
+  - 'fe80::/64'
+  - 'fc00::/7'
+
+media_store_path: "/app/data/data/media_store"
+max_upload_size: 200M
+max_image_pixels: "32M"
+dynamic_thumbnails: false
+
+autocreate_auto_join_rooms: true
+auto_join_rooms:
+  - "#discuss:example.com"
+
+trusted_key_servers:
+  - server_name: "matrix.org"
+suppress_key_server_warning: true
 
 password_config:
-    enabled: false
+   enabled: true
-    localdb_enabled: false
+   localdb_enabled: false
-    pepper: "some_pepper_secret"
 

start.sh

@@ -2,10 +2,96 @@
 
 set -eu
 
-mkdir -p /app/data/data /app/data/configs /run/synapse
+mkdir -p /app/data/data /app/data/configs/policies /run/synapse
 
 source /app/code/env/bin/activate
 
+mas_client_id="0000000000000000000SYNAPSE"
+cloudron_client_id="000000000000000000C10WDR0N" # a valid ULID excludes I, L, O, and U
+mas_client_secret=$(openssl rand -hex 32)
+matrix_secret=$(openssl rand -hex 32)
+
+function mas_config() {
+    export MAS_CONFIG=/run/synapse/mas-config.yaml
+
+    echo "MAS configuration"
+    if [[ ! -f /app/data/configs/mas.yaml ]]; then
+        mas-cli config generate > /app/data/configs/mas.yaml
+
+        yq eval -i ".email.from=\"${CLOUDRON_MAIL_FROM_DISPLAY_NAME:-Matrix} <${CLOUDRON_MAIL_FROM}>\"" /app/data/configs/mas.yaml
+        yq eval -i ".email.reply_to=\"${CLOUDRON_MAIL_FROM_DISPLAY_NAME:-Matrix} <${CLOUDRON_MAIL_FROM}>\"" /app/data/configs/mas.yaml
+    fi
+
+    cat /app/data/configs/mas.yaml > ${MAS_CONFIG}
+
+    # http
+    yq eval -i ".http.public_base=\"https://${MAS_DOMAIN}\"" ${MAS_CONFIG}
+
+    # database
+    yq eval -i ".database.uri=\"${CLOUDRON_POSTGRESQL_URL}\"" ${MAS_CONFIG}
+#    yq eval -i ".database.user=\"${CLOUDRON_POSTGRESQL_USERNAME}\"" ${MAS_CONFIG}
+#    yq eval -i ".database.password=\"${CLOUDRON_POSTGRESQL_PASSWORD}\"" ${MAS_CONFIG}
+#    yq eval -i ".database.database=\"${CLOUDRON_POSTGRESQL_DATABASE}\"" ${MAS_CONFIG}
+#    yq eval -i ".database.host=\"${CLOUDRON_POSTGRESQL_HOST}\"" ${MAS_CONFIG}
+#    yq eval -i ".database.port=${CLOUDRON_POSTGRESQL_PORT}" ${MAS_CONFIG}
+
+    # email
+    yq eval -i ".email.transport=\"smtp\"" ${MAS_CONFIG}
+    yq eval -i ".email.mode=\"plain\"" ${MAS_CONFIG}
+    yq eval -i ".email.hostname=\"${CLOUDRON_MAIL_SMTP_SERVER}\"" ${MAS_CONFIG}
+    yq eval -i ".email.port=${CLOUDRON_MAIL_SMTP_PORT}" ${MAS_CONFIG}
+    yq eval -i ".email.username=\"${CLOUDRON_MAIL_SMTP_USERNAME}\"" ${MAS_CONFIG}
+    yq eval -i ".email.password=\"${CLOUDRON_MAIL_SMTP_PASSWORD}\"" ${MAS_CONFIG}
+
+    # provision client for the homeserver
+    yq eval -i ".clients[0].client_id=\"${mas_client_id}\"" ${MAS_CONFIG}
+    yq eval -i ".clients[0].client_auth_method=\"client_secret_basic\"" ${MAS_CONFIG}
+    yq eval -i ".clients[0].client_secret=\"${mas_client_secret}\"" ${MAS_CONFIG}
+
+    # connection to the homeserver
+    yq eval -i ".matrix.homeserver=\"localhost:8008\"" ${MAS_CONFIG}
+    yq eval -i ".matrix.secret=\"${matrix_secret}\"" ${MAS_CONFIG}
+    yq eval -i ".matrix.endpoint=\"http://localhost:8008\"" ${MAS_CONFIG}
+
+    # setup cloudron OIDC as upstrem SSO provider
+    if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+        yq eval -i ".upstream_oauth2.providers[0].id=\"${cloudron_client_id}\"" ${MAS_CONFIG}
+        yq eval -i ".upstream_oauth2.providers[0].human_name=\"${CLOUDRON_OIDC_PROVIDER_NAME:-Cloudron}\"" ${MAS_CONFIG}
+        yq eval -i ".upstream_oauth2.providers[0].issuer=\"${CLOUDRON_OIDC_ISSUER}\"" ${MAS_CONFIG}
+        yq eval -i ".upstream_oauth2.providers[0].client_id=\"${CLOUDRON_OIDC_CLIENT_ID}\"" ${MAS_CONFIG}
+        yq eval -i ".upstream_oauth2.providers[0].client_secret=\"${CLOUDRON_OIDC_CLIENT_SECRET}\"" ${MAS_CONFIG}
+
+        yq eval -i ".upstream_oauth2.providers[0].scope=\"openid, email, profile\"" ${MAS_CONFIG}
+
+        # How the provider configuration and endpoints should be discovered
+        # Possible values are:
+        #  - `oidc`: discover the provider through OIDC discovery,
+        #     with strict metadata validation (default)
+        #  - `insecure`: discover through OIDC discovery, but skip metadata validation
+        #  - `disabled`: don't discover the provider and use the endpoints below
+        yq eval -i ".upstream_oauth2.providers[0].discovery_mode=\"oidc\"" ${MAS_CONFIG}
+
+        yq eval -i ".upstream_oauth2.providers[0].authorization_endpoint=\"${CLOUDRON_OIDC_AUTH_ENDPOINT}\"" ${MAS_CONFIG}
+        yq eval -i ".upstream_oauth2.providers[0].token_endpoint=\"${CLOUDRON_OIDC_TOKEN_ENDPOINT}\"" ${MAS_CONFIG}
+        yq eval -i ".upstream_oauth2.providers[0].userinfo_endpoint=\"${CLOUDRON_OIDC_PROFILE_ENDPOINT}\"" ${MAS_CONFIG}
+        yq eval -i ".upstream_oauth2.providers[0].jwks_uri=\"${CLOUDRON_OIDC_KEYS_ENDPOINT}\"" ${MAS_CONFIG}
+        yq eval -i ".upstream_oauth2.providers[0].token_endpoint_auth_method=\"client_secret_post\"" ${MAS_CONFIG}
+        yq eval -i ".upstream_oauth2.providers[0].response_mode=\"query\"" ${MAS_CONFIG}
+
+        yq eval -i ".claims_imports.subject.template=\"{{ user.sub }}\"" ${MAS_CONFIG}
+        yq eval -i ".claims_imports.localpart.action=\"force\"" ${MAS_CONFIG}
+        yq eval -i ".claims_imports.localpart.template=\"{{ user.preferred_username }}\"" ${MAS_CONFIG}
+        yq eval -i ".claims_imports.displayname.action=\"suggest\"" ${MAS_CONFIG}
+        yq eval -i ".claims_imports.displayname.template=\"{{ user.name }}\"" ${MAS_CONFIG}
+        yq eval -i ".claims_imports.email.action=\"suggest\"" ${MAS_CONFIG}
+        yq eval -i ".claims_imports.email.template=\"{{ user.email }}\"" ${MAS_CONFIG}
+        yq eval -i ".claims_imports.set_email_verification=\"import\"" ${MAS_CONFIG}
+        yq eval -i ".claims_imports.account_name.template=\"@{{ user.preferred_username }}\"" ${MAS_CONFIG}
+    fi
+
+    mas-cli -c ${MAS_CONFIG} database migrate
+}
+
 if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
     echo "==> Detected first run"
 
@@ -33,18 +119,19 @@ if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
 
     yq eval -i ".server_name=\"${server_name}\"" /app/data/configs/homeserver.yaml
     yq eval -i ".registration_shared_secret=\"$(pwgen -1s 64)\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".macaroon_secret_key=\"$(pwgen -1s 64)\"" /app/data/configs/homeserver.yaml
+
-    yq eval -i ".form_secret=\"$(pwgen -1s 64)\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".auto_join_rooms=[]" /app/data/configs/homeserver.yaml
+    yq eval -i ".auto_join_rooms[0]=\"#discuss:${server_name}\"" /app/data/configs/homeserver.yaml
 
     if [[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
         yq eval -i ".enable_registration=true" /app/data/configs/homeserver.yaml
-        yq eval -i ".password_config.enabled=true" /app/data/configs/homeserver.yaml
+        # just setting enabled to false is not enough. see https://github.com/matrix-org/matrix-synapse-ldap3/issues/123
-        yq eval -i ".password_config.localdb_enabled=true" /app/data/configs/homeserver.yaml
+        yq eval -i "del(.password_providers)" /app/data/configs/homeserver.yaml
-        yq eval -i "del(.oidc_providers)" /app/data/configs/homeserver.yaml
     fi
     yq eval -i ".password_config.pepper=\"$(pwgen -1s 12)\"" /app/data/configs/homeserver.yaml # always set this so that users can enable password login if needed
 fi
 
+
 echo "==> Ensure we log to console"
 yq eval -i ".root.handlers=[\"console\"]" /app/data/configs/log.config
 yq eval -i ".loggers.twisted.handlers=[\"console\"]" /app/data/configs/log.config
@@ -69,25 +156,28 @@ yq eval -i ".email.notif_from=\"${CLOUDRON_MAIL_FROM_DISPLAY_NAME:-Matrix} <${CL
 
 # oidc
 if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
-    echo " ==> Configuring OIDC auth"
+    yq eval -i "del(.password_providers)" /app/data/configs/homeserver.yaml # remove old ldap config
-    yq eval -i ".oidc_providers[0].idp_id=\"cloudron\"" /app/data/configs/homeserver.yaml
+    yq eval -i "del(.oidc_providers[0])" /app/data/configs/homeserver.yaml # remove old oidc config
-    yq eval -i ".oidc_providers[0].idp_name=\"${CLOUDRON_OIDC_PROVIDER_NAME:-Cloudron}\"" /app/data/configs/homeserver.yaml
+#    echo " ==> Configuring OIDC auth"
-    yq eval -i ".oidc_providers[0].issuer=\"${CLOUDRON_OIDC_ISSUER}\"" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].idp_id=\"cloudron\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".oidc_providers[0].client_id=\"${CLOUDRON_OIDC_CLIENT_ID}\"" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].idp_name=\"${CLOUDRON_OIDC_PROVIDER_NAME:-Cloudron}\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".oidc_providers[0].client_secret=\"${CLOUDRON_OIDC_CLIENT_SECRET}\"" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].issuer=\"${CLOUDRON_OIDC_ISSUER}\"" /app/data/configs/homeserver.yaml
-
+#    yq eval -i ".oidc_providers[0].client_id=\"${CLOUDRON_OIDC_CLIENT_ID}\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".oidc_providers[0].scopes=[\"openid\", \"email\", \"profile\"]" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].client_secret=\"${CLOUDRON_OIDC_CLIENT_SECRET}\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".oidc_providers[0].authorization_endpoint=\"${CLOUDRON_OIDC_AUTH_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+#
-    yq eval -i ".oidc_providers[0].token_endpoint=\"${CLOUDRON_OIDC_TOKEN_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].scopes=[\"openid\", \"email\", \"profile\"]" /app/data/configs/homeserver.yaml
-    yq eval -i ".oidc_providers[0].userinfo_endpoint=\"${CLOUDRON_OIDC_PROFILE_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].authorization_endpoint=\"${CLOUDRON_OIDC_AUTH_ENDPOINT}\"" /app/data/configs/homeserver.yaml
-    # https://s3lph.me/ldap-to-oidc-migration-3-matrix.html
+#    yq eval -i ".oidc_providers[0].token_endpoint=\"${CLOUDRON_OIDC_TOKEN_ENDPOINT}\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".oidc_providers[0].allow_existing_users=true" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].userinfo_endpoint=\"${CLOUDRON_OIDC_PROFILE_ENDPOINT}\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".oidc_providers[0].skip_verification=true" /app/data/configs/homeserver.yaml
+#    # https://s3lph.me/ldap-to-oidc-migration-3-matrix.html
-    yq eval -i ".oidc_providers[0].user_mapping_provider.config.localpart_template=\"{{ user.sub }}\"" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].allow_existing_users=true" /app/data/configs/homeserver.yaml
-    yq eval -i ".oidc_providers[0].user_mapping_provider.config.display_name_template=\"{{ user.name }}\"" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].skip_verification=true" /app/data/configs/homeserver.yaml
-    yq eval -i ".oidc_providers[0].user_mapping_provider.config.email_template=\"{{ user.email }}\"" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].user_mapping_provider.config.localpart_template=\"{{ user.sub }}\"" /app/data/configs/homeserver.yaml
+#    yq eval -i ".oidc_providers[0].user_mapping_provider.config.display_name_template=\"{{ user.name }}\"" /app/data/configs/homeserver.yaml
 else
     yq eval -i ".password_config.localdb_enabled=true" /app/data/configs/homeserver.yaml
+    # just setting enabled to false is not enough. see https://github.com/matrix-org/matrix-synapse-ldap3/issues/123
+    yq eval -i "del(.password_providers)" /app/data/configs/homeserver.yaml
 fi
 
 # turn (https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md#synapse-setup)
@@ -98,9 +188,23 @@ if [[ -n "${CLOUDRON_TURN_SERVER:-}" ]]; then
     yq eval -i ".turn_shared_secret=\"${CLOUDRON_TURN_SECRET}\"" /app/data/configs/homeserver.yaml
 fi
 
+mas_config
+
+# Configure the homeserver to delegate authentication to the MAS
+# https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#configure-the-homeserver-to-delegate-authentication-to-the-service
+yq eval -i ".experimental_features.msc3861.enabled=true" /app/data/configs/homeserver.yaml
+yq eval -i ".experimental_features.msc3861.issuer=\"http://localhost:8080/\"" /app/data/configs/homeserver.yaml
+yq eval -i ".experimental_features.msc3861.client_id=\"${mas_client_id}\"" /app/data/configs/homeserver.yaml
+yq eval -i ".experimental_features.msc3861.client_auth_method=\"client_secret_basic\"" /app/data/configs/homeserver.yaml
+# Matches the `client_secret` in the auth service config
+yq eval -i ".experimental_features.msc3861.client_secret=\"${mas_client_secret}\"" /app/data/configs/homeserver.yaml
+# Matches the `matrix.secret` in the auth service config
+yq eval -i ".experimental_features.msc3861.admin_token=\"${matrix_secret}\"" /app/data/configs/homeserver.yaml
+
 # fix permissions
 echo "==> Fixing permissions"
 chown -R cloudron:cloudron /app/data /run/synapse
 
 echo "==> Starting synapse"
-exec gosu cloudron:cloudron python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml -n
+#exec gosu cloudron:cloudron python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml -n
+exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i Synapse

supervisor/homeserver.conf

@@ -0,0 +1,11 @@
+[program:homeserver]
+priority=10
+user=cloudron
+directory=/app/code
+command=bash -c "source /app/code/env/bin/activate && python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml -n"
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

supervisor/mas.conf

@@ -0,0 +1,11 @@
+[program:mas]
+priority=12
+directory=/app/code/mas
+user=cloudron
+command=mas-cli -c /run/synapse/mas-config.yaml server
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

test/package-lock.json

@@ -9,10 +9,10 @@
       "version": "1.0.0",
       "license": "ISC",
       "dependencies": {
-        "chromedriver": "^139.0.2",
+        "chromedriver": "^135.0.0",
         "expect.js": "^0.3.1",
-        "mocha": "^11.7.1",
+        "mocha": "^11.1.0",
-        "selenium-webdriver": "^4.35.0"
+        "selenium-webdriver": "^4.31.0"
       }
     },
     "node_modules/@bazel/runfiles": {
@@ -89,6 +89,15 @@
         "node": ">= 14"
       }
     },
+    "node_modules/ansi-colors": {
+      "version": "4.1.3",
+      "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-4.1.3.tgz",
+      "integrity": "sha512-/6w/C21Pm1A7aZitlI5Ni/2J6FFQN8i1Cvz3kHABAAbw93v/NlvKdVOqz7CCWz/3iv/JplRSEEZ83XION15ovw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/ansi-regex": {
       "version": "6.1.0",
       "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz",
@@ -116,6 +125,19 @@
         "url": "https://github.com/chalk/ansi-styles?sponsor=1"
       }
     },
+    "node_modules/anymatch": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
+      "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==",
+      "license": "ISC",
+      "dependencies": {
+        "normalize-path": "^3.0.0",
+        "picomatch": "^2.0.4"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
     "node_modules/argparse": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
@@ -166,6 +188,18 @@
         "node": ">=10.0.0"
       }
     },
+    "node_modules/binary-extensions": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
+      "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/brace-expansion": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
@@ -175,6 +209,18 @@
         "balanced-match": "^1.0.0"
       }
     },
+    "node_modules/braces": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
+      "license": "MIT",
+      "dependencies": {
+        "fill-range": "^7.1.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/browser-stdout": {
       "version": "1.3.1",
       "resolved": "https://registry.npmjs.org/browser-stdout/-/browser-stdout-1.3.1.tgz",
@@ -231,24 +277,33 @@
       }
     },
     "node_modules/chokidar": {
-      "version": "4.0.3",
+      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz",
-      "integrity": "sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==",
+      "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==",
       "license": "MIT",
       "dependencies": {
-        "readdirp": "^4.0.1"
+        "anymatch": "~3.1.2",
+        "braces": "~3.0.2",
+        "glob-parent": "~5.1.2",
+        "is-binary-path": "~2.1.0",
+        "is-glob": "~4.0.1",
+        "normalize-path": "~3.0.0",
+        "readdirp": "~3.6.0"
       },
       "engines": {
-        "node": ">= 14.16.0"
+        "node": ">= 8.10.0"
       },
       "funding": {
         "url": "https://paulmillr.com/funding/"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.2"
       }
     },
     "node_modules/chromedriver": {
-      "version": "139.0.2",
+      "version": "135.0.0",
-      "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-139.0.2.tgz",
+      "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-135.0.0.tgz",
-      "integrity": "sha512-GEq1PM9unQBQ79iNxlsJPvMFzcw/LKIusxC39RVD+8noh1JqURNTqbhPGU887VpGUsCFJ0SCSpr+6waK/yWHRA==",
+      "integrity": "sha512-ilE3cIrIieiRU/a6MNpt0CL0UZs2tu0lQAes+el5SV03MB1zYIEXy+dDeueid/g8AmT1loy7TB2fjWwcHLY8lg==",
       "hasInstallScript": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -264,7 +319,7 @@
         "chromedriver": "bin/chromedriver"
       },
       "engines": {
-        "node": ">=20"
+        "node": ">=18"
       }
     },
     "node_modules/cliui": {
@@ -463,9 +518,9 @@
       }
     },
     "node_modules/diff": {
-      "version": "7.0.0",
+      "version": "5.2.0",
-      "resolved": "https://registry.npmjs.org/diff/-/diff-7.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/diff/-/diff-5.2.0.tgz",
-      "integrity": "sha512-PJWHUb1RFevKCwaFA9RlG5tCd+FO5iRh9A8HEtkmBH2Li03iJriB6m6JIN4rGz3K3JLawI7/veA1xzRKP6ISBw==",
+      "integrity": "sha512-uIFDxqpRZGZ6ThOk84hEfqWoHx2devRFvpTZcTHur85vImfaxUbTW9Ryh4CpCuDnToOP1CEtXKIgytHBPVff5A==",
       "license": "BSD-3-Clause",
       "engines": {
         "node": ">=0.3.1"
@@ -599,6 +654,18 @@
         "pend": "~1.2.0"
       }
     },
+    "node_modules/fill-range": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+      "license": "MIT",
+      "dependencies": {
+        "to-regex-range": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/find-up": {
       "version": "5.0.0",
       "resolved": "https://registry.npmjs.org/find-up/-/find-up-5.0.0.tgz",
@@ -674,6 +741,20 @@
         "node": ">= 6"
       }
     },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
     "node_modules/get-caller-file": {
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
@@ -732,6 +813,33 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
+    "node_modules/glob-parent": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
+      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "license": "ISC",
+      "dependencies": {
+        "is-glob": "^4.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/glob/node_modules/minimatch": {
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
     "node_modules/has-flag": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
@@ -810,6 +918,27 @@
         "node": ">=8"
       }
     },
+    "node_modules/is-binary-path": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
+      "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
+      "license": "MIT",
+      "dependencies": {
+        "binary-extensions": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-extglob": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
+      "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/is-fullwidth-code-point": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
@@ -819,6 +948,27 @@
         "node": ">=8"
       }
     },
+    "node_modules/is-glob": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
+      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "license": "MIT",
+      "dependencies": {
+        "is-extglob": "^2.1.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-number": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.12.0"
+      }
+    },
     "node_modules/is-plain-obj": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-2.1.0.tgz",
@@ -985,18 +1135,15 @@
       }
     },
     "node_modules/minimatch": {
-      "version": "9.0.5",
+      "version": "5.1.6",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
       "license": "ISC",
       "dependencies": {
         "brace-expansion": "^2.0.1"
       },
       "engines": {
-        "node": ">=16 || 14 >=14.17"
+        "node": ">=10"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
       }
     },
     "node_modules/minipass": {
@@ -1009,28 +1156,28 @@
       }
     },
     "node_modules/mocha": {
-      "version": "11.7.1",
+      "version": "11.1.0",
-      "resolved": "https://registry.npmjs.org/mocha/-/mocha-11.7.1.tgz",
+      "resolved": "https://registry.npmjs.org/mocha/-/mocha-11.1.0.tgz",
-      "integrity": "sha512-5EK+Cty6KheMS/YLPPMJC64g5V61gIR25KsRItHw6x4hEKT6Njp1n9LOlH4gpevuwMVS66SXaBBpg+RWZkza4A==",
+      "integrity": "sha512-8uJR5RTC2NgpY3GrYcgpZrsEd9zKbPDpob1RezyR2upGHRQtHWofmzTMzTMSV6dru3tj5Ukt0+Vnq1qhFEEwAg==",
       "license": "MIT",
       "dependencies": {
+        "ansi-colors": "^4.1.3",
         "browser-stdout": "^1.3.1",
-        "chokidar": "^4.0.1",
+        "chokidar": "^3.5.3",
         "debug": "^4.3.5",
-        "diff": "^7.0.0",
+        "diff": "^5.2.0",
         "escape-string-regexp": "^4.0.0",
         "find-up": "^5.0.0",
         "glob": "^10.4.5",
         "he": "^1.2.0",
         "js-yaml": "^4.1.0",
         "log-symbols": "^4.1.0",
-        "minimatch": "^9.0.5",
+        "minimatch": "^5.1.6",
         "ms": "^2.1.3",
-        "picocolors": "^1.1.1",
         "serialize-javascript": "^6.0.2",
         "strip-json-comments": "^3.1.1",
         "supports-color": "^8.1.1",
-        "workerpool": "^9.2.0",
+        "workerpool": "^6.5.1",
         "yargs": "^17.7.2",
         "yargs-parser": "^21.1.1",
         "yargs-unparser": "^2.0.0"
@@ -1058,6 +1205,15 @@
         "node": ">= 0.4.0"
       }
     },
+    "node_modules/normalize-path": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
+      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/once": {
       "version": "1.4.0",
       "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
@@ -1181,11 +1337,17 @@
       "integrity": "sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg==",
       "license": "MIT"
     },
-    "node_modules/picocolors": {
+    "node_modules/picomatch": {
-      "version": "1.1.1",
+      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
+      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
-      "license": "ISC"
+      "license": "MIT",
+      "engines": {
+        "node": ">=8.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
     },
     "node_modules/process-nextick-args": {
       "version": "2.0.1",
@@ -1262,16 +1424,15 @@
       }
     },
     "node_modules/readdirp": {
-      "version": "4.1.2",
+      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.1.2.tgz",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
-      "integrity": "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==",
+      "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==",
       "license": "MIT",
-      "engines": {
+      "dependencies": {
-        "node": ">= 14.18.0"
+        "picomatch": "^2.2.1"
       },
-      "funding": {
+      "engines": {
-        "type": "individual",
+        "node": ">=8.10.0"
-        "url": "https://paulmillr.com/funding/"
       }
     },
     "node_modules/require-directory": {
@@ -1290,9 +1451,9 @@
       "license": "MIT"
     },
     "node_modules/selenium-webdriver": {
-      "version": "4.35.0",
+      "version": "4.31.0",
-      "resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.35.0.tgz",
+      "resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.31.0.tgz",
-      "integrity": "sha512-Baaeiuyu7BIIsSYf0SI7Mi55gsNmdI00KM0Hcofw1RnAY+0QEVpdh5yAxueDxgTZS8vcbGZFU0NJ6Qc1riIrLg==",
+      "integrity": "sha512-0MWEwypM0+c1NnZ87UEMxZdwphKoaK2UJ2qXzKWrJiM0gazFjgNVimxlHTOO90G2cOhphZqwpqSCJy62NTEzyA==",
       "funding": [
         {
           "type": "github",
@@ -1308,10 +1469,10 @@
         "@bazel/runfiles": "^6.3.1",
         "jszip": "^3.10.1",
         "tmp": "^0.2.3",
-        "ws": "^8.18.2"
+        "ws": "^8.18.0"
       },
       "engines": {
-        "node": ">= 20.0.0"
+        "node": ">= 18.20.5"
       }
     },
     "node_modules/serialize-javascript": {
@@ -1590,6 +1751,18 @@
         "node": ">=14.14"
       }
     },
+    "node_modules/to-regex-range": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "license": "MIT",
+      "dependencies": {
+        "is-number": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=8.0"
+      }
+    },
     "node_modules/tslib": {
       "version": "2.8.1",
       "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
@@ -1625,9 +1798,9 @@
       }
     },
     "node_modules/workerpool": {
-      "version": "9.3.2",
+      "version": "6.5.1",
-      "resolved": "https://registry.npmjs.org/workerpool/-/workerpool-9.3.2.tgz",
+      "resolved": "https://registry.npmjs.org/workerpool/-/workerpool-6.5.1.tgz",
-      "integrity": "sha512-Xz4Nm9c+LiBHhDR5bDLnNzmj6+5F+cyEAWPMkbs2awq/dYazR/efelZzUAjB/y3kNHL+uzkHvxVVpaOfGCPV7A==",
+      "integrity": "sha512-Fs4dNYcsdpYSAfVxhnl1L5zTksjvOJxtC5hzMNl+1t9B8hTJTdKDyZ5ju7ztgPy+ft9tBFXoOlDNiOT9WUXZlA==",
       "license": "Apache-2.0"
     },
     "node_modules/wrap-ansi": {
@@ -1725,9 +1898,9 @@
       "license": "ISC"
     },
     "node_modules/ws": {
-      "version": "8.18.3",
+      "version": "8.18.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.3.tgz",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.0.tgz",
-      "integrity": "sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==",
+      "integrity": "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==",
       "license": "MIT",
       "engines": {
         "node": ">=10.0.0"

test/package.json

@@ -9,9 +9,9 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "chromedriver": "^139.0.2",
+    "chromedriver": "^135.0.0",
     "expect.js": "^0.3.1",
-    "mocha": "^11.7.1",
+    "mocha": "^11.1.0",
-    "selenium-webdriver": "^4.35.0"
+    "selenium-webdriver": "^4.31.0"
   }
 }

test/test.js

@@ -120,6 +120,7 @@ describe('Application life cycle test', function () {
     }
 
     async function loginOIDC(username, password, alreadyAuthenticated, proceedWithReset) {
+        browser.manage().deleteAllCookies();
         await browser.get(`https://${elementApp.fqdn}/#/login`);
         await browser.sleep(2000);
 
@@ -132,9 +133,9 @@ describe('Application life cycle test', function () {
         await waitForElement(By.xpath('//div[@role="button" and contains(., "Continue with")]'));
         await browser.findElement(By.xpath('//div[@role="button" and contains(., "Continue with")]')).click();
         if (!alreadyAuthenticated) {
-            await waitForElement(By.id('inputUsername'));
+            await waitForElement(By.xpath('//input[@name="username"]'));
-            await browser.findElement(By.id('inputUsername')).sendKeys(username);
+            await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
-            await browser.findElement(By.id('inputPassword')).sendKeys(password);
+            await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
             await browser.findElement(By.id('loginSubmitButton')).click();
         }
 
@@ -151,11 +152,14 @@ describe('Application life cycle test', function () {
             await waitForElement(By.xpath('//div[text()="Proceed with reset"]'));
             await browser.findElement(By.xpath('//div[text()="Proceed with reset"]')).click();
 
-            await waitForElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]'));
+            await waitForElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"]'));
-            await browser.findElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]')).click();
+            await browser.findElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"]')).click();
 
-            await waitForElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]'));
+            await waitForElement(By.xpath('//div[text()="Copy"]'));
-            await browser.findElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]')).click();
+            await browser.findElement(By.xpath('//div[text()="Copy"]')).click();
+
+            await waitForElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"]'));
+            await browser.findElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"]')).click();
             await waitForElement(By.xpath('//button[text()="Done"] | //div[text()="Single Sign On"]'));
 
             if (await browser.findElements(By.xpath('//div[text()="Single Sign On"]')).then(found => !!found.length)) {
@@ -181,6 +185,9 @@ describe('Application life cycle test', function () {
                 await browser.findElement(By.xpath('//div[text()="Confirm"]')).click();
             }
 
+            await waitForElement(By.xpath('//button[text()="Done"]'));
+            await browser.findElement(By.xpath('//button[text()="Done"]')).click();
+
             await waitForElement(By.xpath('//div[text()="Cancel"] | //h1[contains(., "Welcome")]'));
             if (await browser.findElements(By.xpath('//div[text()="Cancel"]')).then(found => !!found.length)) {
                 await browser.findElement(By.xpath('//div[text()="Cancel"]')).click();
@@ -398,6 +405,7 @@ describe('Application life cycle test', function () {
     it('check room', checkRoom);
 
     it('can send message', sendMessage);
+    it('can get app info', getAppInfo);
 
     it('uninstall app', async function () {
         await browser.get('about:blank');