Bump version

when external registration is enabled, this means that we don't move
all of the external users as oidc accounts

CHANGELOG.md

@@ -713,7 +713,7 @@
 * Fix an issue with Docker images causing the Rust dependencies to not be pinned correctly. Introduced in v1.68.0 (#14129)
 * Fix a bug introduced in Synapse 1.69.0rc1 which would cause registration replication requests to fail if the worker sending the request is not running Synapse 1.69. (#14135)
 * Fix error in background update when rotating existing notifications. Introduced in v1.69.0rc2. (#14138)
-* Allow application services to set the origin_server_ts of a state event by providing the query parameter ts in PUT /_matrix/client/r0/rooms/{roomId}/state/{eventType}/{stateKey}, per MSC3316. Contributed by @lukasdenk. (#11866)
+* Allow application services to set the origin_server_ts of a state event by providing the query parameter ts in PUT `/_matrix/client/r0/rooms/{roomId}/state/{eventType}/{stateKey}`, per MSC3316. Contributed by @lukasdenk. (#11866)
 * Allow server admins to require a manual approval process before new accounts can be used (using MSC3866). (#13556)
 * Exponentially backoff from backfilling the same event over and over. (#13635, #13936)
 * Add cache invalidation across workers to module API. (#13667, #13947)
@@ -721,7 +721,7 @@
 * Experimental support for thread-specific receipts (MSC3771). (#13782, #13893, #13932, #13937, #13939)
 * Add experimental support for MSC3881: Remotely toggle push notifications for another client. (#13799, #13831, #13860)
 * Keep track when an event pulled over federation fails its signature check so we can intelligently back-off in the future. (#13815)
-* Improve validation for the unspecced, internal-only _matrix/client/unstable/add_threepid/msisdn/submit_token endpoint. (#13832)
+* Improve validation for the unspecced, internal-only `_matrix/client/unstable/add_threepid/msisdn/submit_token` endpoint. (#13832)
 * Faster remote room joins: record when we first partial-join to a room. (#13892)
 * Support a dir parameter on the /relations endpoint per MSC3715. (#13920)
 * Ask mail servers receiving emails from Synapse to not send automatic replies (e.g. out-of-office responses). (#13957)
@@ -735,10 +735,527 @@
 * Fix packaging to include Cargo.lock in sdist. (#13909)
 * Fix a long-standing bug where device updates could cause delays sending out to-device messages over federation. (#13922)
 * Fix a bug introduced in v1.68.0 where Synapse would require setuptools_rust at runtime, even though the package is only required at build time. (#13952)
-* Fix a long-standing bug where POST /_matrix/client/v3/keys/query requests could result in excessively large SQL queries. (#13956)
+* Fix a long-standing bug where POST `/_matrix/client/v3/keys/query` requests could result in excessively large SQL queries. (#13956)
 * Fix a performance regression in the get_users_in_room database query. Introduced in v1.67.0. (#13972)
 * Fix a bug introduced in v1.68.0 bug where Rust extension wasn't built in release mode when using poetry install. (#14009)
 * Do not return an unspecified original_event field when using the stable /relations endpoint. Introduced in Synapse v1.57.0. (#14025)
 * Correctly handle a race with device lists when a remote user leaves during a partial join. (#13885)
 * Correctly handle sending local device list updates to remote servers during a partial join. (#13934)
 
+[1.53.0]
+* Update Synapse to 1.70.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.70.0)
+* Support for [MSC3856](https://github.com/matrix-org/matrix-spec-proposals/pull/3856): threads list API. ([\#13394](https://github.com/matrix-org/synapse/issues/13394), [\#14171](https://github.com/matrix-org/synapse/issues/14171), [\#14175](https://github.com/matrix-org/synapse/issues/14175))
+* Support for thread-specific notifications & receipts ([MSC3771](https://github.com/matrix-org/matrix-spec-proposals/pull/3771) and [MSC3773](https://github.com/matrix-org/matrix-spec-proposals/pull/3773)). ([\#13776](https://github.com/matrix-org/synapse/issues/13776), [\#13824](https://github.com/matrix-org/synapse/issues/13824), [\#13877](https://github.com/matrix-org/synapse/issues/13877), [\#13878](https://github.com/matrix-org/synapse/issues/13878), [\#14050](https://github.com/matrix-org/synapse/issues/14050), [\#14140](https://github.com/matrix-org/synapse/issues/14140), [\#14159](https://github.com/matrix-org/synapse/issues/14159), [\#14163](https://github.com/matrix-org/synapse/issues/14163), [\#14174](https://github.com/matrix-org/synapse/issues/14174), [\#14222](https://github.com/matrix-org/synapse/issues/14222))
+* Stop fetching missing `prev_events` after we already know their signature is invalid. ([\#13816](https://github.com/matrix-org/synapse/issues/13816))
+* Send application service access tokens as a header (and query parameter). Implements [MSC2832](https://github.com/matrix-org/matrix-spec-proposals/pull/2832). ([\#13996](https://github.com/matrix-org/synapse/issues/13996))
+* Ignore server ACL changes when generating pushes. Implements [MSC3786](https://github.com/matrix-org/matrix-spec-proposals/pull/3786). ([\#13997](https://github.com/matrix-org/synapse/issues/13997))
+* Experimental support for redirecting to an implementation of a [MSC3886](https://github.com/matrix-org/matrix-spec-proposals/pull/3886) HTTP rendezvous service. ([\#14018](https://github.com/matrix-org/synapse/issues/14018))
+* The `/relations` endpoint can now be used on workers. ([\#14028](https://github.com/matrix-org/synapse/issues/14028))
+* Advertise support for Matrix 1.3 and 1.4 on `/_matrix/client/versions`. ([\#14032](https://github.com/matrix-org/synapse/issues/14032), [\#14184](https://github.com/matrix-org/synapse/issues/14184))
+* Improve validation of request bodies for the [Device Management](https://spec.matrix.org/v1.4/client-server-api/#device-management) and [MSC2697 Device Dehyrdation](https://github.com/matrix-org/matrix-spec-proposals/pull/2697) client-server API endpoints. ([\#14054](https://github.com/matrix-org/synapse/issues/14054))
+* Experimental support for [MSC3874](https://github.com/matrix-org/matrix-spec-proposals/pull/3874): Filtering threads from the `/messages` endpoint. ([\#14148](https://github.com/matrix-org/synapse/issues/14148))
+* Improve the validation of the following PUT endpoints: [`/directory/room/{roomAlias}`](https://spec.matrix.org/v1.4/client-server-api/#put_matrixclientv3directoryroomroomalias), [`/directory/list/room/{roomId}`](https://spec.matrix.org/v1.4/client-server-api/#put_matrixclientv3directorylistroomroomid) and [`/directory/list/appservice/{networkId}/{roomId}`](https://spec.matrix.org/v1.4/application-service-api/#put_matrixclientv3directorylistappservicenetworkidroomid). ([\#14179](https://github.com/matrix-org/synapse/issues/14179))
+* Build and publish binary wheels for `aarch64` platforms. ([\#14212](https://github.com/matrix-org/synapse/issues/14212))
+
+[1.53.1]
+* Update Synapse to 1.70.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.70.1)
+* Fix a bug introduced in Synapse 1.70.0rc1 where the access tokens sent to application services as headers were malformed. Application services which were obtaining access tokens from query parameters were not affected. (#14301)
+* Fix room creation being rate limited too aggressively since Synapse v1.69.0. (#14314)
+
+[1.54.0]
+* Update Synapse to 1.71.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.71.0)
+
+[1.55.0]
+* Update Synapse to 1.72.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.72.0)
+* Add experimental support for MSC3912: Relation-based redactions. (#14260)
+* Add an Admin API endpoint for user lookup based on third-party ID (3PID). Contributed by @ashfame. (#14405)
+* Faster joins: include heroes' membership events in the partial join response, for rooms without a name or canonical alias. (#14442)
+
+[1.56.0]
+* Update Synapse to 1.73.0
+* Update Cloudron base image to 4.0.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.73.0)
+
+[1.57.0]
+* Update Synapse to 1.74.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.74.0)
+* Improve user search for international display names. ([\#14464](https://github.com/matrix-org/synapse/issues/14464))
+* Stop using deprecated `keyIds` parameter when calling `/_matrix/key/v2/server`. ([\#14490](https://github.com/matrix-org/synapse/issues/14490), [\#14525](https://github.com/matrix-org/synapse/issues/14525))
+* Add new `push.enabled` config option to allow opting out of push notification calculation. ([\#14551](https://github.com/matrix-org/synapse/issues/14551), [\#14619](https://github.com/matrix-org/synapse/issues/14619))
+* Advertise support for Matrix 1.5 on `/_matrix/client/versions`. ([\#14576](https://github.com/matrix-org/synapse/issues/14576))
+* Improve opentracing and logging for to-device message handling. ([\#14598](https://github.com/matrix-org/synapse/issues/14598))
+* Allow selecting "prejoin" events by state keys in addition to event types. ([\#14642](https://github.com/matrix-org/synapse/issues/14642))
+* Fix a long-standing bug where a device list update might not be sent to clients in certain circumstances. ([\#14435](https://github.com/matrix-org/synapse/issues/14435), [\#14592](https://github.com/matrix-org/synapse/issues/14592), [\#14604](https://github.com/matrix-org/synapse/issues/14604))
+* Suppress a spurious warning when `POST /rooms/<room_id>/<membership>/`, `POST /join/<room_id_or_alias`, or the unspecced `PUT /join/<room_id_or_alias>/<txn_id>` receive an empty HTTP request body. ([\#14600](https://github.com/matrix-org/synapse/issues/14600))
+* Return spec-compliant JSON errors when unknown endpoints are requested. ([\#14620](https://github.com/matrix-org/synapse/issues/14620), [\#14621](https://github.com/matrix-org/synapse/issues/14621))
+* Update html templates to load images over HTTPS. Contributed by @ashfame. ([\#14625](https://github.com/matrix-org/synapse/issues/14625))
+* Fix a long-standing bug where the user directory would return 1 more row than requested. ([\#14631](https://github.com/matrix-org/synapse/issues/14631))
+* Reject invalid read receipt requests with empty room or event IDs. Contributed by Nick @ Beeper (@fizzadar). ([\#14632](https://github.com/matrix-org/synapse/issues/14632))
+* Fix a bug introduced in Synapse 1.67.0 where not specifying a config file or a server URL would lead to the `register_new_matrix_user` script failing. ([\#14637](https://github.com/matrix-org/synapse/issues/14637))
+* Fix a long-standing bug where the user directory and room/user stats might be out of sync. ([\#14639](https://github.com/matrix-org/synapse/issues/14639), [\#14643](https://github.com/matrix-org/synapse/issues/14643))
+* Fix a bug introduced in Synapse 1.72.0 where the background updates to add non-thread unique indexes on receipts would fail if they were previously interrupted. ([\#14650](https://github.com/matrix-org/synapse/issues/14650))
+* Improve validation of field size limits in events. ([\#14664](https://github.com/matrix-org/synapse/issues/14664))
+* Fix bugs introduced in Synapse 1.55.0 and 1.69.0 where application services would not be notified of events in the correct rooms, due to stale caches. ([\#14670](https://github.com/matrix-org/synapse/issues/14670))
+
+[1.58.0]
+* Update Synapse to 1.75.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.75.0)
+* Fix race where calling /members or /state with an at parameter could fail for newly created rooms, when using multiple workers. (#14817)
+* Add a cached function to synapse.module_api that returns a decorator to cache return values of functions. (#14663)
+* Add experimental support for MSC3391 (removing account data). (#14714)
+* Support RFC7636 Proof Key for Code Exchange for OAuth single sign-on. (#14750)
+* Support non-OpenID compliant userinfo claims for subject and picture. (#14753)
+* Improve performance of /sync when filtering all rooms, message types, or senders. (#14786)
+* Improve performance of the /hierarchy endpoint. (#14263)
+* Fix the MAU Limits section of the Grafana dashboard relying on a specific job name for the workers of a Synapse deployment. (#14644)
+* Fix a bug introduced in Synapse 1.70.0 which could cause spurious UNIQUE constraint failed errors in the rotate_notifs background job. (#14669)
+* Ensure stream IDs are always updated after caches get invalidated with workers. Contributed by Nick @ Beeper (@Fizzadar). (#14723)
+* Remove the unspecced device field from /pushrules responses. (#14727)
+* Fix a bug introduced in Synapse 1.73.0 where the picture_claim configured under oidc_providers was unused (the default value of "picture" was used instead). (#14751)
+* Unescape HTML entities in URL preview titles making use of oEmbed responses. (#14781)
+* Disable sending confirmation email when 3pid is disabled. (#14725)
+
+[1.59.0]
+* Update Synapse to 1.76.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.76.0)
+* Faster joins: Fix a bug introduced in Synapse 1.69 where device list EDUs could fail to be handled after a restart when a faster join sync is in progress. (#14914)
+* Update the default room version to v10 (MSC 3904). Contributed by @FSG-Cat. (#14111)
+* Add a set_displayname() method to the module API for setting a user's display name. (#14629)
+* Add a dedicated listener configuration for health endpoint. (#14747)
+* Implement support for MSC3890: Remotely silence local notifications. (#14775)
+* Implement experimental support for MSC3930: Push rules for (MSC3381) Polls. (#14787)
+* Per MSC3925, bundle the whole of the replacement with any edited events, and optionally inhibit server-side replacement. (#14811)
+* Faster joins: always serve a partial join response to servers that request it with the stable query param. (#14839)
+* Faster joins: allow non-lazy-loading ("eager") syncs to complete after a partial join by omitting partial state rooms until they become fully stated. (#14870)
+* Faster joins: request partial joins by default. Admins can opt-out of this for the time being---see the upgrade notes. (#14905)
+
+[1.60.0]
+* Update Synapse to 1.77.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.77.0)
+* Fix bug where retried replication requests would return a failure. Introduced in v1.76.0. ([\#15024](https://github.com/matrix-org/synapse/issues/15024))
+
+[1.61.0]
+* Update Synapse to 1.78.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.78.0)
+* Implement the experimental `exact_event_match` push rule condition from MSC3758. (#14964)
+* Add account data to the command line user data export tool. (#14969)
+* Implement MSC3873 to disambiguate push rule keys with dots in them. (#15004)
+* Allow Synapse to use a specific Redis logical database in worker-mode deployments. (#15034)
+* Tag opentracing spans for federation requests with the name of the worker serving the request. (#15042)
+* Implement the experimental `exact_event_property_contains` push rule condition from MSC3966. (#15045)
+
+[1.62.0]
+* Update Synapse to 1.79.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.79.0)
+* Fix a bug introduced in Synapse 1.79.0rc1 where attempting to register a on_remove_user_third_party_identifier module API callback would be a no-op. (#15227)
+* Fix a rare bug introduced in Synapse 1.73 where events could remain unsent to other homeservers after a faster-join to a room. (#15248)
+* Add two new Third Party Rules module API callbacks: on_add_user_third_party_identifier and on_remove_user_third_party_identifier. (#15044)
+* Experimental support for MSC3967 to not require UIA for setting up cross-signing on first use. (#15077)
+* Add media information to the command line user data export tool. (#15107)
+* Add an admin API to delete a specific event report. (#15116)
+* Add support for knocking to workers. (#15133)
+* Allow use of the /filter Client-Server APIs on workers. (#15134)
+* Update support for MSC2677: remove support for server-side aggregation of reactions. (#15172)
+* Stabilise support for MSC3758: event_property_is push condition. (#15185)
+
+[1.62.1]
+* Update post installation message
+
+[1.63.0]
+* Update Synapse to 1.80.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.80.0)
+* Fix a bug in which the POST `/_matrix/client/v3/rooms/{roomId}/report/{eventId}` endpoint would return the wrong error if the user did not have permission to view the event. This aligns Synapse's implementation with MSC2249. (#15298, #15300)
+* Fix a bug introduced in Synapse 1.75.0rc1 where the SQLite port_db script
+* would fail to open the SQLite database. (#15301)
+* Stabilise support for MSC3966: event_property_contains push condition. (#15187)
+* Implement MSC2659: application service ping endpoint. Contributed by Tulir @ Beeper. (#15249)
+* Allow loading /register/available endpoint on workers. (#15268)
+* Improve performance of creating and authenticating events. (#15195)
+* Add topic and name events to group of events that are batch persisted when creating a room. (#15229)
+* Fix a long-standing bug in which the user directory would assume any remote membership state events represent a profile change. (#14755, #14756)
+* Implement MSC3873 to fix a long-standing bug where properties with dots were handled ambiguously in push rules. (#15190)
+* Faster joins: Fix a bug introduced in Synapse 1.66 where spurious "Failed to find memberships ..." errors would be logged. (#15232)
+* Fix a long-standing error when sending message into deleted room. (#15235)
+
+[1.64.0]
+* Update Synapse to 1.81.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.81.0)
+* Fix the set_device_id_for_pushers_txn background update crash. (#15391)
+* Add the ability to enable/disable registrations when in the OIDC flow. (#14978)
+* Add a primitive helper script for listing worker endpoints. (#15243)
+* Experimental support for passing One Time Key and device key requests to application services (MSC3983 and MSC3984). (#15314, #15321)
+* Allow loading /password_policy endpoint on workers. (#15331)
+* Add experimental support for Unix sockets. Contributed by Jason Little. (#15353)
+* Build Debian packages for Ubuntu 23.04 (Lunar Lobster). (#15381)
+* Fix a long-standing bug where edits of non-m.room.message events would not be correctly bundled. (#15295)
+* Fix a bug introduced in Synapse v1.55.0 which could delay remote homeservers being able to decrypt encrypted messages sent by local users. (#15297)
+* Add a check to SQLite port_db script
+* to ensure that the sqlite database passed to the script exists before trying to port from it. (#15306)
+* Fix a bug introduced in Synapse 1.76.0 where responses from worker deployments could include an internal `_INT_STREAM_POS` key. (#15309)
+* Fix a long-standing bug that Synpase only used the legacy appservice routes. (#15317)
+* Fix a long-standing bug preventing users from rejoining rooms after being banned and unbanned over federation. Contributed by Nico. (#15323)
+* Fix bug in worker mode where on a rolling restart of workers the "typing" worker would consume 100% CPU until it got restarted. (#15332)
+* Fix a long-standing bug where some to_device messages could be dropped when using workers. (#15349)
+* Fix a bug introduced in Synapse 1.70.0 where the background sync from a faster join could spin for hours when one of the events involved had been marked for backoff. (#15351)
+* Fix missing app variable in mail subject for password resets. Contributed by Cyberes. (#15352)
+* Fix a rare bug introduced in Synapse 1.66.0 where initial syncs would fail when the user had been kicked from a faster joined room that had not finished syncing. (#15383)
+
+[1.65.0]
+* Update Synapse to 1.82.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.81.0)
+* Allow loading the `/directory/room/{roomAlias}` endpoint on workers. ([\#15333](https://github.com/matrix-org/synapse/issues/15333))
+* Add some validation to `instance_map` configuration loading. ([\#15431](https://github.com/matrix-org/synapse/issues/15431))
+* Allow loading the `/capabilities` endpoint on workers. ([\#15436](https://github.com/matrix-org/synapse/issues/15436))
+* Delete server-side backup keys when deactivating an account. ([\#15181](https://github.com/matrix-org/synapse/issues/15181))
+* Fix and document untold assumption that `on_logged_out` module hooks will be called before the deletion of pushers. ([\#15410](https://github.com/matrix-org/synapse/issues/15410))
+* Improve robustness when handling a perspective key response by deduplicating received server keys. ([\#15423](https://github.com/matrix-org/synapse/issues/15423))
+* Synapse now correctly fails to start if the config option `app_service_config_files` is not a list. ([\#15425](https://github.com/matrix-org/synapse/issues/15425))
+* Disable loading `RefreshTokenServlet` (`/_matrix/client/(r0|v3|unstable)/refresh`) on workers. ([\#15428](https://github.com/matrix-org/synapse/issues/15428))
+
+[1.66.0]
+* Update Synapse to 1.83.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.83.0)
+* Experimental support to recursively provide relations per [MSC3981](https://github.com/matrix-org/matrix-spec-proposals/pull/3981). ([\#15315](https://github.com/matrix-org/synapse/issues/15315))
+* Experimental support for [MSC3970](https://github.com/matrix-org/matrix-spec-proposals/pull/3970): Scope transaction IDs to devices. ([\#15318](https://github.com/matrix-org/synapse/issues/15318))
+* Add an [admin API endpoint](https://matrix-org.github.io/synapse/v1.83/admin_api/experimental_features.html) to support per-user feature flags. ([\#15344](https://github.com/matrix-org/synapse/issues/15344))
+* Add a module API to send an HTTP push notification. ([\#15387](https://github.com/matrix-org/synapse/issues/15387))
+* Add an [admin API endpoint](https://matrix-org.github.io/synapse/v1.83/admin_api/statistics.html#get-largest-rooms-by-size-in-database) to query the largest rooms by disk space used in the database. ([\#15482](https://github.com/matrix-org/synapse/issues/15482))
+* Disable push rule evaluation for rooms excluded from sync. ([\#15361](https://github.com/matrix-org/synapse/issues/15361))
+* Fix a long-standing bug where cached server key results which were directly fetched would not be properly re-used. ([\#15417](https://github.com/matrix-org/synapse/issues/15417))
+* Fix a bug introduced in Synapse 1.73.0 where some experimental push rules were returned by default. ([\#15494](https://github.com/matrix-org/synapse/issues/15494))
+
+[1.67.0]
+* Update Synapse to 1.84.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.84.0)
+* Fix a bug introduced in Synapse 1.84.0rc1 where errors during startup were not reported correctly on Python < 3.10. ([\#15599](https://github.com/matrix-org/synapse/issues/15599))
+* Add an option to prevent media downloads from configured domains. ([\#15197](https://github.com/matrix-org/synapse/issues/15197))
+* Add `forget_rooms_on_leave` config option to automatically forget rooms when users leave them or are removed from them. ([\#15224](https://github.com/matrix-org/synapse/issues/15224))
+* Add redis TLS configuration options. ([\#15312](https://github.com/matrix-org/synapse/issues/15312))
+* Add a config option to delay push notifications by a random amount, to discourage time-based profiling. ([\#15516](https://github.com/matrix-org/synapse/issues/15516))
+* Stabilize support for [MSC2659](https://github.com/matrix-org/matrix-spec-proposals/pull/2659): application service ping endpoint. Contributed by Tulir @ Beeper. ([\#15528](https://github.com/matrix-org/synapse/issues/15528))
+* Implement [MSC4009](https://github.com/matrix-org/matrix-spec-proposals/pull/4009) to expand the supported characters in Matrix IDs. ([\#15536](https://github.com/matrix-org/synapse/issues/15536))
+* Advertise support for Matrix 1.6 on `/_matrix/client/versions`. ([\#15559](https://github.com/matrix-org/synapse/issues/15559))
+* Print full error and stack-trace of any exception that occurs during startup/initialization. ([\#15569](https://github.com/matrix-org/synapse/issues/15569))
+* Don't fail on federation over TOR where SRV queries are not supported. Contributed by Zdzichu. ([\#15523](https://github.com/matrix-org/synapse/issues/15523))
+* Experimental support for [MSC4010](https://github.com/matrix-org/matrix-spec-proposals/pull/4010) which rejects setting the `"m.push_rules"` via account data. ([\#15554](https://github.com/matrix-org/synapse/issues/15554), [\#15555](https://github.com/matrix-org/synapse/issues/15555))
+* Fix a long-standing bug where an invalid membership event could cause an internal server error. ([\#15564](https://github.com/matrix-org/synapse/issues/15564))
+* Require at least poetry-core v1.1.0. ([\#15566](https://github.com/matrix-org/synapse/issues/15566), [\#15571](https://github.com/matrix-org/synapse/issues/15571))
+
+[1.67.1]
+* Update Synapse to 1.84.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.84.1)
+* Fix a bug introduced in Synapse v1.84.0 where workers do not start up when no `instance_map` was provided
+
+[1.68.0]
+* Update Synapse to 1.85.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.85.0)
+* GHSA-26c5-ppr8-f33p / CVE-2023-32682 — Low Severity
+* GHSA-98px-6486-j7qc / CVE-2023-32683 — Low Severity
+* Fix a performance issue introduced in Synapse v1.83.0 which meant that purging rooms was very slow and database-intensive. (#15693)
+* Improve performance of backfill requests by performing backfill of previously failed requests in the background. (#15585)
+* Add a new admin API to create a new device for a user. (#15611)
+
+[1.68.1]
+* Update Synapse to 1.85.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.85.1)
+* Fix bug in schema delta that broke upgrades for some deployments. Introduced in v1.85.0. (#15738, #15739)
+
+[1.68.2]
+* Update Synapse to 1.85.2
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.85.2)
+* Fix regression where using TLS for HTTP replication between workers did not work. Introduced in v1.85.0. (#15746)
+
+[1.69.0]
+* Update Synapse to 1.86.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.86.0)
+* Fix an error when having workers of different versions running. (#15774)
+* Stable support for MSC3882 to allow an existing device/session to generate a login token for use on a new device/session. (#15388)
+* Support resolving a room's canonical alias via the module API. (#15450)
+* Enable support for MSC3952: intentional mentions. (#15520)
+* Experimental MSC3861 support: delegate auth to an OIDC provider. (#15582)
+* Add Synapse version deploy annotations to Grafana dashboard which enables easy correlation between behavior changes witnessed in a graph to a certain Synapse version and nail down regressions. (#15674)
+* Add a catch-all * to the supported relation types when redacting an event and its related events. This is an update to MSC3912 implementation. (#15705)
+* Speed up /messages by backfilling in the background when there are no backward extremities where we are directly paginating. (#15710)
+* Expose a metric reporting the database background update status. (#15740)
+* Correctly clear caches when we delete a room. (#15609)
+* Check permissions for enabling encryption earlier during room creation to avoid creating broken rooms. (#15695)
+
+[1.70.0]
+* Update Synapse to 1.87.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.87.0)
+* Improve /messages response time by avoiding backfill when we already have messages to return. (#15737)
+* Add spam checker module API for logins. (#15838)
+* Fix a long-standing bug where media files were served in an unsafe manner. Contributed by @joshqou. (#15680)
+* Avoid invalidating a cache that was just prefilled. (#15758)
+* Fix requesting multiple keys at once over federation, related to MSC3983. (#15770)
+* Fix joining rooms through aliases where the alias server isn't a real homeserver. Contributed by @tulir @ Beeper. (#15776)
+
+[1.70.1]
+* Add workaround for broken thumbnailing
+* Update s3 storage provider
+
+[1.71.0]
+* Update Synapse to 1.88.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.88.0)
+* Add not_user_type param to the list accounts admin API. (#15844)
+* Pin pydantic to ^=1.7.4 to avoid backwards-incompatible API changes from the 2.0.0 release.
+* Contributed by @PaarthShah. (#15862)
+* Correctly resize thumbnails with pillow version >=10. (#15876)
+
+[1.72.0]
+* Update Synapse to 1.89.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.89.0)
+* Add Unix Socket support for HTTP Replication Listeners. Document and provide usage instructions for utilizing Unix sockets in Synapse. Contributed by Jason Little. (#15708, #15924)
+* Allow + in Matrix IDs, per MSC4009. (#15911)
+* Support room version 11 from MSC3820. (#15912)
+* Allow configuring the set of workers to proxy outbound federation traffic through via outbound_federation_restricted_to. (#15913, #15969)
+* Implement MSC3814, dehydrated devices v2/shrivelled sessions and move MSC2697 behind a config flag. Contributed by Nico from Famedly, H-Shay and poljar. (#15929)
+* Fix a long-standing bug where remote invites weren't correctly pushed. (#15820)
+* Fix background schema updates failing over a large upgrade gap. (#15887)
+* Fix a bug introduced in 1.86.0 where Synapse starting with an empty experimental_features configuration setting. (#15925)
+* Fixed deploy annotations in the provided Grafana dashboard config, so that it shows for any homeserver and not just matrix.org. Contributed by @wrjlewis. (#15957)
+* Ensure a long state res does not starve CPU by occasionally yielding to the reactor. (#15960)
+* Properly handle redactions of creation events. (#15973)
+* Fix a bug where resyncing stale device lists could block responding to federation transactions, and thus delay receiving new data from the remote server. (#15975)
+
+[1.73.0]
+* Update Synapse to 1.90.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.90.0)
+* Scope transaction IDs to devices (implement MSC3970). (#15629)
+* Remove old rows from the cache_invalidation_stream_by_instance table automatically (this table is unused in SQLite). (#15868)
+* Fix a long-standing bug where purging history and paginating simultaneously could lead to database corruption when using workers. (#15791)
+* Fix a long-standing bug where profile endpoint returned a 404 when the user's display name was empty. (#16012)
+* Fix a long-standing bug where the synapse_port_db failed to configure sequences for application services and partial stated rooms. (#16043)
+* Fix long-standing bug with deletion in dehydrated devices v2. (#16046)
+
+[1.74.0]
+* Turn addon can be optionally enabled/disabled
+
+[1.75.0]
+* Update Synapse to 1.91.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.91.0)
+
+[1.75.1]
+* Update Synapse to 1.91.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.91.1)
+* Fix a performance regression introduced in Synapse 1.91.0 where event persistence would cause an excessive linear growth in CPU usage. (#16220)
+
+[1.75.2]
+* Update Synapse to 1.91.2
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.91.2)
+* Revert MSC3861 introspection cache, admin impersonation and account lock. (#16258)
+
+[1.76.0]
+* Update Synapse to 1.92.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.92.0)
+* Revert MSC3861 introspection cache, admin impersonation and account lock. (#16258)
+* Fix incorrect docstring for Ratelimiter. (#16255)
+
+[1.76.1]
+* Update Synapse to 1.92.2
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.92.2)
+
+[1.76.2]
+* Update Synapse to 1.92.3
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.92.3)
+* Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. (#16347)
+
+[1.77.0]
+* Update Synapse to 1.93.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.93.0)
+* GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity  Temporary storage of plaintext passwords during password changes.
+* GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity Improper validation of receipts allows forged read receipts.
+* Add automatic purge after all users have forgotten a room. (#15488)
+* Restore room purge/shutdown after a Synapse restart. (#15488)
+* Support resolving homeservers using matrix-fed DNS SRV records from MSC4040. (#16137)
+* Add the ability to use G (GiB) and T (TiB) suffixes in configuration options that refer to numbers of bytes. (#16219)
+* Add span information to requests sent to appservices. Contributed by MTRNord. (#16227)
+* Add the ability to enable/disable registrations when using CAS. Contributed by Aurélien Grimpard. (#16262)
+* Allow the /notifications endpoint to be routed to workers. (#16265)
+
+[1.78.0]
+* Update base image to 4.2.0
+
+[1.79.0]
+* Update Synapse to 1.94.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.94.0)
+* Render plain, CSS, CSV, JSON and common image formats in the browser (inline) when requested through the /download endpoint. (#15988)
+* Add experimental support for MSC4028 to push all encrypted events to clients. (#16361)
+* Minor performance improvement when sending presence to federated servers. (#16385)
+* Minor performance improvement by caching server ACL checking. (#16360)
+
+[1.80.0]
+* Update Synapse to 1.95.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.95.0)
+* Remove legacy unspecced `knock_state_events` field returned in some responses. (#16403)
+* Fix a bug introduced in Synapse 1.81.0 where an AttributeError would be raised when `_matrix/client/v3/account/whoami` is called over a unix socket. Contributed by @Sir-Photch. (#16404)
+* Properly return inline media when content types have parameters. (#16440)
+* Prevent the purging of large rooms from timing out when Postgres is in use. The timeout which causes this issue was introduced in Synapse 1.88.0. (#16455)
+* Improve the performance of purging rooms, particularly encrypted rooms. (#16457)
+* Fix a bug introduced in Synapse 1.59.0 where servers could be incorrectly marked as available after an error response was received. (#16506)
+
+[1.80.1]
+* Update Synapse to 1.95.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.95.1)
+* GHSA-mp92-3jfm-3575 / CVE-2023-43796 — Moderate Severity
+
+[1.81.0]
+* Update Synapse to 1.96.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.96.1)
+* Add experimental support to allow multiple workers to write to receipts stream. (#16432)
+* Add a new module API for controller presence. (#16544)
+* Add a new module API callback that allows adding extra fields to events' unsigned section when sent down to clients. (#16549)
+* Improve the performance of claiming encryption keys. (#16565, #16570)
+
+[1.82.0]
+* Switch LDAP authentication to OIDC login
+
+[1.83.0]
+* Update Synapse to 1.97.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.97.0)
+* Add support for asynchronous uploads as defined by MSC2246. Contributed by @sumnerevans at @beeper. (#15503)
+* Improve the performance of some operations in multi-worker deployments. (#16613, #16616)
+* Fix a long-standing bug where some queries updated the same row twice. Introduced in Synapse 1.57.0. (#16609)
+* Fix a long-standing bug where Synapse would not unbind third-party identifiers for Application Service users when deactivated and would not emit a compliant response. (#16617)
+* Fix sending out of order POSITION over replication, causing additional database load. (#16639)
+
+[1.84.0]
+* Update Synapse to 1.98.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.98.0)
+* Synapse now declares support for Matrix v1.7, v1.8, and v1.9. (#16707)
+* Add `on_user_login` module API callback for when a user logs in. (#15207)
+* Support MSC4069: Inhibit profile propagation. (#16636)
+* Restore tracking of requests and monthly active users when delegating authentication via MSC3861 to an OIDC provider. (#16672)
+* Add an autojoin setting for server notices rooms, so users may be joined directly instead of receiving an invite. (#16699)
+* Follow redirects when downloading media over federation (per MSC3860). (#16701)
+
+[1.85.0]
+* Update public suffix list as part of the base image to get the latest domains
+
+[1.86.0]
+* Update Synapse to 1.99.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.99.0)
+* Add config options to set the avatar and the topic of the server notices room, as well as the avatar of the server notices user. (\https://github.com/element-hq/synapse/issues/16679)
+* Add config option email.notif_delay_before_mail to tweak the delay before an email is sent following a notification. (\https://github.com/element-hq/synapse/issues/16696)
+* Add new configuration option sentry.environment for improved system monitoring. Contributed by @zeeshanrafiqrana. (\https://github.com/element-hq/synapse/issues/16738)
+* Filter out rooms from the room directory being served to other homeservers when those rooms block that homeserver by their Access Control Lists. (\https://github.com/element-hq/synapse/pull/16759)
+* Fix a long-standing bug where the signing keys generated by Synapse were world-readable. Contributed by Fabian Klemp. (\https://github.com/element-hq/synapse/issues/16740)
+* Fix email verification redirection. Contributed by Fadhlan Ridhwanallah. (\https://github.com/element-hq/synapse/pull/16761)
+* Fixed a bug that prevented users from being queried by display name if it contains non-ASCII characters. (\https://github.com/element-hq/synapse/pull/16767)
+* Allow reactivate user without password with Admin API in some edge cases. (\https://github.com/element-hq/synapse/pull/16770)
+* Adds the recursion_depth parameter to the response of the /relations endpoint if MSC3981 recursion is being performed. (\https://github.com/element-hq/synapse/pull/16775)
+* Added version picker for Synapse documentation. Contributed by @Dmytro27Ind. (\https://github.com/element-hq/synapse/issues/16533)
+* Clarify that password_config.enabled: "only_for_reauth" does not allow new logins to be created using password auth. (\https://github.com/element-hq/synapse/issues/16737)
+* Remove value from header in configuration documentation for refresh_token_lifetime. (\https://github.com/element-hq/synapse/pull/16763)
+* Add another custom statistics collection server to the documentation. Contributed by @loelkes. (\https://github.com/element-hq/synapse/pull/16769)
+* Remove run-once workflow after adding the version picker to the documentation. (\https://github.com/element-hq/synapse/pull/9453)
+* Update the implementation of [MSC2965](matrix-org/matrix-spec-proposals#2965) (OIDC Provider discovery). (\https://github.com/element-hq/synapse/issues/16726)
+* Move the rust stubs inline for better IDE integration. (\https://github.com/element-hq/synapse/pull/16757)
+* Fix sample config doc CI. (\https://github.com/element-hq/synapse/pull/16758)
+* Simplify event internal metadata class. (\https://github.com/element-hq/synapse/pull/16762, \https://github.com/element-hq/synapse/pull/16780)
+* Sign the published docker image using cosign. (\https://github.com/element-hq/synapse/pull/16774)
+* Port EventInternalMetadata class to Rust. (\https://github.com/element-hq/synapse/pull/16782)
+* Bump actions/setup-go from 4 to 5. (\https://github.com/element-hq/synapse/issues/16749)
+* Bump actions/setup-python from 4 to 5. (\https://github.com/element-hq/synapse/issues/16748)
+* Bump immutabledict from 3.0.0 to 4.0.0. (\https://github.com/element-hq/synapse/issues/16743)
+* Bump isort from 5.12.0 to 5.13.0. (\https://github.com/element-hq/synapse/issues/16745)
+* Bump isort from 5.13.0 to 5.13.1. (\https://github.com/element-hq/synapse/issues/16752)
+* Bump pydantic from 2.5.1 to 2.5.2. (\https://github.com/element-hq/synapse/issues/16747)
+* Bump ruff from 0.1.6 to 0.1.7. (\https://github.com/element-hq/synapse/issues/16746)
+* Bump types-setuptools from 68.2.0.2 to 69.0.0.0. (\https://github.com/element-hq/synapse/issues/16744)
+
+[1.87.0]
+* Update Synapse to 1.100.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.100.0)
+* Fix database performance regression due to changing Postgres table statistics. Introduced in v1.100.0rc1. (#16849)
+* Advertise experimental support for MSC4028 through /matrix/clients/versions if enabled. Contributed by @hanadi92. (#16787)
+* Handle wildcard type filters properly for room messages endpoint. Contributed by Mo Balaa. (#14984)
+
+[1.88.0]
+* Update Synapse to 1.101.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.101.0)
+* Add support for stabilised MSC3981 that adds a recurse parameter on the /relations API. (#16842)
+* Fix performance regression when fetching auth chains from the DB. Introduced in v1.100.0. (#16893)
+
+[1.89.0]
+* Update Synapse to 1.102.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.102.0)
+* A metric was added for emails sent by Synapse, broken down by type: `synapse_emails_sent_total`. Contributed by Remi Rampin. (#16881)
+* Do not send multiple concurrent requests for keys for the same server. (#16894)
+* Fix performance issue when joining very large rooms that can cause the server to lock up. Introduced in v1.100.0. (#16903)
+* Always prefer unthreaded receipt when >1 exist (MSC4102). (#16927)
+
+[1.90.0]
+* Update Synapse to 1.103.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.103.0)
+* Add a new List Accounts v3 Admin API with improved deactivated user filtering capabilities. (#16874)
+* Include Retry-After header by default per MSC4041. Contributed by @clokep. (#16947)
+* Fix joining remote rooms when a module uses the `on_new_event` callback. This callback may now pass partial state events instead of the full state for remote rooms. Introduced in v1.76.0. (#16973)
+* Fix performance issue when joining very large rooms that can cause the server to lock up. Introduced in v1.100.0. Contributed by @ggogel. (#16968)
+
+[1.91.0]
+* Update Synapse to 1.104.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.104.0)
+* Fix regression when using OIDC provider. Introduced in v1.104.0rc1. (#17031)
+* Add an OIDC config to specify extra parameters for the authorization grant URL. IT can be useful to pass an ACR value for example. (#16971)
+* Add support for OIDC provider returning JWT. (#16972, #17031)
+* Fix a bug which meant that, under certain circumstances, we might never retry sending events or to-device messages over federation after a failure. (#16925)
+* Fix various long-standing bugs which could cause incorrect state to be returned from /sync in certain situations. (#16949)
+* Fix case in which m.fully_read marker would not get updated. Contributed by @SpiritCroc. (#16990)
+* Fix bug which did not retract a user's pending knocks at rooms when their account was deactivated. Contributed by @hanadi92. (#17010)
+
+[1.91.1]
+* Update Synapse to 1.105.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.105.0)
+* Stabilize support for MSC4010 which clarifies the interaction of push rules and account data. Contributed by @clokep. (#17022)
+* Stabilize support for MSC3981: /relations recursion. Contributed by @clokep. (#17023)
+* Add support for moving /pushrules off of main process. (#17037, #17038)
+* Fix various long-standing bugs which could cause incorrect state to be returned from /sync in certain situations. (#16930, #16932, #16942, #17064, #17065, #17066)
+* Fix server notice rooms not always being created as unencrypted rooms, even when encryption_enabled_by_default_for_room_type is in use (server notices are always unencrypted). (#17033)
+* Fix the .m.rule.encrypted_room_one_to_one and .m.rule.room_one_to_one default underride push rules being in the wrong order. Contributed by @Sumpy1. (#17043)
+
+[1.91.2]
+* Update Synapse to 1.105.1
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.105.1)
+* GHSA-3h7q-rfh9-xm4v / CVE-2024-31208 — High Severity . Weakness in auth chain indexing allows DoS from remote room members through disk fill and high CPU usage.
+
+[1.92.0]
+* Update Synapse to 1.106.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.106.0)
+* Send an email if the address is already bound to an user account. (#16819)
+* Implement the rendezvous mechanism described by MSC4108. (#17056)
+* Support delegating the rendezvous mechanism described MSC4108 to an external implementation. (#17086)
+* Add validation to ensure that the limit parameter on /publicRooms is non-negative. (#16920)
+* Return 400 M_NOT_JSON upon receiving invalid JSON in query parameters across various client and admin endpoints, rather than an internal server error. (#16923)
+* Make the CSAPI endpoint /keys/device_signing/upload idempotent. (#16943)
+* Redact membership events if the user requested erasure upon deactivating. (#17076)
+
+[1.93.0]
+* Update Synapse to 1.107.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.107.0)
+
+[1.94.0]
+* Update Synapse to 1.108.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.108.0)
+* Add a feature that allows clients to query the configured federation whitelist. Disabled by default. (#16848, #17199)
+* Add the ability to allow numeric user IDs with a specific prefix when in the CAS flow. Contributed by Aurélien Grimpard. (#17098)
+* Fix bug where push rules would be empty in /sync for some accounts. Introduced in v1.93.0. (#17142)
+* Add support for optional whitespace around the Federation API's Authorization header's parameter commas. (#17145)
+* Fix bug where disabling room publication prevented public rooms being created on workers. (#17177, #17184)
+
+[1.95.0]
+* Update Synapse to 1.109.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.109.0)
+
+[1.96.0]
+* Update Synapse to 1.110.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.110.0)
+
+[1.97.0]
+* Update Synapse to 1.111.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.111.0)
+

CloudronManifest.json

@@ -5,17 +5,17 @@
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG.md",
   "tagline": "Secure & decentralized communication",
-  "version": "1.52.0",
+  "version": "1.97.0",
-  "upstreamVersion": "1.69.0",
+  "upstreamVersion": "1.111.0",
   "healthCheckPath": "/",
   "httpPort": 8008,
   "memoryLimit": 536870912,
   "addons": {
     "localstorage": {},
-    "ldap": {},
+    "oidc": { "loginRedirectUri": "/_synapse/client/oidc/callback" },
     "postgresql": {},
     "sendmail": { "supportsDisplayName": true },
-    "turn": {}
+    "turn": { "optional": true }
   },
   "manifestVersion": 2,
   "website": "https://matrix.org",
@@ -30,7 +30,7 @@
     "https://screenshots.cloudron.io/org.matrix.synapse/3.png"
   ],
   "postInstallMessage": "file://POSTINSTALL.md",
-  "minBoxVersion": "7.2.0",
+  "minBoxVersion": "7.5.1",
   "forumUrl": "https://forum.cloudron.io/category/50/matrix-synapse-riot",
   "documentationUrl": "https://docs.cloudron.io/apps/synapse/",
   "optionalSso": true

Dockerfile

@@ -1,5 +1,5 @@
-FROM cloudron/base:3.2.0@sha256:ba1d566164a67c266782545ea9809dc611c4152e27686fd14060332dd88263ea
+FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
- 
+
 RUN mkdir -p /app/pkg
 
 WORKDIR /app/code
@@ -9,15 +9,21 @@ RUN virtualenv -p python3 /app/code/env
 ENV VIRTUAL_ENV=/app/code/env
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 
-ARG VERSION=v1.69.0
+ARG VERSION=1.111.0
+
+# https://github.com/matrix-org/synapse-s3-storage-provider
+ARG STORAGE_PROVIDER_VERSION=1beb6af95e1f5caedb8e6e7e1cc176cdb2106d37
 
 # Synapse (https://github.com/matrix-org/synapse/blob/master/INSTALL.md)
 # lxml - required for previews
 RUN pip install --upgrade pip && \
     pip install --upgrade setuptools && \
-    pip install matrix-synapse==${VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml publicsuffix2 git+https://github.com/matrix-org/synapse-s3-storage-provider.git@ffd3fa477321608e57d27644197e721965e0e858 matrix-synapse[oidc]
+    pip install matrix-synapse==v${VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml publicsuffix2 git+https://github.com/matrix-org/synapse-s3-storage-provider.git@${STORAGE_PROVIDER_VERSION} matrix-synapse[oidc]
 
-RUN ln -sf /app/data/index.html /app/code/env/lib/python3.8/site-packages/synapse/static/index.html
+# Updated suffix list
+RUN curl -L https://publicsuffix.org/list/public_suffix_list.dat -o /app/code/env/lib/python3.10/site-packages/publicsuffix2/public_suffix_list.dat
+
+RUN ln -sf /app/data/index.html /app/code/env/lib/python3.10/site-packages/synapse/static/index.html
 
 RUN chown -R cloudron.cloudron /app/code
 

POSTINSTALL.md

@@ -1,5 +1,5 @@
 Account ids are created with the username and the second level domain under which the
-app is installed e.g. `@$CLOUDRON-USERNAME@$CLOUDRON-APP-DOMAIN`.
+app is installed e.g. `@$CLOUDRON-USERNAME:$CLOUDRON-APP-DOMAIN`.
 
 For federation to work, the delegation URI `https://$CLOUDRON-APP-DOMAIN/.well-known/matrix/server`
 must be configured. See the [docs](https://docs.cloudron.io/apps/synapse/#post-installation) on how to do this.

start.sh

@@ -35,12 +35,12 @@ if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
     yq eval -i ".auto_join_rooms=[]" /app/data/configs/homeserver.yaml
     yq eval -i ".auto_join_rooms[0]=\"#discuss:${server_name}\"" /app/data/configs/homeserver.yaml
 
-    if [[ -z "${CLOUDRON_LDAP_SERVER:-}" ]]; then
+    if [[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
         yq eval -i ".enable_registration=true" /app/data/configs/homeserver.yaml
-        yq eval -i ".password_config.pepper=\"$(pwgen -1s 12)\"" /app/data/configs/homeserver.yaml
         # just setting enabled to false is not enough. see https://github.com/matrix-org/matrix-synapse-ldap3/issues/123
         yq eval -i "del(.password_providers)" /app/data/configs/homeserver.yaml
     fi
+    yq eval -i ".password_config.pepper=\"$(pwgen -1s 12)\"" /app/data/configs/homeserver.yaml # always set this so that users can enable password login if needed
 fi
 
 echo "==> Ensure we log to console"
@@ -65,15 +65,25 @@ yq eval -i ".email.smtp_user=\"${CLOUDRON_MAIL_SMTP_USERNAME}\"" /app/data/confi
 yq eval -i ".email.smtp_pass=\"${CLOUDRON_MAIL_SMTP_PASSWORD}\"" /app/data/configs/homeserver.yaml
 yq eval -i ".email.notif_from=\"${CLOUDRON_MAIL_FROM_DISPLAY_NAME:-Matrix} <${CLOUDRON_MAIL_FROM}>\"" /app/data/configs/homeserver.yaml
 
-# ldap
+# oidc
-if [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]]; then
+if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
-    yq eval -i ".password_providers[0].config.uri=\"${CLOUDRON_LDAP_URL}\"" /app/data/configs/homeserver.yaml
+    yq eval -i "del(.password_providers)" /app/data/configs/homeserver.yaml # remove old ldap config
-    yq eval -i ".password_providers[0].config.start_tls=false" /app/data/configs/homeserver.yaml
+    echo " ==> Configuring OIDC auth"
-    yq eval -i ".password_providers[0].config.base=\"${CLOUDRON_LDAP_USERS_BASE_DN}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].idp_id=\"cloudron\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".password_providers[0].config.bind_dn=\"${CLOUDRON_LDAP_BIND_DN}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].idp_name=\"Cloudron\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".password_providers[0].config.bind_password=\"${CLOUDRON_LDAP_BIND_PASSWORD}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].issuer=\"${CLOUDRON_OIDC_ISSUER}\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".password_providers[0].config.filter=\"(objectClass=user)\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].client_id=\"${CLOUDRON_OIDC_CLIENT_ID}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].client_secret=\"${CLOUDRON_OIDC_CLIENT_SECRET}\"" /app/data/configs/homeserver.yaml
 
+    yq eval -i ".oidc_providers[0].scopes=[\"openid\", \"email\", \"profile\"]" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].authorization_endpoint=\"${CLOUDRON_OIDC_AUTH_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].token_endpoint=\"${CLOUDRON_OIDC_TOKEN_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].userinfo_endpoint=\"${CLOUDRON_OIDC_PROFILE_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+    # https://s3lph.me/ldap-to-oidc-migration-3-matrix.html
+    yq eval -i ".oidc_providers[0].allow_existing_users=true" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].skip_verification=true" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].user_mapping_provider.config.localpart_template=\"{{ user.sub }}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].user_mapping_provider.config.display_name_template=\"{{ user.name }}\"" /app/data/configs/homeserver.yaml
 else
     yq eval -i ".password_config.localdb_enabled=true" /app/data/configs/homeserver.yaml
     # just setting enabled to false is not enough. see https://github.com/matrix-org/matrix-synapse-ldap3/issues/123
@@ -81,10 +91,12 @@ else
 fi
 
 # turn (https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md#synapse-setup)
-yq eval -i ".turn_uris=[]" /app/data/configs/homeserver.yaml
+if [[ -n "${CLOUDRON_TURN_SERVER:-}" ]]; then
-yq eval -i ".turn_uris[0]=\"turn:${CLOUDRON_TURN_SERVER}:${CLOUDRON_TURN_TLS_PORT}?transport=udp\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".turn_uris=[]" /app/data/configs/homeserver.yaml
-yq eval -i ".turn_uris[1]=\"turn:${CLOUDRON_TURN_SERVER}:${CLOUDRON_TURN_TLS_PORT}?transport=tcp\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".turn_uris[0]=\"turn:${CLOUDRON_TURN_SERVER}:${CLOUDRON_TURN_TLS_PORT}?transport=udp\"" /app/data/configs/homeserver.yaml
-yq eval -i ".turn_shared_secret=\"${CLOUDRON_TURN_SECRET}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".turn_uris[1]=\"turn:${CLOUDRON_TURN_SERVER}:${CLOUDRON_TURN_TLS_PORT}?transport=tcp\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".turn_shared_secret=\"${CLOUDRON_TURN_SECRET}\"" /app/data/configs/homeserver.yaml
+fi
 
 # fix permissions
 echo "==> Fixing permissions"

test/package.json

@@ -9,11 +9,9 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "chromedriver": "^106.0.1",
+    "chromedriver": "^126.0.4",
     "expect.js": "^0.3.1",
-    "mocha": "^10.1.0",
+    "mocha": "^10.6.0",
-    "selenium-server-standalone-jar": "^3.141.59",
+    "selenium-webdriver": "^4.22.0"
-    "selenium-webdriver": "^4.5.0",
-    "superagent": "^8.0.0"
   }
 }

test/test.js

@@ -1,214 +1,360 @@
 #!/usr/bin/env node
 
 /* jshint esversion: 8 */
-/* global describe */
+/* global it:false */
-/* global before */
+/* global xit:false */
-/* global after */
+/* global describe:false */
-/* global it */
+/* global before:false */
-/* global xit */
+/* global after:false */
 
 'use strict';
 
 require('chromedriver');
 
-var execSync = require('child_process').execSync,
+const execSync = require('child_process').execSync,
     expect = require('expect.js'),
     path = require('path'),
-    superagent = require('superagent'),
     { Builder, By, Key, until } = require('selenium-webdriver'),
     { Options } = require('selenium-webdriver/chrome');
 
+
+if (!process.env.USERNAME || !process.env.PASSWORD) {
+    console.log('USERNAME and PASSWORD env vars need to be set');
+    process.exit(1);
+}
+
 describe('Application life cycle test', function () {
     this.timeout(0);
 
+    const ELEMENT_LOCATION = 'element-test';
     const LOCATION = 'test';
-    const TEST_TIMEOUT = 10000;
+    const TEST_TIMEOUT = parseInt(process.env.TIMEOUT, 10) || 10000;
     const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
+    const USERNAME = process.env.USERNAME;
+    const PASSWORD = process.env.PASSWORD;
+    const ROOM_ID = Math.floor((Math.random() * 100) + 1);
+    const ROOM_NAME = 'Test room ' + ROOM_ID;
+    const MSG_TEXT = 'Test message ';
 
-    const username = process.env.USERNAME;
+    let browser, app;
-    const password = process.env.PASSWORD;
+    let athenticated_by_oidc = false;
-
-    var app, browser;
-    var token, roomId;
 
     before(function () {
-        if (!process.env.USERNAME) throw new Error('USERNAME env var not set');
+        const options = new Options().windowSize({ width: 1280, height: 1024 });
-        if (!process.env.PASSWORD) throw new Error('PASSWORD env var not set');
+        if (process.env.HEADLESS) options.addArguments('headless');
 
-        browser = new Builder().forBrowser('chrome').setChromeOptions(new Options().windowSize({ width: 1280, height: 1024 })).build();
+        browser = new Builder().forBrowser('chrome').setChromeOptions(options).build();
     });
 
     after(function () {
         browser.quit();
     });
 
+    function sleep(millis) {
+        return new Promise(resolve => setTimeout(resolve, millis));
+    }
+
+    async function waitForElement(elem) {
+        await browser.wait(until.elementLocated(elem), TEST_TIMEOUT);
+        await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
+    }
+
     function getAppInfo() {
-        var inspect = JSON.parse(execSync('cloudron inspect'));
+        const inspect = JSON.parse(execSync('cloudron inspect'));
         app = inspect.apps.filter(function (a) { return a.location.indexOf(LOCATION) === 0; })[0];
         expect(app).to.be.an('object');
     }
 
+    function getElementAppInfo() {
+        const inspect = JSON.parse(execSync('cloudron inspect'));
+        app = inspect.apps.filter(function (a) { return a.location.indexOf(ELEMENT_LOCATION) === 0; })[0];
+        expect(app).to.be.an('object');
+    }
+
+    function getMessage() {
+        return MSG_TEXT + Math.floor((Math.random() * 100) + 1);
+    }
+
+    async function updateSynapseConfig() {
+        console.log(`Setting Synapse Matrix server location to "https://${app.fqdn}"`);
+        execSync(`cloudron exec --app ${ELEMENT_LOCATION} -- bash -c "jq '.default_server_config[\\"m.homeserver\\"].base_url = \\"https://${app.fqdn}\\"' /app/data/config.json | sponge /app/data/config.json"`);
+        execSync(`cloudron restart --app ${ELEMENT_LOCATION}`);
+        // wait when all services are up and running
+        await sleep(15000);
+    }
+
     async function checkLandingPage() {
         await browser.get(`https://${app.fqdn}`);
         await browser.wait(until.elementLocated(By.xpath('//h1[contains(text(),"Synapse is running")]')), TEST_TIMEOUT);
     }
 
-    // https://matrix.org/docs/spec/client_server/latest#user-interactive-api-in-the-rest-api
+    async function registerUser() {
-    function registerUser(done) {
+        await browser.get(`https://${app.fqdn}/#/register`);
-        superagent.post('https://' + app.fqdn + '/_matrix/client/r0/register?kind=user').send({
+        await waitForElement(By.xpath('//input[@label="Username"]'));
-            username: username,
+        await browser.findElement(By.xpath('//input[@label="Username"]')).sendKeys(USERNAME);
-            password: password,
+        await browser.sleep(2000);
-            inhibit_login: false
+        await browser.findElement(By.xpath('//input[@label="Password"]')).sendKeys(PASSWORD);
-        }).end(function (error, result) {
+        await browser.sleep(2000);
-            // we will first get a 401
+        await browser.findElement(By.xpath('//input[@label="Confirm password"]')).sendKeys(PASSWORD);
-            let session = result.body.session;
+        await browser.sleep(2000);
-            console.log('session is', session);
+        await browser.findElement(By.xpath('//input[@value="Register"]')).click();
-            if (result.statusCode !== 401) return done(new Error('Expecting a 401 ' + result.statusCode));
+        await browser.sleep(2000);
-
+        await waitForElement(By.xpath('//h1[text()="You\'re in"]'));
-            superagent.post('https://' + app.fqdn + '/_matrix/client/r0/register?kind=user').send({
+        await browser.sleep(2000);
-                auth: {
+        await browser.findElement(By.xpath('//div[@role="button" and text()="Skip"]')).click();
-                    type: 'm.login.dummy',
+        await browser.sleep(2000);
-                    session: session
+        await waitForElement(By.xpath(`//h1[contains(., "Welcome")]`));
-                },
-                username: username,
-                password: password,
-                inhibit_login: false
-            }).end(function (error, result) {
-                if (error) return done(error);
-                if (result.statusCode !== 200) return done(new Error('Login failed with status ' + result.statusCode));
-
-                console.log('registered user with id', result.body.user_id);
-
-                done();
-            });
-        });
     }
 
-    // https://matrix.org/docs/spec/client_server/latest
+    async function loginOIDC(username, password) {
-    function checkLogin(done) {
+        browser.manage().deleteAllCookies();
-        superagent.post('https://' + app.fqdn + '/_matrix/client/r0/login').send({
+        await browser.get(`https://${app.fqdn}/#/login`);
-            type: 'm.login.password',
+        await browser.sleep(6000);
-            user: username,
-            password: password
-        }).end(function (error, result) {
-            if (error) return done(error);
-            if (result.statusCode !== 200) return done(new Error('Login failed with status ' + result.statusCode));
 
-            token = result.body.access_token;
+        await waitForElement(By.xpath('//div[@role="button" and contains(., "Continue with Cloudron")]'));
-            if (!token) return done(new Error('No token'));
+        await browser.findElement(By.xpath('//div[@role="button" and contains(., "Continue with Cloudron")]')).click();
+        await browser.sleep(2000);
 
-            done();
+        if (!athenticated_by_oidc) {
-        });
+            await waitForElement(By.xpath('//input[@name="username"]'));
+            await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
+            await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
+            await browser.sleep(2000);
+            await browser.findElement(By.id('loginSubmitButton')).click();
+            await browser.sleep(2000);
+
+            athenticated_by_oidc = true;
+        }
+
+        await waitForElement(By.xpath('//p[@class="confirm-trust" and contains(., "Continuing will grant ")]'));
+        await browser.findElement(By.xpath('//a[contains(., "Continue")]')).click();
+        await browser.sleep(2000);
+
+        //if (await browser.findElements(By.xpath('//div[@aria-label="Skip verification for now"]')).then(found => !!found.length)) {
+//            await skipVerification();
+        //}
+
+        await browser.sleep(3000);
+        await waitForElement(By.xpath(`//h1[contains(., "Welcome")]`));
     }
 
-    function checkAutoJoinRoom(done) {
+    async function login() {
-        superagent.get('https://' + app.fqdn + '/_matrix/client/r0/joined_rooms?access_token=' + token).end(function (error, result) {
+        await browser.get('https://' + app.fqdn + '/#/login');
-            if (error) return done(error);
+        await browser.wait(until.elementLocated(By.xpath('//input[@value="Sign in"]')), TEST_TIMEOUT);
-            if (result.statusCode !== 200) return done(new Error('Room listing failed with status ' + result.statusCode));
+        await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(USERNAME);
+        await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(PASSWORD);
+        await browser.findElement(By.xpath('//input[@value="Sign in"]')).click();
+        await browser.sleep(5000);
 
-            if (result.body.joined_rooms.length !== 1) return done(new Error('User must have auto-joined discuss channel:' + result.statusCode));
+        if (await browser.findElements(By.xpath('//div[@aria-label="Skip verification for now"]')).then(found => !!found.length)) {
-            done();
+            await skipVerification();
-        });
+        }
+
+        await browser.wait(until.elementLocated(By.xpath('//span[text()="Rooms"]')), TEST_TIMEOUT);
     }
 
-    function createRoom(done) {
+    async function skipVerification() {
-        superagent.post('https://' + app.fqdn + '/_matrix/client/r0/createRoom?access_token=' + token).send({
+        await browser.wait(until.elementLocated(By.xpath('//div[@aria-label="Skip verification for now"]')), TEST_TIMEOUT);
-            room_alias_name: 'general'
+        await browser.sleep(5000);
-        }).end(function (error, result) {
+        await browser.findElement(By.xpath('//div[@aria-label="Skip verification for now"]')).click();
-            if (error) return done(error);
+        await browser.wait(until.elementLocated(By.xpath('//div[contains(text(), "verify later")]')), TEST_TIMEOUT);
-            if (result.statusCode !== 200) return done(new Error('Room creation failed with status ' + result.statusCode));
+        await browser.sleep(5000);
-
+        await browser.findElement(By.xpath('//div[contains(text(), "verify later")]')).click();
-            roomId = result.body.room_id;
+        await browser.sleep(5000);
-            if (!roomId) return done(new Error('No room id'));
-
-            done();
-        });
     }
 
-    function checkRoom(done) {
+    async function logout() {
-        superagent.get('https://' + app.fqdn + '/_matrix/client/r0/joined_rooms?access_token=' + token).end(function (error, result) {
+        await browser.get('https://' + app.fqdn + '/#/home');
-            if (error) return done(error);
+        await browser.sleep(5000);
-            if (result.statusCode !== 200) return done(new Error('Room listing failed with status ' + result.statusCode));
+        await waitForElement(By.xpath('//div[@role="button" and @aria-label="User menu"]'));
 
-            if (!result.body.joined_rooms.includes(roomId)) return done(new Error('No room in list: ' + JSON.stringify(result.body)));
+        await browser.findElement(By.xpath('//div[@role="button" and @aria-label="User menu"]')).click();
+        await browser.sleep(2000);
 
-            done();
+        await browser.findElement(By.xpath('//li[@role="menuitem" and @aria-label="Sign out"]')).click();
-        });
+        await browser.sleep(2000);
+
+//        if (await browser.findElements(By.xpath('//button[contains(text(), "I don\'t want my encrypted messages")]')).then(found => !!found.length)) {
+            await browser.findElement(By.xpath('//button[contains(text(), "I don\'t want my encrypted messages")]')).click();
+            await browser.sleep(3000);
+//        }
+
+        await waitForElement(By.xpath('//h1[text()="Sign in"]'));
+    }
+
+    async function isLoggedIn() {
+        await browser.get('https://' + app.fqdn + '/#/home');
+        await browser.wait(until.elementLocated(By.xpath('//span[text()="Rooms"]')), TEST_TIMEOUT);
+    }
+
+    async function createRoom() {
+        await browser.get('https://' + app.fqdn + '/#/home');
+        await browser.sleep(4000);
+        await waitForElement(By.xpath('//div[@role="button" and @aria-label="Add room"]'));
+        await browser.findElement(By.xpath('//div[@role="button" and @aria-label="Add room"]')).click();
+        await browser.sleep(2000);
+        await browser.findElement(By.xpath('//li[@role="menuitem" and @aria-label="New room"]')).click();
+        await browser.sleep(2000);
+
+        await browser.findElement(By.xpath('//input[@label="Name"]')).sendKeys(ROOM_NAME);
+        await browser.sleep(2000);
+
+        await browser.findElement(By.xpath('//button[text()="Create room"]')).click();
+        await browser.sleep(2000);
+
+        await waitForElement(By.xpath('//div[@role="button" and @aria-label="Add room"]'));
+
+        await waitForElement(By.xpath('//div[@class="mx_RoomTile_titleContainer"]/div[@title="' + ROOM_NAME + '"]'));
+    }
+
+    async function checkRoom() {
+        await browser.get('https://' + app.fqdn + '/#/home');
+        await browser.sleep(4000);
+        await waitForElement(By.xpath('//div[@role="treeitem" and @aria-label="' + ROOM_NAME + '"]'));
+        await browser.findElement(By.xpath('//div[@role="treeitem" and @aria-label="' + ROOM_NAME + '"]')).click();
+        await browser.sleep(2000);
+        await waitForElement(By.xpath('//h2[text()="' + ROOM_NAME + '"]'));
+    }
+
+    async function sendMessage() {
+        await checkRoom();
+
+        await browser.findElement(By.xpath('//div[contains(@class, "mx_BasicMessageComposer_input")]')).sendKeys(getMessage());
+        await browser.sleep(2000);
+
+        await browser.findElement(By.xpath('//div[@role="button" and @aria-label="Send message"]')).click();
+        await browser.sleep(2000);
     }
 
     xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
 
-    // No SSO
+    // // No SSO
-    it('install app (no sso)', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); });
+    // it('install app (no sso)', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); });
+    // it('can get app information', getAppInfo);
+    // it('check landing page', checkLandingPage);
 
-    it('can get app information', getAppInfo);
+    // it('can install element-web app (no sso)', function () { execSync('cloudron install --appstore-id im.riot.cloudronapp --location ' + ELEMENT_LOCATION, EXEC_ARGS); });
+    // it('update element-app config', updateSynapseConfig);
 
-    it('check landing page', checkLandingPage);
+    // it('can get Element app info', getElementAppInfo);
-    it('can register new user', registerUser);
+    // it('can register new user', registerUser);
-    it('can login', checkLogin);
+    // it('create room', createRoom);
-    it('check autojoin', checkAutoJoinRoom);
+    // it('can send message', sendMessage);
-    it('create room', createRoom);
-    it('check room', checkRoom);
 
-    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
+    // it('can logout', logout);
+
+    // it('can login', login);
+    // it('check room', checkRoom);
+    // it('can logout', logout);
+
+    // it('can get app info', getAppInfo);
+
+    // it('uninstall element-web app', async function () {
+    //     await browser.get('about:blank');
+    //     execSync(`cloudron uninstall --app ${ELEMENT_LOCATION}`, EXEC_ARGS);
+    // });
+    // it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
 
     // SSO
-    it('install app', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
+    it('install app (sso)', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
+    it('can get app info', getAppInfo);
 
-    it('can get app information', getAppInfo);
+    it('can install element-web app (sso)', function () { execSync('cloudron install --appstore-id im.riot.cloudronapp --location ' + ELEMENT_LOCATION, EXEC_ARGS); });
+    it('update element-app config', updateSynapseConfig);
 
-    it('check landing page', checkLandingPage);
+    it('can get Element app info', getElementAppInfo);
-    it('can login', checkLogin);
+    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
-    it('check autojoin', checkAutoJoinRoom);
     it('create room', createRoom);
+    it('can send message', sendMessage);
+    it('can get app info', getAppInfo);
+
+    // it('can restart app', function () { execSync(`cloudron restart ${app.id}`); });
+
+    // it('backup app', function () { execSync(`cloudron backup create --app ${app.id}`, EXEC_ARGS); });
+
+    // it('can get Element app info', getElementAppInfo);
+    // it('is logged in', isLoggedIn);
+    // it('check room', checkRoom);
+    // it('can get app info', getAppInfo);
+
+    // it('restore app', async function () {
+    //     const backups = JSON.parse(execSync(`cloudron backup list --raw --app ${app.id}`));
+
+    //     await browser.get('about:blank');
+    //     execSync(`cloudron uninstall --app ${app.id}`, EXEC_ARGS);
+    //     execSync(`cloudron install --location ${LOCATION}`, EXEC_ARGS);
+
+    //     getAppInfo();
+
+    //     execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS);
+    // });
+
+    it('can get Element app info', getElementAppInfo);
+    it('is logged in', isLoggedIn);
     it('check room', checkRoom);
+    it('can send message', sendMessage);
+    it('can logout', logout);
+    it('can get app info', getAppInfo);
 
-    it('can restart app', function () { execSync('cloudron restart'); });
+    it('move to different location', async function () {
-
-    it('check landing page', checkLandingPage);
-    it('check room', checkRoom);
-
-    it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
-
-    it('check landing page', checkLandingPage);
-    it('check room', checkRoom);
-
-    it('restore app', function () {
-        const backups = JSON.parse(execSync('cloudron backup list --raw'));
-        execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS);
-        execSync('cloudron install --location ' + LOCATION, EXEC_ARGS);
-        getAppInfo();
-        execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS);
-    });
-
-    it('check landing page', checkLandingPage);
-    it('check room', checkRoom);
-
-    it('move to different location', function () {
         browser.manage().deleteAllCookies();
-        execSync('cloudron configure --location ' + LOCATION + '2', EXEC_ARGS);
+        await browser.get('about:blank');
+
+        execSync(`cloudron configure --location ${LOCATION}2`, EXEC_ARGS);
         getAppInfo();
+        // wait when all services are up and running
+        await sleep(15000);
     });
 
-    it('check landing page', checkLandingPage);
+    it('update element-app config', updateSynapseConfig);
-    it('check room', checkRoom);
 
-    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
+    it('can get Element app info', getElementAppInfo);
+    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
+    it('check room', checkRoom);
+    it('can send message', sendMessage);
+
+    it('can logout', logout);
+    it('can get app info', getAppInfo);
+
+    it('uninstall app', async function () {
+        await browser.get('about:blank');
+        execSync(`cloudron uninstall --app ${app.id}`, EXEC_ARGS);
+    });
 
     // test update
-    it('can install app', function () { execSync('cloudron install --appstore-id org.matrix.synapse --location ' + LOCATION, EXEC_ARGS); });
+    it('can install app for update', function () { execSync('cloudron install --appstore-id org.matrix.synapse --location ' + LOCATION, EXEC_ARGS); });
+    it('can get app info', getAppInfo);
+    it('update element-app config', updateSynapseConfig);
 
-    it('can get app information', getAppInfo);
+    it('can get Element app info', getElementAppInfo);
 
-    it('check landing page', checkLandingPage);
+    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
-    it('can login', checkLogin);
+    it('is logged in', isLoggedIn);
     it('create room', createRoom);
+    it('can send message', sendMessage);
+    it('can logout', logout);
+    it('can get app info', getAppInfo);
+
+    it('can update', async function () {
+        await browser.get('about:blank');
+        execSync(`cloudron update --app ${app.id}`, EXEC_ARGS);
+        // wait when all services are up and running
+        await sleep(15000);
+    });
+
+    it('can get Element app info', getElementAppInfo);
+    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
+    it('is logged in', isLoggedIn);
     it('check room', checkRoom);
+    it('can send message', sendMessage);
+    it('can get app info', getAppInfo);
 
-    it('can update', function () { execSync('cloudron update --app ' + LOCATION, EXEC_ARGS); });
+    it('uninstall app', async function () {
+        await browser.get('about:blank');
+        execSync(`cloudron uninstall --app ${app.id}`, EXEC_ARGS);
+    });
 
-    it('check landing page', checkLandingPage);
+    it('uninstall element-web app', function () {
-    it('check room', checkRoom);
+        execSync(`cloudron uninstall --app ${ELEMENT_LOCATION}`, EXEC_ARGS);
-
+    });
-    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
 });