Update package version to 1.123.0

| datasource      | package            | from    | to      |
| --------------- | ------------------ | ------- | ------- |
| github-releases | element-hq/synapse | 1.141.0 | 1.142.0 |

CHANGELOG.md

@@ -1044,3 +1044,461 @@
 * [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.91.1)
 * Fix a performance regression introduced in Synapse 1.91.0 where event persistence would cause an excessive linear growth in CPU usage. (#16220)
 
+[1.75.2]
+* Update Synapse to 1.91.2
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.91.2)
+* Revert MSC3861 introspection cache, admin impersonation and account lock. (#16258)
+
+[1.76.0]
+* Update Synapse to 1.92.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.92.0)
+* Revert MSC3861 introspection cache, admin impersonation and account lock. (#16258)
+* Fix incorrect docstring for Ratelimiter. (#16255)
+
+[1.76.1]
+* Update Synapse to 1.92.2
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.92.2)
+
+[1.76.2]
+* Update Synapse to 1.92.3
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.92.3)
+* Pillow 10.0.1 is now mandatory because of libwebp CVE-2023-4863, since Pillow provides libwebp in the wheels. (#16347)
+
+[1.77.0]
+* Update Synapse to 1.93.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.93.0)
+* GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity  Temporary storage of plaintext passwords during password changes.
+* GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity Improper validation of receipts allows forged read receipts.
+* Add automatic purge after all users have forgotten a room. (#15488)
+* Restore room purge/shutdown after a Synapse restart. (#15488)
+* Support resolving homeservers using matrix-fed DNS SRV records from MSC4040. (#16137)
+* Add the ability to use G (GiB) and T (TiB) suffixes in configuration options that refer to numbers of bytes. (#16219)
+* Add span information to requests sent to appservices. Contributed by MTRNord. (#16227)
+* Add the ability to enable/disable registrations when using CAS. Contributed by Aurélien Grimpard. (#16262)
+* Allow the /notifications endpoint to be routed to workers. (#16265)
+
+[1.78.0]
+* Update base image to 4.2.0
+
+[1.79.0]
+* Update Synapse to 1.94.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.94.0)
+* Render plain, CSS, CSV, JSON and common image formats in the browser (inline) when requested through the /download endpoint. (#15988)
+* Add experimental support for MSC4028 to push all encrypted events to clients. (#16361)
+* Minor performance improvement when sending presence to federated servers. (#16385)
+* Minor performance improvement by caching server ACL checking. (#16360)
+
+[1.80.0]
+* Update Synapse to 1.95.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.95.0)
+* Remove legacy unspecced `knock_state_events` field returned in some responses. (#16403)
+* Fix a bug introduced in Synapse 1.81.0 where an AttributeError would be raised when `_matrix/client/v3/account/whoami` is called over a unix socket. Contributed by @Sir-Photch. (#16404)
+* Properly return inline media when content types have parameters. (#16440)
+* Prevent the purging of large rooms from timing out when Postgres is in use. The timeout which causes this issue was introduced in Synapse 1.88.0. (#16455)
+* Improve the performance of purging rooms, particularly encrypted rooms. (#16457)
+* Fix a bug introduced in Synapse 1.59.0 where servers could be incorrectly marked as available after an error response was received. (#16506)
+
+[1.80.1]
+* Update Synapse to 1.95.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.95.1)
+* GHSA-mp92-3jfm-3575 / CVE-2023-43796 — Moderate Severity
+
+[1.81.0]
+* Update Synapse to 1.96.1
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.96.1)
+* Add experimental support to allow multiple workers to write to receipts stream. (#16432)
+* Add a new module API for controller presence. (#16544)
+* Add a new module API callback that allows adding extra fields to events' unsigned section when sent down to clients. (#16549)
+* Improve the performance of claiming encryption keys. (#16565, #16570)
+
+[1.82.0]
+* Switch LDAP authentication to OIDC login
+
+[1.83.0]
+* Update Synapse to 1.97.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.97.0)
+* Add support for asynchronous uploads as defined by MSC2246. Contributed by @sumnerevans at @beeper. (#15503)
+* Improve the performance of some operations in multi-worker deployments. (#16613, #16616)
+* Fix a long-standing bug where some queries updated the same row twice. Introduced in Synapse 1.57.0. (#16609)
+* Fix a long-standing bug where Synapse would not unbind third-party identifiers for Application Service users when deactivated and would not emit a compliant response. (#16617)
+* Fix sending out of order POSITION over replication, causing additional database load. (#16639)
+
+[1.84.0]
+* Update Synapse to 1.98.0
+* [Full changelog](https://github.com/matrix-org/synapse/releases/tag/v1.98.0)
+* Synapse now declares support for Matrix v1.7, v1.8, and v1.9. (#16707)
+* Add `on_user_login` module API callback for when a user logs in. (#15207)
+* Support MSC4069: Inhibit profile propagation. (#16636)
+* Restore tracking of requests and monthly active users when delegating authentication via MSC3861 to an OIDC provider. (#16672)
+* Add an autojoin setting for server notices rooms, so users may be joined directly instead of receiving an invite. (#16699)
+* Follow redirects when downloading media over federation (per MSC3860). (#16701)
+
+[1.85.0]
+* Update public suffix list as part of the base image to get the latest domains
+
+[1.86.0]
+* Update Synapse to 1.99.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.99.0)
+* Add config options to set the avatar and the topic of the server notices room, as well as the avatar of the server notices user. (\https://github.com/element-hq/synapse/issues/16679)
+* Add config option email.notif_delay_before_mail to tweak the delay before an email is sent following a notification. (\https://github.com/element-hq/synapse/issues/16696)
+* Add new configuration option sentry.environment for improved system monitoring. Contributed by @zeeshanrafiqrana. (\https://github.com/element-hq/synapse/issues/16738)
+* Filter out rooms from the room directory being served to other homeservers when those rooms block that homeserver by their Access Control Lists. (\https://github.com/element-hq/synapse/pull/16759)
+* Fix a long-standing bug where the signing keys generated by Synapse were world-readable. Contributed by Fabian Klemp. (\https://github.com/element-hq/synapse/issues/16740)
+* Fix email verification redirection. Contributed by Fadhlan Ridhwanallah. (\https://github.com/element-hq/synapse/pull/16761)
+* Fixed a bug that prevented users from being queried by display name if it contains non-ASCII characters. (\https://github.com/element-hq/synapse/pull/16767)
+* Allow reactivate user without password with Admin API in some edge cases. (\https://github.com/element-hq/synapse/pull/16770)
+* Adds the recursion_depth parameter to the response of the /relations endpoint if MSC3981 recursion is being performed. (\https://github.com/element-hq/synapse/pull/16775)
+* Added version picker for Synapse documentation. Contributed by @Dmytro27Ind. (\https://github.com/element-hq/synapse/issues/16533)
+* Clarify that password_config.enabled: "only_for_reauth" does not allow new logins to be created using password auth. (\https://github.com/element-hq/synapse/issues/16737)
+* Remove value from header in configuration documentation for refresh_token_lifetime. (\https://github.com/element-hq/synapse/pull/16763)
+* Add another custom statistics collection server to the documentation. Contributed by @loelkes. (\https://github.com/element-hq/synapse/pull/16769)
+* Remove run-once workflow after adding the version picker to the documentation. (\https://github.com/element-hq/synapse/pull/9453)
+* Update the implementation of [MSC2965](matrix-org/matrix-spec-proposals#2965) (OIDC Provider discovery). (\https://github.com/element-hq/synapse/issues/16726)
+* Move the rust stubs inline for better IDE integration. (\https://github.com/element-hq/synapse/pull/16757)
+* Fix sample config doc CI. (\https://github.com/element-hq/synapse/pull/16758)
+* Simplify event internal metadata class. (\https://github.com/element-hq/synapse/pull/16762, \https://github.com/element-hq/synapse/pull/16780)
+* Sign the published docker image using cosign. (\https://github.com/element-hq/synapse/pull/16774)
+* Port EventInternalMetadata class to Rust. (\https://github.com/element-hq/synapse/pull/16782)
+* Bump actions/setup-go from 4 to 5. (\https://github.com/element-hq/synapse/issues/16749)
+* Bump actions/setup-python from 4 to 5. (\https://github.com/element-hq/synapse/issues/16748)
+* Bump immutabledict from 3.0.0 to 4.0.0. (\https://github.com/element-hq/synapse/issues/16743)
+* Bump isort from 5.12.0 to 5.13.0. (\https://github.com/element-hq/synapse/issues/16745)
+* Bump isort from 5.13.0 to 5.13.1. (\https://github.com/element-hq/synapse/issues/16752)
+* Bump pydantic from 2.5.1 to 2.5.2. (\https://github.com/element-hq/synapse/issues/16747)
+* Bump ruff from 0.1.6 to 0.1.7. (\https://github.com/element-hq/synapse/issues/16746)
+* Bump types-setuptools from 68.2.0.2 to 69.0.0.0. (\https://github.com/element-hq/synapse/issues/16744)
+
+[1.87.0]
+* Update Synapse to 1.100.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.100.0)
+* Fix database performance regression due to changing Postgres table statistics. Introduced in v1.100.0rc1. (#16849)
+* Advertise experimental support for MSC4028 through /matrix/clients/versions if enabled. Contributed by @hanadi92. (#16787)
+* Handle wildcard type filters properly for room messages endpoint. Contributed by Mo Balaa. (#14984)
+
+[1.88.0]
+* Update Synapse to 1.101.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.101.0)
+* Add support for stabilised MSC3981 that adds a recurse parameter on the /relations API. (#16842)
+* Fix performance regression when fetching auth chains from the DB. Introduced in v1.100.0. (#16893)
+
+[1.89.0]
+* Update Synapse to 1.102.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.102.0)
+* A metric was added for emails sent by Synapse, broken down by type: `synapse_emails_sent_total`. Contributed by Remi Rampin. (#16881)
+* Do not send multiple concurrent requests for keys for the same server. (#16894)
+* Fix performance issue when joining very large rooms that can cause the server to lock up. Introduced in v1.100.0. (#16903)
+* Always prefer unthreaded receipt when >1 exist (MSC4102). (#16927)
+
+[1.90.0]
+* Update Synapse to 1.103.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.103.0)
+* Add a new List Accounts v3 Admin API with improved deactivated user filtering capabilities. (#16874)
+* Include Retry-After header by default per MSC4041. Contributed by @clokep. (#16947)
+* Fix joining remote rooms when a module uses the `on_new_event` callback. This callback may now pass partial state events instead of the full state for remote rooms. Introduced in v1.76.0. (#16973)
+* Fix performance issue when joining very large rooms that can cause the server to lock up. Introduced in v1.100.0. Contributed by @ggogel. (#16968)
+
+[1.91.0]
+* Update Synapse to 1.104.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.104.0)
+* Fix regression when using OIDC provider. Introduced in v1.104.0rc1. (#17031)
+* Add an OIDC config to specify extra parameters for the authorization grant URL. IT can be useful to pass an ACR value for example. (#16971)
+* Add support for OIDC provider returning JWT. (#16972, #17031)
+* Fix a bug which meant that, under certain circumstances, we might never retry sending events or to-device messages over federation after a failure. (#16925)
+* Fix various long-standing bugs which could cause incorrect state to be returned from /sync in certain situations. (#16949)
+* Fix case in which m.fully_read marker would not get updated. Contributed by @SpiritCroc. (#16990)
+* Fix bug which did not retract a user's pending knocks at rooms when their account was deactivated. Contributed by @hanadi92. (#17010)
+
+[1.91.1]
+* Update Synapse to 1.105.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.105.0)
+* Stabilize support for MSC4010 which clarifies the interaction of push rules and account data. Contributed by @clokep. (#17022)
+* Stabilize support for MSC3981: /relations recursion. Contributed by @clokep. (#17023)
+* Add support for moving /pushrules off of main process. (#17037, #17038)
+* Fix various long-standing bugs which could cause incorrect state to be returned from /sync in certain situations. (#16930, #16932, #16942, #17064, #17065, #17066)
+* Fix server notice rooms not always being created as unencrypted rooms, even when encryption_enabled_by_default_for_room_type is in use (server notices are always unencrypted). (#17033)
+* Fix the .m.rule.encrypted_room_one_to_one and .m.rule.room_one_to_one default underride push rules being in the wrong order. Contributed by @Sumpy1. (#17043)
+
+[1.91.2]
+* Update Synapse to 1.105.1
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.105.1)
+* GHSA-3h7q-rfh9-xm4v / CVE-2024-31208 — High Severity . Weakness in auth chain indexing allows DoS from remote room members through disk fill and high CPU usage.
+
+[1.92.0]
+* Update Synapse to 1.106.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.106.0)
+* Send an email if the address is already bound to an user account. (#16819)
+* Implement the rendezvous mechanism described by MSC4108. (#17056)
+* Support delegating the rendezvous mechanism described MSC4108 to an external implementation. (#17086)
+* Add validation to ensure that the limit parameter on /publicRooms is non-negative. (#16920)
+* Return 400 M_NOT_JSON upon receiving invalid JSON in query parameters across various client and admin endpoints, rather than an internal server error. (#16923)
+* Make the CSAPI endpoint /keys/device_signing/upload idempotent. (#16943)
+* Redact membership events if the user requested erasure upon deactivating. (#17076)
+
+[1.93.0]
+* Update Synapse to 1.107.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.107.0)
+
+[1.94.0]
+* Update Synapse to 1.108.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.108.0)
+* Add a feature that allows clients to query the configured federation whitelist. Disabled by default. (#16848, #17199)
+* Add the ability to allow numeric user IDs with a specific prefix when in the CAS flow. Contributed by Aurélien Grimpard. (#17098)
+* Fix bug where push rules would be empty in /sync for some accounts. Introduced in v1.93.0. (#17142)
+* Add support for optional whitespace around the Federation API's Authorization header's parameter commas. (#17145)
+* Fix bug where disabling room publication prevented public rooms being created on workers. (#17177, #17184)
+
+[1.95.0]
+* Update Synapse to 1.109.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.109.0)
+
+[1.96.0]
+* Update Synapse to 1.110.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.110.0)
+
+[1.97.0]
+* Update Synapse to 1.111.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.111.0)
+
+[1.97.1]
+* Update Synapse to 1.111.1
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.111.1)
+
+[1.97.2]
+* Update Synapse to 1.112.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.112.0)
+
+[1.97.3]
+* Update Synapse to 1.113.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.113.0)
+
+[1.97.4]
+* Update Synapse to 1.114.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.114.0)
+
+[1.97.5]
+* Update Synapse to 1.115.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.115.0)
+
+[1.97.6]
+* Update Synapse to 1.116.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.116.0)
+
+[1.98.0]
+* Update Synapse to 1.118.0
+* [Full changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
+
+[1.98.1]
+* Update S3 Storage Provider to 1.5.0
+[1.99.0]
+* Update synapse to 1.119.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
+* Support [MSC4151](https://github.com/matrix-org/matrix-spec-proposals/pull/4151)'s stable report room API. ([#​17374](https://github.com/element-hq/synapse/issues/17374))
+* Add experimental support for [MSC4222](https://github.com/matrix-org/matrix-spec-proposals/pull/4222) (Adding `state_after` to sync v2). ([#​17888](https://github.com/element-hq/synapse/issues/17888))
+* Fix bug with sliding sync where `$LAZY`-loading room members would not return `required_state` membership in incremental syncs. ([#​17809](https://github.com/element-hq/synapse/issues/17809))
+* Check if user has membership in a room before tagging it. Contributed by Lama Alosaimi. ([#​17839](https://github.com/element-hq/synapse/issues/17839))
+* Fix a bug in the admin redact endpoint where the background task would not run if a worker was specified in
+* Fix bug where some presence and typing timeouts can expire early. ([#​17850](https://github.com/element-hq/synapse/issues/17850))
+* Fix detection when the built Rust library was outdated when using source installations. ([#​17861](https://github.com/element-hq/synapse/issues/17861))
+* Fix a long-standing bug in Synapse which could cause one-time keys to be issued in the incorrect order, causing message decryption failures. ([#​17903](https://github.com/element-hq/synapse/pull/17903))
+* Fix experimental support for [MSC4222](https://github.com/matrix-org/matrix-spec-proposals/pull/4222) (Adding `state_after` to sync v2) where we would return the full state on incremental syncs when using lazy loaded members and there were no new events in the timeline. ([#​17915](https://github.com/element-hq/synapse/pull/17915))
+* Remove support for python 3.8. ([#​17908](https://github.com/element-hq/synapse/issues/17908))
+* Add a test for downloading and thumbnailing a CMYK JPEG. ([#​17786](https://github.com/element-hq/synapse/issues/17786))
+* Refactor database calls to remove `Generator` usage. ([#​17813](https://github.com/element-hq/synapse/issues/17813), [#​17814](https://github.com/element-hq/synapse/issues/17814), [#​17815](https://github.com/element-hq/synapse/issues/17815), [#​17816](https://github.com/element-hq/synapse/issues/17816), [#​17817](https://github.com/element-hq/synapse/issues/17817), [#​17818](https://github.com/element-hq/synapse/issues/17818), [#​17890](https://github.com/element-hq/synapse/issues/17890))
+* Include the destination in the error of 'Destination mismatch' on federation requests. ([#​17830](https://github.com/element-hq/synapse/issues/17830))
+* The nix flake inside the repository no longer tracks nixpkgs/master to not catch the latest bugs from a MR merged 5 minutes ago. ([#​17852](https://github.com/element-hq/synapse/issues/17852))
+* Minor speed-up of sliding sync by computing extensions results in parallel. ([#​17884](https://github.com/element-hq/synapse/issues/17884))
+* Bump the default Python version in the Synapse Dockerfile from 3.11 -> 3.12. ([#​17887](https://github.com/element-hq/synapse/issues/17887))
+* Remove usage of internal header encoding API. ([#​17894](https://github.com/element-hq/synapse/issues/17894))
+* Use unique name for each os.arch variant when uploading Wheel artifacts. ([#​17905](https://github.com/element-hq/synapse/issues/17905))
+* Fix tests to run with latest Twisted. ([#​17906](https://github.com/element-hq/synapse/pull/17906), [#​17907](https://github.com/element-hq/synapse/pull/17907), [#​17911](https://github.com/element-hq/synapse/pull/17911))
+* Update version constraint to allow the latest poetry-core 1.9.1. ([#​17902](https://github.com/element-hq/synapse/pull/17902))
+* Update the portdb CI to use Python 3.13 and Postgres 17 as latest dependencies. ([#​17909](https://github.com/element-hq/synapse/pull/17909))
+* Add an index to `current_state_delta_stream` table. ([#​17912](https://github.com/element-hq/synapse/issues/17912))
+* Fix building and attaching release artifacts during the release process. ([#​17921](https://github.com/element-hq/synapse/issues/17921))
+
+[1.100.0]
+* Update synapse to 1.120.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
+* Fix a bug introduced in Synapse v1.120rc1 which would cause the newly-introduced `delete_old_otks` job to fail in worker-mode deployments. ([#​17960](https://github.com/element-hq/synapse/issues/17960))
+
+[1.100.1]
+* Update synapse to 1.120.2
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.118.0)
+
+[1.101.0]
+* Update synapse to 1.121.1
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.121.0)
+* Support for MSC4190: device management for Application Services. (#17705)
+* Update MSC4186 Sliding Sync to include invite, ban, kick, targets when $LAZY-loading room members. (#17947)
+* Use stable M_USER_LOCKED error code for locked accounts, as per Matrix 1.12. (#17965)
+* MSC4076: Add disable_badge_count to pusher configuration. (#17975)
+
+
+[1.101.1]
+* CLOUDRON_OIDC_PROVIDER_NAME implemented
+
+[1.102.0]
+* Update synapse to 1.122.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.122.0)
+
+[1.103.0]
+* Update synapse to 1.123.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.123.0)
+
+[1.104.0]
+* Update synapse to 1.124.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.124.0)
+
+[1.105.0]
+* Update synapse to 1.125.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.125.0)
+* Add functionality to be able to use multiple values in SSO feature attribute_requirements. (#17949)
+* Add experimental config options admin_token_path and client_secret_path for MSC3861. (#18004)
+* Add get_current_time_msec() method to the module API for sound time comparisons with Synapse. (#18144)
+* Update the response when a client attempts to add an invalid email address to the user's account from a 500, to a 400 with error text. (#18125)
+* Fix user directory search when using a legacy module with a check_username_for_spam callback. Broke in v1.122.0. (#18135)
+
+[1.106.0]
+* Update synapse to 1.126.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.126.0)
+* Define ratelimit configuration for delayed event management. (#18019)
+* Add form_secret_path config option. (#18090)
+* Add the --no-secrets-in-config command line option. (#18092)
+* Add background job to clear unreferenced state groups. (#18154)
+* Add support for specifying/overriding id_token_signing_alg_values_supported for an OpenID identity provider. (#18177)
+* Add worker_replication_secret_path config option. (#18191)
+* Add support for specifying/overriding redirect_uri in the authorization and token requests against an OpenID identity provider. (#18197)
+
+[1.107.0]
+* Update base image to 5.0.0
+
+[1.108.0]
+* Update synapse to 1.127.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.127.0)
+* Update MSC4140 implementation to no longer cancel a user's own delayed state events with an event type & state key that match a more recent state event sent by that user. (#17810)
+* Fixed a minor typo in the Synapse documentation. Contributed by @karuto12. (#18224)
+* Remove undocumented SYNAPSE_USE_FROZEN_DICTS environment variable. (#18123)
+* Fix detection of workflow failures in the release script. (#18211)
+* Add caching support to media endpoints. (#18235)
+
+[1.108.1]
+* Update synapse to 1.127.1
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.127.1)
+* Fix CVE-2025-30355 / GHSA-v56r-hwv5-mxg6. High severity vulnerability affecting federation. The vulnerability has been exploited in the wild.
+
+[1.109.0]
+* Update synapse to 1.128.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.128.0)
+* Add an access token introspection cache to make Matrix Authentication Service integration (MSC3861) more efficient. (#18231)
+* Add background job to clear unreferenced state groups. (#18254)
+* Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. (#18277, #18302, #18296)
+
+[1.110.0]
+* Update synapse to 1.129.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.129.0)
+
+[1.111.0]
+* Update synapse to 1.130.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.130.0)
+* Fix startup being blocked on creating a new index that was introduced in v1.130.0rc1. ([#​18439](https://github.com/element-hq/synapse/issues/18439))
+* Fix the ordering of local messages in rooms that were affected by [GHSA-v56r-hwv5-mxg6](https://github.com/advisories/GHSA-v56r-hwv5-mxg6). ([#​18447](https://github.com/element-hq/synapse/issues/18447))
+
+[1.112.0]
+* Update synapse to 1.131.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.131.0)
+
+[1.113.0]
+* Update synapse to 1.132.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.132.0)
+
+[1.114.0]
+* Update synapse to 1.133.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.133.0)
+* Pre-built wheels are now built using the manylinux\_2\_28 base, which is expected to be compatible with distros using glibc 2.28 or later, including:
+* Previously, wheels were built using the manylinux2014 base, which was expected to be compatible with distros using glibc 2.17 or later.
+* Bump `cibuildwheel` to 3.0.0 to fix the `manylinux` wheel builds. ([#​18615](https://github.com/element-hq/synapse/issues/18615))
+
+[1.115.0]
+* Update synapse to 1.134.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.134.0)
+
+[1.116.0]
+* Update synapse to 1.135.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.135.0)
+
+[1.116.1]
+* Update synapse to 1.135.2
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.135.2)
+* Fix invalidation of storage cache that was broken in 1.135.0. ([#​18786](https://github.com/element-hq/synapse/issues/18786))
+* Add a parameter to `upgrade_rooms(..)` to allow auto join local users. ([#​82](https://github.com/element-hq/synapse/issues/82))
+* Speed up upgrading a room with large numbers of banned users. ([#​18574](https://github.com/element-hq/synapse/issues/18574))
+
+[1.117.0]
+* Update synapse to 1.136.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.136.0)
+* Fix bug introduced in 1.135.2 and 1.136.0rc2 where the [Make Room Admin API](https://element-hq.github.io/synapse/latest/admin_api/rooms.html#make-room-admin-api) would not treat a room v12's creator power level as the highest in room. ([#​18805](https://github.com/element-hq/synapse/issues/18805))
+
+[1.118.0]
+* Update synapse to 1.137.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.137.0)
+* Fix a bug which could corrupt auth chains making it impossible to perform state resolution. (#18746)
+* Fix error message in register_new_matrix_user utility script for empty registration_shared_secret. (#18780)
+* Allow enabling MSC4108 when the stable Matrix Authentication Service integration is enabled. (#18832)
+* Include IPv6 networks in denied-peer-ips of coturn setup. Contributed by @litetex. (#18781)
+
+[1.119.0]
+* Update synapse to 1.138.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.138.0)
+* Support for the stable endpoint and scopes of [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) & co. ([\#18549](https://github.com/element-hq/synapse/issues/18549))
+* Improve database performance of [MSC4293](https://github.com/matrix-org/matrix-spec-proposals/pull/4293) - Redact on Kick/Ban. ([\#18851](https://github.com/element-hq/synapse/issues/18851))
+* Do not throw an error when fetching a rejected delayed state event on startup. ([\#18858](https://github.com/element-hq/synapse/issues/18858))
+* Fix worker documentation incorrectly indicating all room Admin API requests were capable of being handled by workers. ([\#18853](https://github.com/element-hq/synapse/issues/18853))
+* Instrument `_ByteProducer` with tracing to measure potential dead time while writing bytes to the request. ([\#18804](https://github.com/element-hq/synapse/issues/18804))
+* Switch to OpenTracing's `ContextVarsScopeManager` instead of our own custom `LogContextScopeManager`. ([\#18849](https://github.com/element-hq/synapse/issues/18849))
+* Trace how much work is being done while "recursively fetching redactions". ([\#18854](https://github.com/element-hq/synapse/issues/18854))
+* Link [upstream Twisted bug](https://github.com/twisted/twisted/issues/12498) tracking the problem that explains why we have to use a `Producer` to write bytes to the request. ([\#18855](https://github.com/element-hq/synapse/issues/18855))
+* Introduce `EventPersistencePair` type. ([\#18857](https://github.com/element-hq/synapse/issues/18857))
+
+[1.119.1]
+* Update synapse to 1.138.2
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.138.2)
+* Drop support for Ubuntu 24.10 Oracular Oriole, and add support for Ubuntu 25.04 Plucky Puffin. This change was applied on top of 1.138.1. ([#​18962](https://github.com/element-hq/synapse/issues/18962))
+
+[1.120.0]
+* Update synapse to 1.139.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.139.0)
+* /register requests from old application service implementations may break when using MAS
+
+[1.120.1]
+* Update synapse to 1.139.1
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.139.1)
+* Fix [CVE-2025-61672](https://www.cve.org/CVERecord?id=CVE-2025-61672) / [GHSA-fh66-fcv5-jjfr](https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr). Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. ([#17097](https://github.com/element-hq/synapse/issues/17097))
+* Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([#18996](https://github.com/element-hq/synapse/issues/18996))
+
+[1.120.2]
+* Update synapse to 1.139.2
+
+[1.120.3]
+* Update synapse-s3-storage-provider to 1.6.0
+
+[1.121.0]
+* Update synapse to 1.140.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.140.0)
+* Add a new Media Query by ID Admin API that allows server admins to query and investigate the metadata of local or cached remote media via the origin/media_id identifier found in a Matrix Content URI. (#18911)
+* Add a new Fetch Event Admin API to fetch an event by ID. (#18963)
+* Update MSC4284: Policy Servers implementation to support signatures when available. (#18934)
+* Add experimental implementation of the GET /_matrix/client/v1/rtc/transports endpoint for the latest draft of MSC4143: MatrixRTC. (#18967)
+* Expose a defer_to_threadpool function in the Synapse Module API that allows modules to run a function on a separate thread in a custom threadpool. (#19032)
+
+[1.122.0]
+* Update synapse to 1.141.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.141.0)
+
+[1.123.0]
+* Update synapse to 1.142.0
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.142.0)
+* Dropped support for Python 3.9
+* SQLite 3.40.0+ is now required
+* Deprecation of MacOS Python wheels
+* Properly stop building wheels for Python 3.9 and free-threaded CPython. ([#19154](https://github.com/element-hq/synapse/issues/19154))
+

CloudronManifest.json

@@ -5,33 +5,57 @@
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG.md",
   "tagline": "Secure & decentralized communication",
-  "version": "1.75.1",
-  "upstreamVersion": "1.91.1",
+  "version": "1.123.0",
+  "upstreamVersion": "1.142.0",
   "healthCheckPath": "/",
   "httpPort": 8008,
   "memoryLimit": 536870912,
   "addons": {
     "localstorage": {},
-    "ldap": {},
+    "oidc": {
+      "loginRedirectUri": "/_synapse/client/oidc/callback"
+    },
     "postgresql": {},
-    "sendmail": { "supportsDisplayName": true },
-    "turn": { "optional": true }
+    "sendmail": {
+      "supportsDisplayName": true
+    },
+    "turn": {
+      "optional": true
+    }
   },
   "manifestVersion": 2,
   "website": "https://matrix.org",
   "contactEmail": "support@cloudron.io",
   "icon": "file://logo.png",
   "tags": [
-    "im", "collaboration", "voip", "videochat", "chat", "slack", "zulip", "federated"
+    "im",
+    "collaboration",
+    "voip",
+    "videochat",
+    "chat",
+    "slack",
+    "zulip",
+    "federated",
+    "element",
+    "riot"
   ],
   "mediaLinks": [
     "https://screenshots.cloudron.io/org.matrix.synapse/1.png",
     "https://screenshots.cloudron.io/org.matrix.synapse/2.png",
     "https://screenshots.cloudron.io/org.matrix.synapse/3.png"
   ],
+  "checklist": {
+    "configure-federation": {
+      "message": "For federation to work, the delegation URI `https://$CLOUDRON-APP-DOMAIN/.well-known/matrix/server` must be configured. See the [docs](https://docs.cloudron.io/apps/synapse/#post-installation) on how to do this."
+    },
+    "registration-enabled-without-verification": {
+      "message": "Registration is enabled but verification is disabled. See [docs](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=registration_require#enable_registration) for more information",
+      "sso": false
+    }
+  },
   "postInstallMessage": "file://POSTINSTALL.md",
-  "minBoxVersion": "7.5.1",
+  "minBoxVersion": "8.2.0",
   "forumUrl": "https://forum.cloudron.io/category/50/matrix-synapse-riot",
-  "documentationUrl": "https://docs.cloudron.io/apps/synapse/",
+  "documentationUrl": "https://docs.cloudron.io/packages/synapse/",
   "optionalSso": true
 }

Dockerfile

@@ -1,31 +1,27 @@
-FROM cloudron/base:4.0.0@sha256:31b195ed0662bdb06a6e8a5ddbedb6f191ce92e8bee04c03fb02dd4e9d0286df
+FROM cloudron/base:5.0.0@sha256:04fd70dbd8ad6149c19de39e35718e024417c3e01dc9c6637eaf4a41ec4e596c
 
 RUN mkdir -p /app/pkg
 
 WORKDIR /app/code
 
-# https://pythonspeed.com/articles/activate-virtualenv-dockerfile/
-RUN virtualenv -p python3 /app/code/env
-ENV VIRTUAL_ENV=/app/code/env
-ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+# https://github.com/element-hq/synapse/blob/master/docs/setup/installation.md?plain=1#L202
+RUN python3 -m venv /app/code/env
 
-ARG VERSION=1.91.1
+# renovate: datasource=github-releases depName=element-hq/synapse versioning=semver extractVersion=^v(?<version>.+)$
+ARG SYNAPSE_VERSION=1.142.0
 
-# https://github.com/matrix-org/synapse-s3-storage-provider
-ARG STORAGE_PROVIDER_VERSION=1beb6af95e1f5caedb8e6e7e1cc176cdb2106d37
+# renovate: datasource=github-releases depName=matrix-org/synapse-s3-storage-provider versioning=semver extractVersion=^v(?<version>.+)$
+ARG S3PROVIDER_VERSION=1.6.0
 
 # Synapse (https://github.com/matrix-org/synapse/blob/master/INSTALL.md)
 # lxml - required for previews
-RUN pip install --upgrade pip && \
-    pip install --upgrade setuptools && \
-    pip install matrix-synapse==v${VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml publicsuffix2 git+https://github.com/matrix-org/synapse-s3-storage-provider.git@${STORAGE_PROVIDER_VERSION} matrix-synapse[oidc]
+RUN source /app/code/env/bin/activate && \
+    pip3 install --no-cache-dir matrix-synapse==v${SYNAPSE_VERSION} psycopg2-binary python-ldap matrix-synapse-ldap3 lxml publicsuffix2 git+https://github.com/matrix-org/synapse-s3-storage-provider.git@v${S3PROVIDER_VERSION} matrix-synapse[oidc]
 
-# workaround (https://github.com/matrix-org/synapse/issues/15873) . remove after 1.87.0
-RUN sed -e "s/Image.ANTIALIAS/Image.LANCZOS/" -i /app/code/env/lib/python3.10/site-packages/synapse/media/thumbnailer.py
+# Updated suffix list
+RUN curl -L https://publicsuffix.org/list/public_suffix_list.dat -o /app/code/env/lib/python3.12/site-packages/publicsuffix2/public_suffix_list.dat
 
-RUN ln -sf /app/data/index.html /app/code/env/lib/python3.10/site-packages/synapse/static/index.html
-
-RUN chown -R cloudron.cloudron /app/code
+RUN ln -sf /app/data/index.html /app/code/env/lib/python3.12/site-packages/synapse/static/index.html
 
 ADD index.html homeserver.yaml.template start.sh /app/pkg/
 

POSTINSTALL.md

@@ -1,6 +1,2 @@
 Account ids are created with the username and the second level domain under which the
 app is installed e.g. `@$CLOUDRON-USERNAME:$CLOUDRON-APP-DOMAIN`.
-
-For federation to work, the delegation URI `https://$CLOUDRON-APP-DOMAIN/.well-known/matrix/server`
-must be configured. See the [docs](https://docs.cloudron.io/apps/synapse/#post-installation) on how to do this.
-

homeserver.yaml.template

@@ -1,4 +1,4 @@
-# https://github.com/matrix-org/synapse/blob/master/docs/sample_config.yaml
+# https://github.com/element-hq/synapse/blob/master/docs/sample_config.yaml
 
 # if you change this, change the auto_join_rooms below as well
 server_name: "example.com"
@@ -13,7 +13,6 @@ listeners:
     type: http
     x_forwarded: true
     bind_addresses: ['0.0.0.0']
-
     resources:
       - names: [client,federation]
         compress: false
@@ -21,7 +20,6 @@ listeners:
 database:
   name: "psycopg2"
   args:
-    # Path to the database
     user: ${POSTGRESQL_USERNAME}
     password: ${POSTGRESQL_PASSWORD}
     database: ${POSTGRESQL_DATABASE}
@@ -29,6 +27,17 @@ database:
     cp_min: 5
     cp_max: 10
 
+log_config: "/app/data/configs/log.config"
+media_store_path: "/app/data/data/media_store"
+registration_shared_secret: "some_shared_secret"
+report_stats: false
+macaroon_secret_key: "some_macaroon_secret"
+form_secret: "some_form_secret"
+signing_key_path: "/app/data/configs/signing.key"
+trusted_key_servers:
+  - server_name: "matrix.org"
+
+## Cloudron packaging
 email:
     smtp_host: mail.server
     smtp_port: 587
@@ -40,74 +49,37 @@ email:
     enable_notifs: true
     notif_for_new_users: true
 
-password_providers:
-    - module: "synapse.util.ldap_auth_provider.LdapAuthProvider"
-      config:
-        enabled: true
-        uri: "ldap://ldap.example.com:389"
-        start_tls: true
-        base: "ou=users,dc=example,dc=com"
-        attributes:
-           uid: "username"
-           mail: "mail"
-           name: "username"
-        bind_dn: "ou=users,dc=cloudron"
-        bind_password: "password"
-        filter: "(objectClass=posixAccount)"
-
 # turn
 turn_uris: []
 turn_shared_secret: "sharedsecret"
 turn_allow_guests: true
 
-federation_ip_range_blacklist:
-  - '127.0.0.0/8'
-  - '10.0.0.0/8'
-  - '172.16.0.0/12'
-  - '192.168.0.0/16'
-  - '100.64.0.0/10'
-  - '169.254.0.0/16'
-  - '::1/128'
-  - 'fe80::/64'
-  - 'fc00::/7'
-
+# sso (https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#single-sign-on-integration)
 enable_registration: false
+# without this, registration requires one of email/captcha/token verification
 enable_registration_without_verification: true
-registration_shared_secret: "somesecret"
-allow_guest_access: false
 
-enable_group_creation: true
-
-report_stats: False
-
-signing_key_path: "/app/data/configs/signing.key"
-
-url_preview_enabled: true
-url_preview_ip_range_blacklist:
-  - '127.0.0.0/8'
-  - '10.0.0.0/8'
-  - '172.16.0.0/12'
-  - '192.168.0.0/16'
-  - '100.64.0.0/10'
-  - '169.254.0.0/16'
-  - '::1/128'
-  - 'fe80::/64'
-  - 'fc00::/7'
-
-media_store_path: "/app/data/data/media_store"
-max_upload_size: 200M
-max_image_pixels: "32M"
-dynamic_thumbnails: false
-
-autocreate_auto_join_rooms: true
-auto_join_rooms:
-  - "#discuss:example.com"
-
-trusted_key_servers:
-  - server_name: "matrix.org"
-suppress_key_server_warning: true
+oidc_providers:
+  - idp_id: cloudron
+    idp_name: "CLOUDRON_OIDC_PROVIDER_NAME"
+    issuer: "CLOUDRON_OIDC_ISSUER"
+    client_id: "CLOUDRON_OIDC_CLIENT_ID"
+    client_secret: "CLOUDRON_OIDC_CLIENT_SECRET"
+    scopes: ["openid", "profile", "email"]
+    authorization_endpoint: "CLOUDRON_OIDC_AUTH_ENDPOINT"
+    token_endpoint: "CLOUDRON_OIDC_TOKEN_ENDPOINT"
+    userinfo_endpoint: "CLOUDRON_OIDC_AUTH_ENDPOINT"
+    allow_existing_users: true
+    enable_registration: true
+    backchannel_logout_enabled: false
+    user_mapping_provider:
+      config:
+        localpart_template: "{{ user.sub }}"
+        display_name_template: "{{ user.name }}"
+        email_template: "{{ user.email }}"
 
 password_config:
-   enabled: true
-   localdb_enabled: false
+    enabled: false
+    localdb_enabled: false
+    pepper: "some_pepper_secret"
 

logo.svg

@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg:svg
+   width="92"
+   height="92"
+   viewBox="0 0 92 92"
+   version="1.1"
+   id="svg5"
+   sodipodi:docname="logo.svg"
+   inkscape:version="1.4.2 (ebf0e940d0, 2025-05-08)"
+   inkscape:export-filename="logo.png"
+   inkscape:export-xdpi="534.26086"
+   inkscape:export-ydpi="534.26086"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <svg:defs
+     id="defs5" />
+  <sodipodi:namedview
+     id="namedview5"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:zoom="3.5066667"
+     inkscape:cx="34.93346"
+     inkscape:cy="46.340304"
+     inkscape:window-width="1280"
+     inkscape:window-height="654"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="matrix-logo-white" />
+  <!-- Generator: Sketch 55 (78076) - https://sketchapp.com -->
+  <svg:title
+     id="title1">matrix logo white</svg:title>
+  <svg:desc
+     id="desc1">Created with Sketch.</svg:desc>
+  <svg:g
+     id="Page-1"
+     stroke="none"
+     stroke-width="1"
+     fill="none"
+     fill-rule="evenodd"
+     style="fill:#000000">
+    <svg:g
+       id="matrix-logo-white"
+       fill="#FFFFFF"
+       fill-rule="nonzero"
+       style="fill:#000000">
+      <svg:g
+         id="g5"
+         transform="matrix(1.1943286,0,0,1.1943286,1.1945584,26.901573)"
+         style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none">
+        <svg:polygon
+           id="Path"
+           points="0.93631479,31.249567 3.1294248,31.249567 3.1294248,31.981769 0.094721871,31.981769 0.094721871,9.495549e-05 3.1294248,9.495549e-05 3.1294248,0.73220178 0.93631479,0.73220178 "
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:path
+           d="m 9.3857143,10.406647 v 1.544356 h 0.0439 c 0.4113148,-0.587869 0.9067317,-1.04432 1.4871047,-1.367929 0.579994,-0.323038 1.244849,-0.485222 1.993711,-0.485222 0.719469,0 1.376833,0.140059 1.971523,0.419228 0.59488,0.279644 1.046587,0.772083 1.355025,1.478172 0.337548,-0.49994 0.796461,-0.941293 1.376834,-1.323679 0.579993,-0.382196 1.266561,-0.573721 2.059797,-0.573721 0.602181,0 1.159988,0.07369 1.674463,0.220771 0.513717,0.147086 0.95433,0.382386 1.321555,0.705899 0.366846,0.323799 0.653192,0.746635 0.859229,1.268321 0.205468,0.522635 0.308439,1.15105 0.308439,1.88667 v 7.633092 l -3.128382,-9.5e-5 v -6.464 c 0,-0.382196 -0.0146,-0.742551 -0.04409,-1.081068 -0.02968,-0.338041 -0.110082,-0.632024 -0.242257,-0.882421 -0.132269,-0.249828 -0.327117,-0.44857 -0.583786,-0.595751 -0.257048,-0.146516 -0.605973,-0.220487 -1.046492,-0.220487 -0.440518,0 -0.796744,0.08508 -1.068489,0.253626 -0.271934,0.169401 -0.484703,0.390173 -0.63878,0.661935 -0.154172,0.272427 -0.257048,0.581128 -0.308344,0.926956 -0.05167,0.345448 -0.07718,0.694884 -0.07718,1.047834 v 6.353471 h -3.128097 v -6.397626 c 0,-0.338231 -0.0077,-0.672949 -0.02181,-1.003679 -0.01498,-0.33111 -0.07718,-0.636202 -0.187547,-0.915846 -0.110177,-0.279169 -0.293837,-0.503644 -0.55079,-0.673045 -0.257048,-0.168545 -0.635177,-0.253626 -1.134482,-0.253626 -0.147061,0 -0.341625,0.03314 -0.583692,0.09951 -0.242351,0.06618 -0.477497,0.19143 -0.704962,0.374979 -0.227939,0.184024 -0.4223133,0.44876 -0.5838809,0.794113 -0.1616625,0.345828 -0.2423515,0.797816 -0.2423515,1.356629 v 6.618492 l -3.1280025,9.5e-5 V 10.406647 Z"
+           id="path1"
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:path
+           d="m 25.841719,12.083561 c 0.322851,-0.485508 0.734261,-0.875015 1.233755,-1.169472 0.499115,-0.294077 1.06062,-0.503549 1.684987,-0.6287 0.624084,-0.124867 1.252055,-0.187632 1.883534,-0.187632 0.572882,0 1.152781,0.04064 1.740265,0.121258 0.58739,0.08119 1.123578,0.239478 1.608281,0.474492 0.484608,0.235205 0.881037,0.562707 1.18957,0.98165 0.308439,0.419134 0.462611,0.974434 0.462611,1.665804 v 5.934149 c 0,0.515418 0.02939,1.007572 0.08827,1.478172 0.05831,0.470884 0.161283,0.823834 0.308249,1.059038 h -3.172092 c -0.05888,-0.176617 -0.106764,-0.356557 -0.143268,-0.540581 -0.03698,-0.183549 -0.06267,-0.371086 -0.07709,-0.562422 -0.4994,0.514849 -1.087073,0.875205 -1.762168,1.081164 -0.675759,0.205388 -1.366024,0.3087 -2.070986,0.3087 -0.543584,0 -1.050285,-0.06628 -1.520196,-0.198457 C 26.82534,21.768261 26.414309,21.562493 26.061876,21.282564 25.709347,21.003585 25.434,20.65054 25.235738,20.224095 25.037476,19.79765 24.938203,19.289733 24.938203,18.701674 c 0,-0.646932 0.113685,-1.180297 0.341719,-1.599051 0.227466,-0.419418 0.521018,-0.753851 0.881322,-1.004154 0.359639,-0.249923 0.770764,-0.43746 1.233565,-0.562421 0.462515,-0.124867 0.928729,-0.223906 1.398735,-0.297876 0.470007,-0.07331 0.932523,-0.132273 1.387927,-0.176332 0.455215,-0.04425 0.859229,-0.110528 1.211663,-0.198742 0.352528,-0.08821 0.631289,-0.216688 0.837136,-0.385994 0.205278,-0.169116 0.300759,-0.41543 0.286346,-0.739229 0,-0.338041 -0.05499,-0.60667 -0.16517,-0.805127 -0.110082,-0.198457 -0.257048,-0.35314 -0.440519,-0.463383 -0.183659,-0.110243 -0.396618,-0.183834 -0.63878,-0.220771 -0.242446,-0.03627 -0.503381,-0.05508 -0.782048,-0.05508 -0.616877,0 -1.101485,0.132463 -1.454013,0.397199 -0.352339,0.264736 -0.558376,0.706184 -0.616878,1.32368 h -3.128097 c 0.04381,-0.735146 0.227086,-1.345804 0.5506,-1.830837 z m 6.179109,4.423311 c -0.198167,0.06609 -0.41122,0.121069 -0.638685,0.165318 -0.22775,0.04415 -0.466309,0.081 -0.715961,0.110243 -0.249842,0.02972 -0.499494,0.06628 -0.748957,0.110433 -0.235145,0.04378 -0.466403,0.103122 -0.693774,0.176333 -0.227939,0.07397 -0.426201,0.173009 -0.59488,0.29797 -0.169152,0.125056 -0.30493,0.283442 -0.407711,0.474208 -0.102876,0.19124 -0.154172,0.434041 -0.154172,0.728118 0,0.27917 0.0513,0.514849 0.154172,0.705615 0.102781,0.191525 0.242541,0.342219 0.41871,0.452463 0.17617,0.110243 0.381637,0.187632 0.616972,0.231501 0.234672,0.04425 0.477023,0.06628 0.72677,0.06628 0.616783,0 1.0939,-0.102742 1.432017,-0.30889 0.337642,-0.205674 0.587105,-0.452178 0.748957,-0.739229 0.161378,-0.28667 0.260651,-0.576569 0.29744,-0.871121 0.03641,-0.294077 0.05499,-0.529472 0.05499,-0.705899 v -1.169472 c -0.132364,0.11803 -0.297534,0.209851 -0.495891,0.27613 z"
+           id="Shape"
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:path
+           d="m 43.883533,10.406647 v 2.095858 h -2.290866 v 5.647857 c 0,0.529187 0.08799,0.882326 0.264349,1.058659 0.17598,0.176522 0.528698,0.264736 1.057396,0.264736 0.176264,0 0.344943,-0.0072 0.506606,-0.02203 0.161472,-0.01443 0.315739,-0.03684 0.462515,-0.06609 v 2.426777 c -0.264348,0.04415 -0.558185,0.0734 -0.881131,0.0884 -0.32304,0.01415 -0.63878,0.02184 -0.947219,0.02184 -0.484608,0 -0.94371,-0.03323 -1.376833,-0.09951 C 40.244943,21.757154 39.863211,21.62877 39.53287,21.43734 39.202339,21.246385 38.941593,20.973957 38.750822,20.621008 38.559671,20.268343 38.46438,19.804865 38.46438,19.230954 v -6.72845 H 36.569943 V 10.406647 H 38.46438 V 6.9871098 h 3.128193 v 3.4195372 z"
+           id="path2"
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:path
+           d="m 48.355373,10.406647 v 2.117982 h 0.04409 c 0.146586,-0.353234 0.344753,-0.680166 0.59469,-0.981935 0.249747,-0.301199 0.535904,-0.558813 0.859039,-0.772083 0.322851,-0.21289 0.668173,-0.378397 1.035683,-0.496427 0.366751,-0.11746 0.748862,-0.176522 1.14548,-0.176522 0.205563,0 0.432933,0.03703 0.68287,0.110433 v 2.912285 c -0.147061,-0.02963 -0.323325,-0.05545 -0.528698,-0.07729 -0.205752,-0.02213 -0.403919,-0.03323 -0.59488,-0.03323 -0.572787,0 -1.057395,0.09591 -1.453729,0.28686 -0.396524,0.191241 -0.715866,0.452083 -0.958312,0.783098 -0.242257,0.33111 -0.415203,0.716914 -0.517889,1.158267 -0.102687,0.441068 -0.154077,0.919359 -0.154077,1.434018 V 21.81232 H 45.381542 V 10.406647 Z"
+           id="path3"
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:path
+           d="m 54.038875,8.6416142 v -2.581175 h 3.128382 v 2.581175 z m 3.128382,1.7650328 V 21.812415 H 54.038875 V 10.406647 Z"
+           id="path4"
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:polygon
+           id="polygon4"
+           points="61.94725,21.81251 58.444912,21.81251 62.542225,15.811988 58.79725,10.406647 62.365866,10.406647 64.37067,13.384926 66.353382,10.406647 69.811915,10.406647 66.067035,15.745614 70.274715,21.81251 66.705815,21.81251 64.32658,18.216546 "
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+        <svg:polygon
+           id="polygon5"
+           points="74.093837,0.73220178 71.900727,0.73220178 71.900727,9.495549e-05 74.93562,9.495549e-05 74.93562,31.981769 71.900727,31.981769 71.900727,31.249567 74.093837,31.249567 "
+           style="fill:#666666;stroke:none;stroke-opacity:1;stroke-width:0.99972487;stroke-dasharray:none" />
+      </svg:g>
+    </svg:g>
+  </svg:g>
+  <script />
+  <svg:metadata
+     id="metadata5">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:title>matrix logo white</dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </svg:metadata>
+</svg:svg>

renovate.json5

@@ -0,0 +1,4 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": ["local>devops/renovator//default.renovate.json5"]
+}

start.sh

@@ -4,6 +4,8 @@ set -eu
 
 mkdir -p /app/data/data /app/data/configs /run/synapse
 
+source /app/code/env/bin/activate
+
 if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
     echo "==> Detected first run"
 
@@ -31,16 +33,16 @@ if [[ ! -f /app/data/configs/homeserver.yaml ]]; then
 
     yq eval -i ".server_name=\"${server_name}\"" /app/data/configs/homeserver.yaml
     yq eval -i ".registration_shared_secret=\"$(pwgen -1s 64)\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".macaroon_secret_key=\"$(pwgen -1s 64)\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".form_secret=\"$(pwgen -1s 64)\"" /app/data/configs/homeserver.yaml
 
-    yq eval -i ".auto_join_rooms=[]" /app/data/configs/homeserver.yaml
-    yq eval -i ".auto_join_rooms[0]=\"#discuss:${server_name}\"" /app/data/configs/homeserver.yaml
-
-    if [[ -z "${CLOUDRON_LDAP_SERVER:-}" ]]; then
+    if [[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
         yq eval -i ".enable_registration=true" /app/data/configs/homeserver.yaml
-        yq eval -i ".password_config.pepper=\"$(pwgen -1s 12)\"" /app/data/configs/homeserver.yaml
-        # just setting enabled to false is not enough. see https://github.com/matrix-org/matrix-synapse-ldap3/issues/123
-        yq eval -i "del(.password_providers)" /app/data/configs/homeserver.yaml
+        yq eval -i ".password_config.enabled=true" /app/data/configs/homeserver.yaml
+        yq eval -i ".password_config.localdb_enabled=true" /app/data/configs/homeserver.yaml
+        yq eval -i "del(.oidc_providers)" /app/data/configs/homeserver.yaml
     fi
+    yq eval -i ".password_config.pepper=\"$(pwgen -1s 12)\"" /app/data/configs/homeserver.yaml # always set this so that users can enable password login if needed
 fi
 
 echo "==> Ensure we log to console"
@@ -65,19 +67,27 @@ yq eval -i ".email.smtp_user=\"${CLOUDRON_MAIL_SMTP_USERNAME}\"" /app/data/confi
 yq eval -i ".email.smtp_pass=\"${CLOUDRON_MAIL_SMTP_PASSWORD}\"" /app/data/configs/homeserver.yaml
 yq eval -i ".email.notif_from=\"${CLOUDRON_MAIL_FROM_DISPLAY_NAME:-Matrix} <${CLOUDRON_MAIL_FROM}>\"" /app/data/configs/homeserver.yaml
 
-# ldap
-if [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]]; then
-    yq eval -i ".password_providers[0].config.uri=\"${CLOUDRON_LDAP_URL}\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".password_providers[0].config.start_tls=false" /app/data/configs/homeserver.yaml
-    yq eval -i ".password_providers[0].config.base=\"${CLOUDRON_LDAP_USERS_BASE_DN}\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".password_providers[0].config.bind_dn=\"${CLOUDRON_LDAP_BIND_DN}\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".password_providers[0].config.bind_password=\"${CLOUDRON_LDAP_BIND_PASSWORD}\"" /app/data/configs/homeserver.yaml
-    yq eval -i ".password_providers[0].config.filter=\"(objectClass=user)\"" /app/data/configs/homeserver.yaml
+# oidc
+if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+    echo " ==> Configuring OIDC auth"
+    yq eval -i ".oidc_providers[0].idp_id=\"cloudron\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].idp_name=\"${CLOUDRON_OIDC_PROVIDER_NAME:-Cloudron}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].issuer=\"${CLOUDRON_OIDC_ISSUER}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].client_id=\"${CLOUDRON_OIDC_CLIENT_ID}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].client_secret=\"${CLOUDRON_OIDC_CLIENT_SECRET}\"" /app/data/configs/homeserver.yaml
 
+    yq eval -i ".oidc_providers[0].scopes=[\"openid\", \"email\", \"profile\"]" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].authorization_endpoint=\"${CLOUDRON_OIDC_AUTH_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].token_endpoint=\"${CLOUDRON_OIDC_TOKEN_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].userinfo_endpoint=\"${CLOUDRON_OIDC_PROFILE_ENDPOINT}\"" /app/data/configs/homeserver.yaml
+    # https://s3lph.me/ldap-to-oidc-migration-3-matrix.html
+    yq eval -i ".oidc_providers[0].allow_existing_users=true" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].skip_verification=true" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].user_mapping_provider.config.localpart_template=\"{{ user.sub }}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].user_mapping_provider.config.display_name_template=\"{{ user.name }}\"" /app/data/configs/homeserver.yaml
+    yq eval -i ".oidc_providers[0].user_mapping_provider.config.email_template=\"{{ user.email }}\"" /app/data/configs/homeserver.yaml
 else
     yq eval -i ".password_config.localdb_enabled=true" /app/data/configs/homeserver.yaml
-    # just setting enabled to false is not enough. see https://github.com/matrix-org/matrix-synapse-ldap3/issues/123
-    yq eval -i "del(.password_providers)" /app/data/configs/homeserver.yaml
 fi
 
 # turn (https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md#synapse-setup)
@@ -90,7 +100,7 @@ fi
 
 # fix permissions
 echo "==> Fixing permissions"
-chown -R cloudron.cloudron /app/data /run/synapse
+chown -R cloudron:cloudron /app/data /run/synapse
 
 echo "==> Starting synapse"
-gosu cloudron:cloudron python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml -n
+exec gosu cloudron:cloudron python3 -m synapse.app.homeserver --config-path /app/data/configs/homeserver.yaml -n

test/package.json

@@ -9,10 +9,9 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "chromedriver": "^116.0.0",
+    "chromedriver": "^142.0.1",
     "expect.js": "^0.3.1",
-    "mocha": "^10.2.0",
-    "selenium-webdriver": "^4.12.0",
-    "superagent": "^8.1.2"
+    "mocha": "^11.7.5",
+    "selenium-webdriver": "^4.38.0"
   }
 }

test/test.js

@@ -1,214 +1,417 @@
 #!/usr/bin/env node
 
 /* jshint esversion: 8 */
-/* global describe */
-/* global before */
-/* global after */
-/* global it */
-/* global xit */
+/* global it, xit, describe, before, after, afterEach */
 
 'use strict';
 
 require('chromedriver');
 
-var execSync = require('child_process').execSync,
+const execSync = require('child_process').execSync,
     expect = require('expect.js'),
+    fs = require('fs'),
     path = require('path'),
-    superagent = require('superagent'),
     { Builder, By, Key, until } = require('selenium-webdriver'),
     { Options } = require('selenium-webdriver/chrome');
 
+if (!process.env.USERNAME || !process.env.PASSWORD) {
+    console.log('USERNAME and PASSWORD env vars need to be set');
+    process.exit(1);
+}
+
 describe('Application life cycle test', function () {
     this.timeout(0);
 
-    const LOCATION = 'test';
-    const TEST_TIMEOUT = 10000;
+    const ELEMENT_LOCATION = 'element-test';
+    const LOCATION = process.env.LOCATION || 'test';
+    const TEST_TIMEOUT = parseInt(process.env.TIMEOUT, 10) || 10000;
     const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
+    const USERNAME = process.env.USERNAME;
+    const PASSWORD = process.env.PASSWORD;
+    const ROOM_ID = Math.floor((Math.random() * 100) + 1);
+    const ROOM_NAME = 'Test room ' + ROOM_ID;
+    const MSG_TEXT = 'Test message ';
 
-    const username = process.env.USERNAME;
-    const password = process.env.PASSWORD;
-
-    var app, browser;
-    var token, roomId;
+    let browser, app, elementApp;
 
     before(function () {
-        if (!process.env.USERNAME) throw new Error('USERNAME env var not set');
-        if (!process.env.PASSWORD) throw new Error('PASSWORD env var not set');
+        const chromeOptions = new Options().windowSize({ width: 1280, height: 1024 });
+        if (process.env.CI) chromeOptions.addArguments('no-sandbox', 'disable-dev-shm-usage', 'headless');
+        browser = new Builder().forBrowser('chrome').setChromeOptions(chromeOptions).build();
+        if (!fs.existsSync('./screenshots')) fs.mkdirSync('./screenshots');
 
-        browser = new Builder().forBrowser('chrome').setChromeOptions(new Options().windowSize({ width: 1280, height: 1024 })).build();
+        if (process.env.CI) execSync(`cloudron uninstall --app ${ELEMENT_LOCATION} || true`, EXEC_ARGS);
     });
 
     after(function () {
         browser.quit();
     });
 
+    afterEach(async function () {
+        if (!process.env.CI || !app) return;
+
+        const currentUrl = await browser.getCurrentUrl();
+        if (!currentUrl.includes(app.domain)) return;
+        expect(this.currentTest.title).to.be.a('string');
+
+        const screenshotData = await browser.takeScreenshot();
+        fs.writeFileSync(`./screenshots/${new Date().getTime()}-${this.currentTest.title.replaceAll(' ', '_')}.png`, screenshotData, 'base64');
+    });
+
+    async function clearCache() {
+        await browser.manage().deleteAllCookies();
+        await browser.quit();
+        browser = null;
+        const chromeOptions = new Options().windowSize({ width: 1280, height: 1024 });
+        if (process.env.CI) chromeOptions.addArguments('no-sandbox', 'disable-dev-shm-usage', 'headless');
+        chromeOptions.addArguments(`--user-data-dir=${await fs.promises.mkdtemp('/tmp/test-')}`); // --profile-directory=Default
+        browser = new Builder().forBrowser('chrome').setChromeOptions(chromeOptions).build();
+    }
+
+    async function waitForElement(elem) {
+        await browser.wait(until.elementLocated(elem), TEST_TIMEOUT);
+        await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
+    }
+
     function getAppInfo() {
-        var inspect = JSON.parse(execSync('cloudron inspect'));
+        const inspect = JSON.parse(execSync('cloudron inspect'));
         app = inspect.apps.filter(function (a) { return a.location.indexOf(LOCATION) === 0; })[0];
         expect(app).to.be.an('object');
     }
 
+    function getElementAppInfo() {
+        const inspect = JSON.parse(execSync('cloudron inspect'));
+        elementApp = inspect.apps.filter(function (a) { return a.location.indexOf(ELEMENT_LOCATION) === 0; })[0];
+        expect(elementApp).to.be.an('object');
+    }
+
+    function getMessage() {
+        return MSG_TEXT + Math.floor((Math.random() * 100) + 1);
+    }
+
+    async function updateSynapseConfig() {
+        console.log(`Setting Synapse Matrix server location to "https://${app.fqdn}"`);
+
+        execSync(`cloudron exec --app ${ELEMENT_LOCATION} -- bash -c "jq '.default_server_config[\\"m.homeserver\\"].base_url = \\"https://${app.fqdn}\\"' /app/data/config.json | sponge /app/data/config.json"`);
+        execSync(`cloudron restart --app ${ELEMENT_LOCATION}`);
+        // wait when all services are up and running
+        await browser.sleep(15000);
+    }
+
     async function checkLandingPage() {
         await browser.get(`https://${app.fqdn}`);
         await browser.wait(until.elementLocated(By.xpath('//h1[contains(text(),"Synapse is running")]')), TEST_TIMEOUT);
     }
 
-    // https://matrix.org/docs/spec/client_server/latest#user-interactive-api-in-the-rest-api
-    function registerUser(done) {
-        superagent.post('https://' + app.fqdn + '/_matrix/client/r0/register?kind=user').send({
-            username: username,
-            password: password,
-            inhibit_login: false
-        }).end(function (error, result) {
-            // we will first get a 401
-            let session = result.body.session;
-            console.log('session is', session);
-            if (result.statusCode !== 401) return done(new Error('Expecting a 401 ' + result.statusCode));
+    async function registerUser() {
+        await browser.get(`https://${elementApp.fqdn}/#/register`);
+        await waitForElement(By.xpath('//input[@label="Username"]'));
+        await browser.findElement(By.xpath('//input[@label="Username"]')).sendKeys(USERNAME);
+        await browser.findElement(By.xpath('//input[@label="Password"]')).sendKeys(PASSWORD);
+        await browser.findElement(By.xpath('//input[@label="Confirm password"]')).sendKeys(PASSWORD);
+        await browser.findElement(By.xpath('//input[@value="Register"]')).click();
 
-            superagent.post('https://' + app.fqdn + '/_matrix/client/r0/register?kind=user').send({
-                auth: {
-                    type: 'm.login.dummy',
-                    session: session
-                },
-                username: username,
-                password: password,
-                inhibit_login: false
-            }).end(function (error, result) {
-                if (error) return done(error);
-                if (result.statusCode !== 200) return done(new Error('Login failed with status ' + result.statusCode));
+        await waitForElement(By.xpath('//h1[text()="You\'re in"] | //h1[contains(., "Welcome")]'));
+        if (await browser.findElements(By.xpath('//div[@role="button" and text()="Skip"]')).then(found => !!found.length)) {
+            await browser.findElement(By.xpath('//div[@role="button" and text()="Skip"]')).click();
+        }
 
-                console.log('registered user with id', result.body.user_id);
-
-                done();
-            });
-        });
+        await waitForElement(By.xpath(`//h1[contains(., "Welcome")]`));
     }
 
-    // https://matrix.org/docs/spec/client_server/latest
-    function checkLogin(done) {
-        superagent.post('https://' + app.fqdn + '/_matrix/client/r0/login').send({
-            type: 'm.login.password',
-            user: username,
-            password: password
-        }).end(function (error, result) {
-            if (error) return done(error);
-            if (result.statusCode !== 200) return done(new Error('Login failed with status ' + result.statusCode));
+    async function loginOIDCOld(username, password, alreadyAuthenticated, proceedWithReset) {
+        await browser.get(`https://${elementApp.fqdn}/#/login`);
+        await browser.sleep(2000);
 
-            token = result.body.access_token;
-            if (!token) return done(new Error('No token'));
+        await waitForElement(By.css('.mx_Dropdown_arrow'));
+        await browser.findElement(By.css('.mx_Dropdown_arrow')).click();
+        await waitForElement(By.id('mx_LanguageDropdown__en'));
+        await browser.findElement(By.id('mx_LanguageDropdown__en')).click();
+        await browser.sleep(3000);
 
-            done();
-        });
+        await waitForElement(By.xpath('//div[@role="button" and contains(., "Continue with")]'));
+        await browser.findElement(By.xpath('//div[@role="button" and contains(., "Continue with")]')).click();
+        if (!alreadyAuthenticated) {
+            await waitForElement(By.id('inputUsername'));
+            await browser.findElement(By.id('inputUsername')).sendKeys(username);
+            await browser.findElement(By.id('inputPassword')).sendKeys(password);
+            await browser.findElement(By.id('loginSubmitButton')).click();
+        }
+
+        await waitForElement(By.xpath('//p[@class="confirm-trust" and contains(., "Continuing will grant ")]'));
+        await browser.findElement(By.xpath('//a[contains(., "Continue")]')).click();
+
+        if (proceedWithReset) {
+            await waitForElement(By.xpath('//div[text()="Proceed with reset" or text()="Reset all"]'));
+
+            if (await browser.findElements(By.xpath('//div[text()="Reset all"]')).then(found => !!found.length)) {
+                await browser.findElement(By.xpath('//div[text()="Reset all"]')).click();
+            }
+
+            await waitForElement(By.xpath('//div[text()="Proceed with reset"]'));
+            await browser.findElement(By.xpath('//div[text()="Proceed with reset"]')).click();
+
+            await waitForElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]'));
+            await browser.findElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]')).click();
+
+            await waitForElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]'));
+            await browser.findElement(By.xpath('//button[@class="mx_Dialog_primary" and text()="Continue"] | //div[@class="mx_EncryptionCard_buttons"]/button[@data-kind="primary"]')).click();
+            await waitForElement(By.xpath('//button[text()="Done"] | //div[text()="Single Sign On"]'));
+
+            if (await browser.findElements(By.xpath('//div[text()="Single Sign On"]')).then(found => !!found.length)) {
+
+                await browser.findElement(By.xpath('//div[text()="Single Sign On"]')).click();
+
+                const originalWindowHandle = await browser.getWindowHandle();
+                await browser.wait(async () => (await browser.getAllWindowHandles()).length === 2, 10000);
+                //Loop through until we find a new window handle
+                const windows = await browser.getAllWindowHandles();
+                windows.forEach(async handle => {
+                    if (handle !== originalWindowHandle) {
+                        await browser.switchTo().window(handle);
+                    }
+                });
+                await waitForElement(By.xpath('//a[contains(., "Continue with")]'));
+                await browser.findElement(By.xpath('//a[contains(., "Continue with")]')).click();
+
+                // switch back to the main window
+                await browser.switchTo().window(originalWindowHandle);
+
+                await waitForElement(By.xpath('//div[text()="Confirm"]'));
+                await browser.findElement(By.xpath('//div[text()="Confirm"]')).click();
+            }
+
+            await waitForElement(By.xpath('//div[text()="Cancel"] | //h1[contains(., "Welcome")]'));
+            if (await browser.findElements(By.xpath('//div[text()="Cancel"]')).then(found => !!found.length)) {
+                await browser.findElement(By.xpath('//div[text()="Cancel"]')).click();
+            }
+        }
+
+        await browser.sleep(3000);
+        await waitForElement(By.xpath(`//h1[contains(., "Welcome")]`));
     }
 
-    function checkAutoJoinRoom(done) {
-        superagent.get('https://' + app.fqdn + '/_matrix/client/r0/joined_rooms?access_token=' + token).end(function (error, result) {
-            if (error) return done(error);
-            if (result.statusCode !== 200) return done(new Error('Room listing failed with status ' + result.statusCode));
+    async function loginOIDC(username, password, alreadyAuthenticated, proceedWithReset) {
+        await browser.get(`https://${elementApp.fqdn}/#/login`);
+        await browser.sleep(2000);
 
-            if (result.body.joined_rooms.length !== 1) return done(new Error('User must have auto-joined discuss channel:' + result.statusCode));
-            done();
-        });
+        await waitForElement(By.css('.mx_Dropdown_arrow'));
+        await browser.findElement(By.css('.mx_Dropdown_arrow')).click();
+        await waitForElement(By.id('mx_LanguageDropdown__en'));
+        await browser.findElement(By.id('mx_LanguageDropdown__en')).click();
+        await browser.sleep(3000);
+
+        await waitForElement(By.xpath('//div[@role="button" and contains(., "Continue with")]'));
+        await browser.findElement(By.xpath('//div[@role="button" and contains(., "Continue with")]')).click();
+        if (!alreadyAuthenticated) {
+            await waitForElement(By.id('inputUsername'));
+            await browser.findElement(By.id('inputUsername')).sendKeys(username);
+            await browser.findElement(By.id('inputPassword')).sendKeys(password);
+            await browser.findElement(By.id('loginSubmitButton')).click();
+        }
+
+        await waitForElement(By.xpath('//p[@class="confirm-trust" and contains(., "Continuing will grant ")]'));
+        await browser.findElement(By.xpath('//a[contains(., "Continue")]')).click();
+
+        if (proceedWithReset) {
+            await waitForElement(By.xpath('//h2[text()="Confirm your identity"]'));
+
+            await waitForElement(By.xpath('//button[text()="Can\'t confirm?"]'));
+            await browser.findElement(By.xpath('//button[text()="Can\'t confirm?"]')).click();
+
+            await waitForElement(By.xpath('//button[text()="Continue"]'));
+            await browser.findElement(By.xpath('//button[text()="Continue"]')).click();
+
+            await waitForElement(By.xpath('//button[text()="Done"] | //div[text()="Single Sign On"]'));
+
+            if (await browser.findElements(By.xpath('//div[text()="Single Sign On"]')).then(found => !!found.length)) {
+
+                await browser.findElement(By.xpath('//div[text()="Single Sign On"]')).click();
+
+                const originalWindowHandle = await browser.getWindowHandle();
+                await browser.wait(async () => (await browser.getAllWindowHandles()).length === 2, 10000);
+                //Loop through until we find a new window handle
+                const windows = await browser.getAllWindowHandles();
+                windows.forEach(async handle => {
+                    if (handle !== originalWindowHandle) {
+                        await browser.switchTo().window(handle);
+                    }
+                });
+                await waitForElement(By.xpath('//a[contains(., "Continue with")]'));
+                await browser.findElement(By.xpath('//a[contains(., "Continue with")]')).click();
+
+                // switch back to the main window
+                await browser.switchTo().window(originalWindowHandle);
+
+                await waitForElement(By.xpath('//div[text()="Confirm"]'));
+                await browser.findElement(By.xpath('//div[text()="Confirm"]')).click();
+            }
+
+            await waitForElement(By.xpath('//div[text()="Cancel"] | //h1[contains(., "Welcome")]'));
+            if (await browser.findElements(By.xpath('//div[text()="Cancel"]')).then(found => !!found.length)) {
+                await browser.findElement(By.xpath('//div[text()="Cancel"]')).click();
+            }
+        }
+
+        await browser.sleep(3000);
+        await waitForElement(By.xpath(`//h1[contains(., "Welcome")]`));
     }
 
-    function createRoom(done) {
-        superagent.post('https://' + app.fqdn + '/_matrix/client/r0/createRoom?access_token=' + token).send({
-            room_alias_name: 'general'
-        }).end(function (error, result) {
-            if (error) return done(error);
-            if (result.statusCode !== 200) return done(new Error('Room creation failed with status ' + result.statusCode));
-
-            roomId = result.body.room_id;
-            if (!roomId) return done(new Error('No room id'));
-
-            done();
-        });
+    async function login() {
+        await browser.get(`https://${elementApp.fqdn}/#/login`);
+        await browser.wait(until.elementLocated(By.xpath('//input[@value="Sign in"]')), TEST_TIMEOUT);
+        await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(USERNAME);
+        await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(PASSWORD);
+        await browser.findElement(By.xpath('//input[@value="Sign in"]')).click();
+        await browser.sleep(5000);
+        await skipVerification();
+        await browser.wait(until.elementLocated(By.xpath('//h1[contains(., "Welcome")] | //span[text()="Rooms"]')), TEST_TIMEOUT);
     }
 
-    function checkRoom(done) {
-        superagent.get('https://' + app.fqdn + '/_matrix/client/r0/joined_rooms?access_token=' + token).end(function (error, result) {
-            if (error) return done(error);
-            if (result.statusCode !== 200) return done(new Error('Room listing failed with status ' + result.statusCode));
+    async function skipVerification() {
+        await browser.wait(until.elementLocated(By.xpath('//div[@aria-label="Skip verification for now"]')), TEST_TIMEOUT);
+        await browser.sleep(5000);
+        await browser.findElement(By.xpath('//div[@aria-label="Skip verification for now"]')).click();
+        await browser.wait(until.elementLocated(By.xpath('//div[contains(text(), "verify later")]')), TEST_TIMEOUT);
+        await browser.sleep(5000);
+        await browser.findElement(By.xpath('//div[contains(text(), "verify later")]')).click();
+        await browser.sleep(5000);
+    }
 
-            if (!result.body.joined_rooms.includes(roomId)) return done(new Error('No room in list: ' + JSON.stringify(result.body)));
+    async function logout() {
+        await browser.get(`https://${elementApp.fqdn}/#/home`);
+        await browser.sleep(5000);
+        await waitForElement(By.xpath('//div[@role="button" and @aria-label="User menu"]'));
 
-            done();
-        });
+        await browser.findElement(By.xpath('//div[@role="button" and @aria-label="User menu"]')).click();
+        await browser.sleep(2000);
+
+        await browser.findElement(By.xpath('//li[@role="menuitem" and @aria-label="Sign out"]')).click();
+        await browser.sleep(2000);
+
+        if (await browser.findElements(By.xpath('//button[contains(text(), "I don\'t want my encrypted messages")]')).then(found => !!found.length)) {
+            await browser.findElement(By.xpath('//button[contains(text(), "I don\'t want my encrypted messages")]')).click();
+            await browser.sleep(3000);
+        }
+
+        await waitForElement(By.xpath('//h1[text()="Sign in"]'));
+    }
+
+    async function isLoggedIn() {
+        await browser.get(`https://${elementApp.fqdn}/#/home`);
+        await browser.wait(until.elementLocated(By.xpath('//h1[contains(., "Welcome")] | //span[text()="Rooms"]')), TEST_TIMEOUT);
     }
 
     xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
 
     // No SSO
     it('install app (no sso)', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); });
-
     it('can get app information', getAppInfo);
-
     it('check landing page', checkLandingPage);
-    it('can register new user', registerUser);
-    it('can login', checkLogin);
-    it('check autojoin', checkAutoJoinRoom);
-    it('create room', createRoom);
-    it('check room', checkRoom);
 
+    it('can install element-web app (no sso)', function () { execSync('cloudron install --appstore-id im.riot.cloudronapp --location ' + ELEMENT_LOCATION, EXEC_ARGS); });
+    it('update element-app config', updateSynapseConfig);
+
+    it('can get Element app info', getElementAppInfo);
+    it('can register new user', registerUser);
+    it('can logout', logout); // from auto-login
+
+    it('can login', login);
+    it('can logout', logout);
+
+    it('uninstall element-web app', async function () {
+        await browser.get('about:blank');
+        execSync(`cloudron uninstall --app ${ELEMENT_LOCATION}`, EXEC_ARGS);
+    });
     it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
 
     // SSO
-    it('install app', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
+    it('install app (sso)', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
+    it('can get app info', getAppInfo);
 
-    it('can get app information', getAppInfo);
+    it('can install element-web app (sso)', function () { execSync('cloudron install --appstore-id im.riot.cloudronapp --location ' + ELEMENT_LOCATION, EXEC_ARGS); });
+    it('can get Element app info', getElementAppInfo);
+    it('update element-app config', updateSynapseConfig);
 
-    it('check landing page', checkLandingPage);
-    it('can login', checkLogin);
-    it('check autojoin', checkAutoJoinRoom);
-    it('create room', createRoom);
-    it('check room', checkRoom);
+    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, false, false));
+    it('can get app info', getAppInfo);
 
-    it('can restart app', function () { execSync('cloudron restart'); });
+    it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`); });
 
-    it('check landing page', checkLandingPage);
-    it('check room', checkRoom);
+    it('backup app', function () { execSync(`cloudron backup create --app ${app.id}`, EXEC_ARGS); });
 
-    it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
+    it('is logged in', isLoggedIn);
 
-    it('check landing page', checkLandingPage);
-    it('check room', checkRoom);
+    it('restore app', async function () {
+        const backups = JSON.parse(execSync(`cloudron backup list --raw --app ${app.id}`));
+
+        await browser.get('about:blank');
+        execSync(`cloudron uninstall --app ${app.id}`, EXEC_ARGS);
+        execSync(`cloudron install --location ${LOCATION}`, EXEC_ARGS);
 
-    it('restore app', function () {
-        const backups = JSON.parse(execSync('cloudron backup list --raw'));
-        execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS);
-        execSync('cloudron install --location ' + LOCATION, EXEC_ARGS);
         getAppInfo();
+
         execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS);
     });
 
-    it('check landing page', checkLandingPage);
-    it('check room', checkRoom);
+    it('is logged in', isLoggedIn);
+    it('can logout', logout);
+    it('can get app info', getAppInfo);
 
-    it('move to different location', function () {
+    // web ui also throws random errors after changing domain
+    xit('move to different location (skipped since no matrix support)', async function () {
         browser.manage().deleteAllCookies();
-        execSync('cloudron configure --location ' + LOCATION + '2', EXEC_ARGS);
+        await browser.get('about:blank');
+
+        execSync(`cloudron configure --location ${LOCATION}2`, EXEC_ARGS);
         getAppInfo();
+        await browser.sleep(15000);
+    });
+    xit('update element-app config', updateSynapseConfig);
+    xit('can get Element app info', getElementAppInfo);
+    xit('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, true, true));
+
+    it('uninstall app', async function () {
+        await browser.get('about:blank');
+        execSync(`cloudron uninstall --app ${app.id}`, EXEC_ARGS);
     });
 
-    it('check landing page', checkLandingPage);
-    it('check room', checkRoom);
-
-    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
+    it('uninstall element-web app', function () {
+        execSync(`cloudron uninstall --app ${ELEMENT_LOCATION}`, EXEC_ARGS);
+    });
 
     // test update
-    it('can install app', function () { execSync('cloudron install --appstore-id org.matrix.synapse --location ' + LOCATION, EXEC_ARGS); });
+    it('clear cache', clearCache);
+    it('can install app for update', function () { execSync('cloudron install --appstore-id org.matrix.synapse --location ' + LOCATION, EXEC_ARGS); });
+    it('can get app info', getAppInfo);
 
-    it('can get app information', getAppInfo);
+    it('can install element-web app (update)', function () { execSync('cloudron install --appstore-id im.riot.cloudronapp --location ' + ELEMENT_LOCATION, EXEC_ARGS); });
+    it('can get Element app info', getElementAppInfo);
+    it('update element-app config', updateSynapseConfig);
 
-    it('check landing page', checkLandingPage);
-    it('can login', checkLogin);
-    it('create room', createRoom);
-    it('check room', checkRoom);
+    it('can login via OIDC', loginOIDCOld.bind(null, USERNAME, PASSWORD, false, false));
 
-    it('can update', function () { execSync('cloudron update --app ' + LOCATION, EXEC_ARGS); });
+    it('is logged in', isLoggedIn);
+    it('can logout', logout);
+    it('clear cache', clearCache);
 
-    it('check landing page', checkLandingPage);
-    it('check room', checkRoom);
+    it('can update', async function () {
+        await browser.get('about:blank');
+        execSync(`cloudron update --app ${app.id}`, EXEC_ARGS);
+        await browser.sleep(15000);
+    });
 
-    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
+    it('can get Element app info', getElementAppInfo);
+    it('can login via OIDC', loginOIDC.bind(null, USERNAME, PASSWORD, false, true));
+
+    it('is logged in', isLoggedIn);
+
+    it('uninstall app', async function () {
+        await browser.get('about:blank');
+        execSync(`cloudron uninstall --app ${app.id}`, EXEC_ARGS);
+    });
+
+    it('uninstall element-web app', function () {
+        execSync(`cloudron uninstall --app ${ELEMENT_LOCATION}`, EXEC_ARGS);
+    });
 });