MSC4155: Invite filtering #4155
Conversation
Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>
Johennes
force-pushed
the
johannes/invite-filtering
branch
from
ddd43ec to
6adc165
Compare
clokep
added
proposal
There was a problem hiding this comment.
Implementation requirements:
- Client supporting the feature, and using it
There was a problem hiding this comment.
Since I believe all the gematik implementations will be closed source, I'll reference #3860 (comment) as an example for how cases like this were handled in the past. Thanks @clokep for digging it up.
There was a problem hiding this comment.
element-hq/synapse#18288 is a serverside implementation, albeit with #4155 (comment) "corrected"
There was a problem hiding this comment.
element-hq/element-web#29603 exposes the serverside settings in the client, but does no filtering of itself. @Johennes does this evoke any worries from you if the invite filtering is done server-side?
There was a problem hiding this comment.
No, I this is fine and consistent with the proposal which allows but doesn't enforce the filtering on either the client or the server. Now that I think of it, we might need a capability so that the client knows when the server does not filter in which case the client needs to filter itself.
There was a problem hiding this comment.
element-hq/synapse#18288 supports the updated proposal.
There was a problem hiding this comment.
With my SCT hat:
The following implementations demonstrate the desire for filtering, and experiment with different ordering, but all demonstrate that the code is more than possible:
- Add support for MSC4155 Invite filtering element-hq/synapse#18288
- Nheko-Reborn/mtxclient@d6a0a4e
- Nheko-Reborn/nheko@978174a
- https://github.com/famedly/synapse-invite-checker/blob/5608f40ffeaef1320edef8554cb432fa2c881fdd/synapse_invite_checker/types.py#L71
- https://github.com/matrix-org/msc4155-synapse-invite-filter
The following implementations show that there's desire, but don't do much with the actual config:
Collectively, I feel this satisfies the implementation component, though we should monitor for user feedback if the rule processing order feels wrong. If so, we can correct it with a future MSC relatively easily (it'll suck for people on implementations which use the 'old' rules, but as those implementations update users will see the changes).
There was a problem hiding this comment.
If so, we can correct it with a future MSC relatively easily (it'll suck for people on implementations which use the 'old' rules, but as those implementations update users will see the changes).
I wish I shared your confidence. Won't it (also) suck for people who have set up rules with the "old" system, which suddenly don't work because the ordering has changed? And then they'll change the rules and get something that works with their client but not their server.
There was a problem hiding this comment.
I cannot think of a good way to prevent that other than blocking this MSC to let implementations try out the currently proposed ordering in practice. That'll involve exactly the same migration pain for users if the proposal changes, just that people will (hopefully consciously) have opted into an explicitly unstable implementation at their own risk.
There was a problem hiding this comment.
Yeah I don't disagree with you there. At some point we're going to have to just decide that we have enough confidence in the ordering that it's worth shipping. I just think it's worth having our eyes open to the fact that changing it later is going to be a bit of a buttpain, rather than "relatively easy" as Travis claimed.
turt2live
added
implementation-needs-checking
github-project-automation
bot
moved this to Needs idea feedback / initial review
in Spec Core Team Workflow
turt2live
moved this from Needs idea feedback / initial review
to Ready for FCP ticks
in Spec Core Team Workflow
turt2live
moved this from Ready for FCP ticks
to Proposed for FCP readiness
in Spec Core Team Workflow
Co-authored-by: Will Hunt <github@half-shot.uk>
This implements matrix-org/matrix-spec-proposals#4155, which adds support for a new account data type that blocks an invite based on some conditions in the event contents. --------- Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
mscbot
removed
the
unresolved-concerns
proposals/4155-invite-filtering.md
Outdated
| 1. Verify the invite against each `*_users` setting: | ||
| 1. If it matches `allowed_users`, stop processing and allow. | ||
| 2. If it matches `ignored_users`, stop processing and ignore. | ||
| 3. If it matches `blocked_users`, stop processing and block. | ||
| 2. Verify the invite against each `*_servers` setting: | ||
| 1. If it matches `allowed_servers`, stop processing and allow. | ||
| 2. If it matches `ignored_servers`, stop processing and ignore. | ||
| 3. If it matches `blocked_servers`, stop processing and block. | ||
| 3. Otherwise, allow. |
There was a problem hiding this comment.
The allow semantic here is in the reverse order to server ACL, and the implication is that an allow rules overrule ban rules. This will cause problems later if an allow policy rule recommendation is created, because it will have different semantics based on context.
To be explicit, for it to be consistent with server ACL, the allow rule would have to be applied first and processing can only continue if there is a match.
There was a problem hiding this comment.
it feels beneficial to follow the Server ACL order, with a slight change to the very last rule. Instead of "Otherwise, deny", we "Otherwise, allow" for backwards compatibility.
I think this means processing the rules as such:
- Verify the invite against each
*_userssetting:- If it matches
blocked_users, stop processing and block. - If it matches
ignored_users, stop processing and ignore. - If it matches
allowed_users, stop processing and allow.
- If it matches
- Verify the invite against each
*_serverssetting:- If it matches
blocked_servers, stop processing and block. - If it matches
ignored_servers, stop processing and ignore. - If it matches
allowed_servers, stop processing and allow.
- If it matches
- Otherwise, allow.
I don't think we want to check each in batches (all blocks, then all ignores, then all allows) specifically to ensure the user is able to allow-list certain senders from otherwise banned servers. For example: blocked_servers: [matrix.org], allowed_users: [@abuse:matrix.org].
Later, when we have more rules, we'd append to just before the "Otherwise, allow" rule.
There was a problem hiding this comment.
Consider the following issue1.
@alice:example.comis added toallowed_users.example.combecomes hostile.example.comis added toblocked_servers.@alice:example.comsends malicious invitations.
When example.com is added to blocked_servers, the entry for each user from that server in allowed_users becomes stale. There could probably be other scenarios where entries can become stale too.
A way to fix this could be to instead provide a *_users object for eachserver.
{
"example.com": { "allowed_users": "@alice:example.com" }
}
You would then also need to be able to state whether all users from the server can send invitations, or specific users. So you would also need to introduce a "match all" rule for *_users.
Footnotes
-
You can't avoid this problem by inverting the behavior described in the comment above (ie requiring that both checks for servers and users pass) because then you would end up in a situation where the
allowed_serversentry for the user being added can become stale as theallowed_usersentries are changed. To be explicit, adding@alice:example.comtoallowed_userswould require addingexample.comtoallowed_serversfirst. ↩
- Improvements to generate config documentation from JSON Schema file. ([\element-hq#18522](element-hq#18522)) - Add support for [MSC4155](matrix-org/matrix-spec-proposals#4155) Invite Filtering. ([\element-hq#18288](element-hq#18288)) - Add experimental `user_may_send_state_event` module API callback. ([\element-hq#18455](element-hq#18455)) - Add experimental `get_media_config_for_user` and `is_user_allowed_to_upload_media_of_size` module API callbacks that allow overriding of media repository maximum upload size. ([\element-hq#18457](element-hq#18457)) - Add experimental `get_ratelimit_override_for_user` module API callback that allows overriding of per-user ratelimits. ([\element-hq#18458](element-hq#18458)) - Pass `room_config` argument to `user_may_create_room` spam checker module callback. ([\element-hq#18486](element-hq#18486)) - Support configuration of default and extra user types. ([\element-hq#18456](element-hq#18456)) - Successful requests to `/_matrix/app/v1/ping` will now force Synapse to reattempt delivering transactions to appservices. ([\element-hq#18521](element-hq#18521)) - Support the import of the `RatelimitOverride` type from `synapse.module_api` in modules and rename `messages_per_second` to `per_second`. ([\element-hq#18513](element-hq#18513)) - Remove destinations from sending if not whitelisted. ([\element-hq#18484](element-hq#18484)) - Fixed room summary API incorrectly returning that a room is private in the room summary response when the join rule is omitted by the remote server. Contributed by @nexy7574. ([\element-hq#18493](element-hq#18493)) - Prevent users from adding themselves to their own user ignore list. ([\element-hq#18508](element-hq#18508)) - Generate config documentation from JSON Schema file. ([\element-hq#17892](element-hq#17892)) - Mention `CAP_NET_BIND_SERVICE` as an alternative to running Synapse as root in order to bind to a privileged port. ([\element-hq#18408](element-hq#18408)) - Surface hidden Admin API documentation regarding fetching of scheduled tasks. ([\element-hq#18516](element-hq#18516)) - Mark the new module APIs in this release as experimental. ([\element-hq#18536](element-hq#18536)) - Mark dehydrated devices in the [List All User Devices Admin API](https://element-hq.github.io/synapse/latest/admin_api/user_admin_api.html#list-all-devices). ([\element-hq#18252](element-hq#18252)) - Reduce disk wastage by cleaning up `received_transactions` older than 1 day, rather than 30 days. ([\element-hq#18310](element-hq#18310)) - Distinguish all vs local events being persisted in the "Event Send Time Quantiles" graph (Grafana). ([\element-hq#18510](element-hq#18510))
Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
proposals/4155-invite-filtering.md
Outdated
| All properties in `content` are optional arrays. A missing or `null` property MUST be treated like an | ||
| empty array. The array elements are [glob expressions]. Any `*_users` glob is to be matched against |
There was a problem hiding this comment.
If we're explicitly extending to include null we should be complete, ie. undefined or indeed anything that isn't an array should be treated as absent (if we just said 'missing' I'd assume it was implicit, but if you're calling out one I think you need to be complete).
There was a problem hiding this comment.
I'd prefer only missing to be considered empty. What's the goal of including null here?
There was a problem hiding this comment.
How would clients/servers treat null differently to missing though?
There was a problem hiding this comment.
Why is null valid in the grammar?
There was a problem hiding this comment.
If we're explicitly extending to include null we should be complete, ie. undefined or indeed anything that isn't an array should be treated as absent [...]
I think undefined is just the JS equivalent of "missing" in JSON but good point on other data types.
What's the goal of including null here?
There's occasionally been complaints that the spec doesn't clearly describe the behavior for null, missing or empty values. So I was trying to be specific here with the intention that a null or missing value doesn't have any special meaning.
However, I suppose that's sort of obvious because how else would such a value be interpreted? I have removed the sentence entirely with 5c3cab8.
There was a problem hiding this comment.
I think the options are that invalid data should be treated as empty or that it invalidates the whole object. 🤷
There was a problem hiding this comment.
I wonder if this is something that could be defined spec-wide?
FWIW I'm dealing with this when implementing element-hq/synapse#18195 as well.
There was a problem hiding this comment.
It may be a spec-wide problem, but being explicit in the MSC in the meantime helps ensure it's covered and not delayed behind yet more MSCs.
There was a problem hiding this comment.
Ok, then I think anything that doesn't match the schema should lead to the whole object being discarded. This is because the different lists will commonly work together and using only some of them might lead to unexpected results.
All properties in
contentare optional arrays. A missing property MUST be treated like an empty array. Any value that is not an array of strings MUST lead to the entire event being considered invalid.
How does that sound?
Clarify membership event and unignoring behaviour
|
@mscbot concern Pending review from Foundation T&S team |
mscbot
added
the
unresolved-concerns
Builds on NetBSD 10 amd64, and builds/tests-ok on NetBSD 9 amd64 using dependencies from 2025Q2. NB: A security update to synapse is scheduled for July 22. Consult https://matrix.org/blog/2025/07/security-predisclosure/ for further details. Those running synapse in production may wish to update to 1.134.0 to reduce the magnitude of change when updating to the July 22 version (although that will be a big update regardless). Note that the usual pkgsrc pre-commit test is upgrading from the current pkgsrc version and briefly checking operation. Therefore, not upgrading has a theoretical risk of encountering a 1.127.1 to 1.135.0 update bug when 1.127.1 to 134.0 and 1.134.0 to 1.135.0 are ok. # Synapse 1.134.0 (2025-07-15) - Support for [MSC4235](matrix-org/matrix-spec-proposals#4235): `via` query param for hierarchy endpoint. Contributed by Krishan (@kfiven). ([\#18070](element-hq/synapse#18070)) - Add `forget_forced_upon_leave` capability as per [MSC4267](matrix-org/matrix-spec-proposals#4267). ([\#18196](element-hq/synapse#18196)) - Add `federated_user_may_invite` spam checker callback which receives the entire invite event. Contributed by @tulir @ Beeper. ([\#18241](element-hq/synapse#18241)) # Synapse 1.133.0 (2025-07-01) - Add support for the [MSC4260 user report API](matrix-org/matrix-spec-proposals#4260). ([\#18120](element-hq/synapse#18120)) # Synapse 1.132.0 (2025-06-17) - Add support for [MSC4155](matrix-org/matrix-spec-proposals#4155) Invite Filtering. ([\#18288](element-hq/synapse#18288)) - Add experimental `user_may_send_state_event` module API callback. ([\#18455](element-hq/synapse#18455)) - Add experimental `get_media_config_for_user` and `is_user_allowed_to_upload_media_of_size` module API callbacks that allow overriding of media repository maximum upload size. ([\#18457](element-hq/synapse#18457)) - Add experimental `get_ratelimit_override_for_user` module API callback that allows overriding of per-user ratelimits. ([\#18458](element-hq/synapse#18458)) - Pass `room_config` argument to `user_may_create_room` spam checker module callback. ([\#18486](element-hq/synapse#18486)) - Support configuration of default and extra user types. ([\#18456](element-hq/synapse#18456)) - Successful requests to `/_matrix/app/v1/ping` will now force Synapse to reattempt delivering transactions to appservices. ([\#18521](element-hq/synapse#18521)) - Support the import of the `RatelimitOverride` type from `synapse.module_api` in modules and rename `messages_per_second` to `per_second`. ([\#18513](element-hq/synapse#18513)) # Synapse 1.131.0 (2025-06-03) - Add `msc4263_limit_key_queries_to_users_who_share_rooms` config option as per [MSC4263](matrix-org/matrix-spec-proposals#4263). ([\#18180](element-hq/synapse#18180)) - Add option to allow registrations that begin with `_`. Contributed by `_` (@hex5f). ([\#18262](element-hq/synapse#18262)) - Include room ID in response to the [Room Deletion Status Admin API](https://element-hq.github.io/synapse/latest/admin_api/rooms.html#status-of-deleting-rooms). ([\#18318](element-hq/synapse#18318)) - Add support for calling Policy Servers ([MSC4284](matrix-org/matrix-spec-proposals#4284)) to mark events as spam. ([\#18387](element-hq/synapse#18387)) # Synapse 1.130.0 (2025-05-20) - Add an Admin API endpoint `GET /_synapse/admin/v1/scheduled_tasks` to fetch scheduled tasks. ([\#18214](element-hq/synapse#18214)) - Add config option `user_directory.exclude_remote_users` which, when enabled, excludes remote users from user directory search results. ([\#18300](element-hq/synapse#18300)) - Add support for handling `GET /devices/` on workers. ([\#18355](element-hq/synapse#18355)) # Synapse 1.129.0 (2025-05-06) - Add `passthrough_authorization_parameters` in OIDC configuration to allow passing parameters to the authorization grant URL. ([\#18232](element-hq/synapse#18232)) - Add `total_event_count`, `total_message_count`, and `total_e2ee_event_count` fields to the homeserver usage statistics. ([\#18260](element-hq/synapse#18260)) # Synapse 1.128.0 (2025-04-08) - Add an access token introspection cache to make Matrix Authentication Service integration ([MSC3861](matrix-org/matrix-spec-proposals#3861)) more efficient. ([\#18231](element-hq/synapse#18231)) - Add background job to clear unreferenced state groups. ([\#18254](element-hq/synapse#18254)) - Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. ([\#18277](element-hq/synapse#18277), [\#18302](element-hq/synapse#18302), [\#18296](element-hq/synapse#18296))
chat/matrix-synapse: Update package in anticipation of security fix
Revisions pulled up:
- chat/matrix-synapse/Makefile 1.112
- chat/matrix-synapse/PLIST 1.59
- chat/matrix-synapse/cargo-depends.mk 1.27
- chat/matrix-synapse/distinfo 1.80
---
Module Name: pkgsrc
Committed By: gdt
Date: Thu Jul 17 11:24:44 UTC 2025
Modified Files:
pkgsrc/chat/matrix-synapse: Makefile PLIST cargo-depends.mk distinfo
Log Message:
chat/matrix-synapse: Update to 1.134.0
Builds on NetBSD 10 amd64, and builds/tests-ok on NetBSD 9 amd64 using
dependencies from 2025Q2.
NB: A security update to synapse is scheduled for July 22. Consult
https://matrix.org/blog/2025/07/security-predisclosure/
for further details.
Those running synapse in production may wish to update to 1.134.0 to
reduce the magnitude of change when updating to the July 22 version
(although that will be a big update regardless). Note that the usual
pkgsrc pre-commit test is upgrading from the current pkgsrc version
and briefly checking operation. Therefore, not upgrading has a
theoretical risk of encountering a 1.127.1 to 1.135.0 update bug when
1.127.1 to 134.0 and 1.134.0 to 1.135.0 are ok.
# Synapse 1.134.0 (2025-07-15)
- Support for [MSC4235](matrix-org/matrix-spec-proposals#4235): `via` query param for hierarchy endpoint. Contributed by Krishan (@kfiven).
([\#18070](element-hq/synapse#18070))
- Add `forget_forced_upon_leave` capability as per [MSC4267](matrix-org/matrix-spec-proposals#4267). ([\#18196](element-hq/synapse#18196))
- Add `federated_user_may_invite` spam checker callback which receives the entire invite event. Contributed by @tulir @ Beeper. ([\#18241](element-hq/synapse#18241))
# Synapse 1.133.0 (2025-07-01)
- Add support for the [MSC4260 user report API](matrix-org/matrix-spec-proposals#4260). ([\#18120](element-hq/synapse#18120))
# Synapse 1.132.0 (2025-06-17)
- Add support for [MSC4155](matrix-org/matrix-spec-proposals#4155) Invite Filtering. ([\#18288](element-hq/synapse#18288))
- Add experimental `user_may_send_state_event` module API callback. ([\#18455](element-hq/synapse#18455))
- Add experimental `get_media_config_for_user` and `is_user_allowed_to_upload_media_of_size` module API callbacks that allow overriding of media repository maximum upload size.
([\#18457](element-hq/synapse#18457))
- Add experimental `get_ratelimit_override_for_user` module API callback that allows overriding of per-user ratelimits. ([\#18458](element-hq/synapse#18458))
- Pass `room_config` argument to `user_may_create_room` spam checker module callback. ([\#18486](element-hq/synapse#18486))
- Support configuration of default and extra user types. ([\#18456](element-hq/synapse#18456))
- Successful requests to `/_matrix/app/v1/ping` will now force Synapse to reattempt delivering transactions to appservices. ([\#18521](element-hq/synapse#18521))
- Support the import of the `RatelimitOverride` type from `synapse.module_api` in modules and rename `messages_per_second` to `per_second`.
([\#18513](element-hq/synapse#18513))
# Synapse 1.131.0 (2025-06-03)
- Add `msc4263_limit_key_queries_to_users_who_share_rooms` config option as per [MSC4263](matrix-org/matrix-spec-proposals#4263).
([\#18180](element-hq/synapse#18180))
- Add option to allow registrations that begin with `_`. Contributed by `_` (@hex5f). ([\#18262](element-hq/synapse#18262))
- Include room ID in response to the [Room Deletion Status Admin API](https://element-hq.github.io/synapse/latest/admin_api/rooms.html#status-of-deleting-rooms).
([\#18318](element-hq/synapse#18318))
- Add support for calling Policy Servers ([MSC4284](matrix-org/matrix-spec-proposals#4284)) to mark events as spam.
([\#18387](element-hq/synapse#18387))
# Synapse 1.130.0 (2025-05-20)
- Add an Admin API endpoint `GET /_synapse/admin/v1/scheduled_tasks` to fetch scheduled tasks. ([\#18214](element-hq/synapse#18214))
- Add config option `user_directory.exclude_remote_users` which, when enabled, excludes remote users from user directory search results. ([\#18300](element-hq/synapse#18300))
- Add support for handling `GET /devices/` on workers. ([\#18355](element-hq/synapse#18355))
# Synapse 1.129.0 (2025-05-06)
- Add `passthrough_authorization_parameters` in OIDC configuration to allow passing parameters to the authorization grant URL. ([\#18232](element-hq/synapse#18232))
- Add `total_event_count`, `total_message_count`, and `total_e2ee_event_count` fields to the homeserver usage statistics. ([\#18260](element-hq/synapse#18260))
# Synapse 1.128.0 (2025-04-08)
- Add an access token introspection cache to make Matrix Authentication Service integration ([MSC3861](matrix-org/matrix-spec-proposals#3861)) more efficient.
([\#18231](element-hq/synapse#18231))
- Add background job to clear unreferenced state groups. ([\#18254](element-hq/synapse#18254))
- Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. ([\#18277](element-hq/synapse#18277),
[\#18302](element-hq/synapse#18302), [\#18296](element-hq/synapse#18296))
Rendered
In line with matrix-org/matrix-spec#1700, the following disclosure applies:
I am a Systems Architect at gematik, Software Engineer at Unomed, Matrix community member and former Element employee. This proposal was written and published with my gematik hat on.
SCT stuff:
MSC checklist
FCP tickyboxes