ember/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
6005 commits 143 branches 32 tags 16 MiB
Commit graph

1157 commits

Author SHA1 Message Date
timedout
f243b383cb
style: Fix typo in validate_remote_member_event_stub 2026-02-08 15:37:40 +00:00
timedout
e0b7d03018
fix: Perform additional membership validation on remote knocks too 2026-02-08 15:34:07 +00:00
timedout
184ae2ebb9
fix: Apply validation to make_join process 2026-02-06 18:15:39 +00:00
timedout
0ea0d09b97
fix: Don't fail open when a PDU doesn't have a short state hash 2026-02-06 18:09:09 +00:00
timedout
00c054d356
fix: Get_missing_events returns the same event N times 2026-02-05 21:28:21 +00:00
timedout
082ed5b70c feat: Use info level logs for residency check failures 2026-02-03 20:09:41 +00:00
timedout
c4a9f7a6d1 perf: Don't handle expensive requests for rooms we aren't in 
Mostly borrowed from dendrite:

https://github.com/element-hq/dendrite/blob/a042861/federationapi/routing/routing.go#L601
 2026-02-03 20:09:41 +00:00
timedout
fd9bbb08ed fix: Restore admin room announcement for deactivations 2026-01-30 05:11:30 +00:00
timedout
25f7d80a8c fix: Clippy lint 2026-01-30 05:11:30 +00:00
timedout
02fa0ba0b8 perf: Optimise account deactivation process 2026-01-30 05:11:30 +00:00
K900
cb79a3b9d7 refactor(treewide): get rid of compile time build environment introspection 
It's cursed and not very useful. Still a few uses of ctor left, but oh well.
 2026-01-19 19:44:28 +00:00
timedout
ebc8df1c4d
feat: Add endpoints required for API-based takedowns and room bans 2026-01-18 18:47:15 +00:00
Jason Volk
79a278b9e8
Fix verification loss; workaround Nheko-Reborn/nheko#1908 (closes #146) 
Signed-off-by: Jason Volk <jason@zemos.net>
 2026-01-18 14:41:01 +00:00
Jade Ellis
d260c4fcc2
style: Fix yo unused variables 2026-01-13 20:29:30 +00:00
timedout
86e450a835
fix: M_BAD_JSON in send_join and send_knock 2026-01-12 17:53:37 +00:00
timedout
99a10998b4
style: Remove unused import 2026-01-11 15:42:06 +00:00
nex
05c6b5df75
fix: M_BAD_JSON in c2s invite 2026-01-11 15:37:59 +00:00
timedout
e3cf288f39 feat: Support creating custom v12 room IDs 2026-01-09 02:50:04 +00:00
timedout
5a2a1b6240
style: Clean up whoami code 2026-01-09 01:12:38 +00:00
timedout
d22d47954f
fix: Return 403 instead of 404 at /_matrix/client/v3/account/whoami 2026-01-09 00:44:38 +00:00
Ginger
8cf2d175d6 fix: Update package and crate metadata 2026-01-08 19:28:27 +00:00
timedout
247bc15659
fix: Await future 2026-01-07 17:31:53 +00:00
timedout
88a35e139d
fix: Correctly return M_USER_LOCKED during login 2026-01-07 17:31:53 +00:00
timedout
1c816850ed
feat: Allow admins to disable the login capability of an account 
# Conflicts:
#	src/admin/user/commands.rs
 2026-01-07 17:31:51 +00:00
Ginger
adc7c5ac49 fix(!783): Don't allow registrations by default with no token configured 2026-01-07 14:22:37 +00:00
Ginger
ca77970ff3 feat(!783): Add admin commands for managing tokens 2026-01-07 14:22:37 +00:00
Ginger
42f4ec34cd feat(!783): Initial implementation 
Adds support for extra limited-use registration tokens
stored in the database, and a new service to manage them.
 2026-01-07 14:22:37 +00:00
Jade Ellis
9552dd7485
style: Log error 2026-01-06 01:55:52 +00:00
Ginger
88c84f221f
chore: Add comment and warning to unhappy path 2026-01-06 00:59:32 +00:00
Laurențiu Nicola
a10bd71945
fix(admin): fix force-leaving rooms with no left_state PDU 2026-01-06 00:59:31 +00:00
timedout
279f7cbfe4
style: Fix failing lints 2026-01-05 20:10:29 +00:00
timedout
006c57face
perf: Don't check accept_make_join twice for restricted make_join 2026-01-05 20:10:29 +00:00
timedout
d52e0dc014
fix: Apply check_all_joins to make_join 2026-01-05 20:10:29 +00:00
timedout
4b873a1b95
fix: Apply spam checker to local restricted joins 2026-01-05 20:10:29 +00:00
timedout
76865e6f91
fix: Accept_may_join callback works again 2026-01-05 20:10:29 +00:00
timedout
99f16c2dfc
fix: Call user_may_join_room later in the join process 2026-01-05 20:10:28 +00:00
timedout
5ac82f36f3
feat: Consolidate antispam checks into a service 
Also adds support for the spam checker join rule, and Draupnir callbacks
 2026-01-05 20:10:28 +00:00
timedout
c249dd992e
feat: Add support for automatically rejecting pending invites 2026-01-05 20:10:28 +00:00
timedout
0956779802
feat: Add Meowlnir invite interception support 
Co-authored-by: Jade Ellis <jade@ellis.link>
 2026-01-05 20:10:27 +00:00
timedout
7502a944d7
feat: Add user locking and unlocking commands and functionality 
Also corrects the response code returned by UserSuspended
 2026-01-05 19:30:16 +00:00
Jade Ellis
aed15f246a
refactor: Clean up logging issues 
Primary issues: Double escapes (debug fmt), spans without levels
 2026-01-05 18:28:57 +00:00
timedout
27d6604d14
fix: Use a timeout instead of deadline 2026-01-03 17:08:47 +00:00
timedout
1c7bd2f6fa
style: Remove unnecessary then() calls in chain 2026-01-03 16:22:49 +00:00
timedout
56d7099011
style: Include errors in key claim response too 2026-01-03 16:10:06 +00:00
timedout
bc426e1bfc
fix: Apply client-requested timeout to federated key queries 
Also parallelised federation calls in related functions
 2026-01-03 16:05:05 +00:00
timedout
bf200ad12d
fix: Resolve compile errors 
me and cargo check are oops now
 2025-12-31 20:01:29 +00:00
timedout
44851ee6a2
feat: Fall back to remote room summary if local fails 2025-12-31 20:01:29 +00:00
timedout
a7e6e6e83f
feat: Allow local server admins to bypass summary visibility checks 
feat: Allow local server admins to bypass summary visibility checks

Also improve error messages so they aren't so damn long.
 2025-12-31 20:01:29 +00:00
Terry
f8c1e9bcde
feat: Config defined admin list 
Closes !1246
 2025-12-31 19:35:40 +00:00
Olivia Lee
12aecf8091
validate membership events returned by remote servers 
This fixes a vulnerability where an attacker with a malicious remote
server and a user on the local server can trick the local server into
signing arbitrary events. The attacker issue a remote leave as the local
user to a room on the malicious server. Without any validation of the
make_leave response, the local server would sign the attacker-controlled
event and pass it back to the malicious server with send_leave.

The join and knock endpoints are also fixed in this commit, but are less
useful for exploitation because the local server replaces the "content"
field returned by the remote server. Remote invites are unaffected
because we already check that the event returned from /invite has the
same event ID as the event passed to it.

Co-authored-by: timedout <git@nexy7574.co.uk>
Co-authored-by: Jade Ellis <jade@ellis.link>
Co-authored-by: Ginger <ginger@gingershaped.computer>
 2025-12-30 15:24:45 +00:00