From 9e89c4ced3d4902a9a1bd719bbdf4adb23eff920 Mon Sep 17 00:00:00 2001
From: Andrew Ferrazzutti
Date: Wed, 3 Sep 2025 15:36:42 -0400
Subject: [PATCH] Add example docker compose; fix dynamic reg
---
 README.md | 2 +
 backend/dev_homeserver.yaml | 9 +-
 backend/dev_mas.yaml | 96 ++++++++++++++++++++++++++++++++
 backend/dev_nginx.conf | 17 ++++++
 config/config.devenv.json | 3 +
 dev-backend-docker-compose.yml | 27 +++++++++
 src/App.tsx | 2 +-
 src/config/ConfigOptions.ts | 2 -
 src/utils/oidc/callbackUrl.ts | 2 +-
 src/utils/oidc/registerClient.ts | 1 +
 10 files changed, 153 insertions(+), 8 deletions(-)
 create mode 100644 backend/dev_mas.yaml
diff --git a/README.md b/README.md
index 8ca7fa96..e0789fc0 100644
--- a/README.md
+++ b/README.md
@@ -209,6 +209,7 @@ A docker compose file `dev-backend-docker-compose.yml` is provided to start the
 whole stack of components which is required for a local development environment:
 - Minimum Synapse Setup (servername: `synapse.m.localhost`)
+- Matrix Authentication Service Setup (issuer: `mas.m.localhost`)
 - MatrixRTC Authorization Service (Note requires Federation API and hence a TLS reverse proxy)
 - Minimum LiveKit SFU Setup using dev defaults for config
 - Redis db for completeness
@@ -218,6 +219,7 @@ whole stack of components which is required for a local development environment:
 certificates
 - Minimum TLS reverse proxy for
 - Synapse homeserver: `synapse.m.localhost`
+ - Matrix Authentication Service: `mas.m.localhost`
 - MatrixRTC backend: `matrix-rtc.m.localhost`
 - Local Element Call development `call.m.localhost` via `yarn dev --host `
 - Element Web `app.m.localhost`
diff --git a/backend/dev_homeserver.yaml b/backend/dev_homeserver.yaml
index eab4e698..6425dbf4 100644
--- a/backend/dev_homeserver.yaml
+++ b/backend/dev_homeserver.yaml
@@ -12,6 +12,11 @@ listeners:
 - names: [client, federation, openid]
 compress: false
+matrix_authentication_service:
+ enabled: true
+ secret: "mas-matrix-secret"
+ endpoint: http://mas:8080
+
 database:
 name: sqlite3
 args:
@@ -46,9 +51,5 @@ rc_message:
 per_second: 0.5
 burst_count: 30
-# Required for Element Call in Single Page Mode due to on-the-fly user registration
-enable_registration: true
-enable_registration_without_verification: true
-
 report_stats: false
 serve_server_wellknown: true
diff --git a/backend/dev_mas.yaml b/backend/dev_mas.yaml
new file mode 100644
index 00000000..54a87625
--- /dev/null
+++ b/backend/dev_mas.yaml
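Review bot: `secret: "mas-matrix-secret"` in the new `matrix_authentication_service` block is a fixed shared secret committed in plaintext, and the same literal is repeated in `backend/dev_mas.yaml` in this patch, so the two copies can drift silently if either file is edited. That is acceptable for a throwaway dev stack but nothing in the file says so; a comment above the block such as `# Dev-only shared secret; must match matrix.secret in backend/dev_mas.yaml. Never reuse outside the local compose stack.` would make both constraints visible to anyone copying this file as a template. The second hunk removes `enable_registration` and `enable_registration_without_verification` together with the comment explaining that Single Page Mode relied on on-the-fly registration, while the compose file added in this patch points at `mas-cli manage register-user` for creating users; the README or a replacement comment should state how that flow is now expected to work with MAS in front.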
@@ -0,0 +1,96 @@
+http:
+ listeners:
+ - name: web
+ resources:
+ - name: discovery
+ - name: human
+ - name: oauth
+ - name: assets
+ - name: adminapi
+ binds:
+ - address: '[::]:8080'
+ proxy_protocol: false
+ trusted_proxies:
+ - 192.168.0.0/16
+ - 172.16.0.0/12
+ - 10.0.0.0/10
+ - 127.0.0.1/8
+ - fd00::/8
+ - ::1/128
+ public_base: https://mas.m.localhost/
+database:
+ uri: postgres://postgres@mas-db/mas
+ max_connections: 10
+ min_connections: 0
+ connect_timeout: 30
+ idle_timeout: 600
+ max_lifetime: 1800
+email:
+ from: '"Authentication Service" '
+ reply_to: '"Authentication Service" '
+ transport: blackhole
+secrets:
+ encryption: 91c9eda308d874d1b8ba51c0fe3b7cbb868638c8fbb82d7eec0e6912586bdabd
+ keys:
+ - kid: H30QE7M5eX
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIEogIBAAKCAQEA3+t9XjM8LhYMpagIKXnpTXVWxIo5zwM/R8wYRPg0MPGCrOUB
+ i/L/Vof4yK7lIMWtCT724e989PLR4YmG2pXBpB8P7SZ3feggLoUMi8+QNzyKsGD+
+ lYmZd0D/2aVmxBxK83JP3LLodmoHduva2qSBF9YdZ6Greg/IcEdG2UY3iGYeojsQ
+ 1Wx7V2+WPeUCtaIONBPk/rwOgWmzAhqGyCXONbvGazElNEuM0fwI278qveP5kNoh
+ aL6HvlaYQbMSGAg1tf06AKOjsJG0CRsvsMdFxuG9GEwd4pJr9+v+OqwnaFJHJ70z
+ kQFC3s/w+xCk4NnO+jSopBptu8ycwjZYMuq2kQIDAQABAoIBAHbDqFL2Sc0H1N1o
+ KiwVhTCYM9U6mz65Mi8aiSTLoKL09aJONGvODrAOnl2SpeSj9AsbYkajh1tEDx3Y
+ m7YECBjMgN3/sREOtUL3PphJFuy1J7o1N9KIkOU3jHwbxk3t07MbxlAAdFuaESt6
+ HTIqXm4OGrqEfTbYeC9VHrbPD1VAFj/OGHsYDurJzhfIlFSlZWZqHNjdNh2HAOJM
+ FElqJWqqR9fj2pYYdpo+oaheI/iIAuWpAgcZOJzaZ4iui4R9i4od+qqQ3EVECPvS
+ /QnezvDpiobShG6WOmrRj3WBtheiPLdNlNB0sVW9h3dHcrkE/l2n5pfArVbHB+wg
+ 4e5FEAECgYEA4XjB6hpN1iX66ADf27L5mHymu1hTojZLoQdy76OcjgG+4ZoQl71U
+ OAww4ek9I6Alz+aQqTAnRtLHBKH+xSuO2VoxQfimk71mUmByCr25vIU8mGtXRIJO
+ rtWEVE4HQPhK2LODLm5zbp3I1GsrfNgMCsuA/yse5MIczC8bRFyf+DECgYEA/jzx
+ ddl1asjArcFcQyKFJxdobNqYJ4P+rbDLIOmC9IQ8n/v+ETERCzj/y93yaXXqCBlR
+ uHDzo72F/+SYDDWGYanpRmN2cUv1A0XTUs+dWYjfrscFJUEx8CZh0GeoLE4H3uru
+ GlwqPnc9sMPee98mj4yDMyrNqLx/VaXV+wnpbGECgYAh4JoKSa9+SLCdYVxBT2/v
+ OHN43LmcOto8NLlRRl0EfUCn9xUdJ4Za8YH6v6e/DZYA2dzMfv63xn2+tXRpPbU1
+ 9TZHekvVEPUp1XHtKTqaF87V+/LdyVJ3NH+whxTR7zyXuMkyFchkS3Lcb8nV9URB
+ 7vfP3zPCHWRkTYOkTuJ+UQKBgFCrj8ZgMOSoPJMlppvayTtFLypTFjJ7rIT6cwnH
+ bnkduIrfD5fu5MSV2nyauT+DXbYiKo8GsBhFm849f41oMnKs0ks2Zi++9UiLkGlX
+ XUs6phc0KUrP7AOSejkBmxgrzk2KZ/DPS8w0U8vR6reNcBPedwb2Tvl6jkDj9QjJ
+ 9VohAoGAISjlufqw3y8F/0on1AhqyROlJghTBsQ+xDEBZ9txx/HcKVghqMhBCbFj
+ LRf8B4vH9QXtlZVtPFj0wE3INxsYtilsbD8wbwkxsLeGUFdPDucPacfBSyX+wLRh
+ S1/twrPS9KVhkU5d0TbyfOlEB1OSXZTWZ1n9NaqOZUPf6FAwm78=
+ -----END RSA PRIVATE KEY-----
+ - kid: VrRd3Y2OeF
+ key: |
+ -----BEGIN EC PRIVATE KEY-----
+ MHcCAQEEIB3zBxhuh275A3piMMDZ2BEM6vsoxswNLrTJRiaY+m80oAoGCCqGSM49
+ AwEHoUQDQgAECqFotDpyEYNrWf2UZaUB0CZz6KiptQL2wi8oRNkKlarjgDDNCBzR
+ dgCokx9C8bLpfqhTJE/6aSe6T19qkaPHIg==
+ -----END EC PRIVATE KEY-----
+ - kid: SHaCwxflXU
+ key: |
+ -----BEGIN EC PRIVATE KEY-----
+ MIGkAgEBBDCdchyP7aFxQce7vA+QMPkMkOaYKbmNoN1fnlKviKsJK1riq+1eKSEe
+ UeUF5BOczfugBwYFK4EEACKhZANiAAR1pIE4xN9xkULiCgMd/uztt4Lnu8FhvEZD
+ 3BhUfy5kdBVbYyk1khgKy3k+dQvXaTVkzsHkQN8K78WxlUDlF5zKXLjgkeEiqgz7
+ HU0rr2e8geUiaEE2AkzWhvmIikvhuMo=
+ -----END EC PRIVATE KEY-----
+ - kid: ngjUaMfCuT
+ key: |
+ -----BEGIN EC PRIVATE KEY-----
+ MHQCAQEEIE11jnxjUvPk93ylMuIcwcayJsFUhsSH2EqAn97CiHf8oAcGBSuBBAAK
+ oUQDQgAE1XySwFNBUkzZ946MBf2/3ecXVptrauZEQ8d8zqUdBS7wOe5pZwZ15Jx4
+ aZhlusZ3BPl0KiTlWwOlaRDMrw9EGA==
+ -----END EC PRIVATE KEY-----
+passwords:
+ enabled: true
+ schemes:
+ - version: 1
+ algorithm: argon2id
+ minimum_complexity: 0
+matrix:
+ kind: synapse
+ homeserver: synapse.m.localhost
+ secret: "mas-matrix-secret"
+ endpoint: http://homeserver:8008/
diff --git a/backend/dev_nginx.conf b/backend/dev_nginx.conf
index a29b06d7..817363bb 100644
--- a/backend/dev_nginx.conf
+++ b/backend/dev_nginx.conf
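Review bot: The new file commits the `encryption` secret and four private signing keys (`kid` H30QE7M5eX, VrRd3Y2OeF, SHaCwxflXU, ngjUaMfCuT) in plaintext, so any MAS instance started from this file issues tokens that anyone with read access to the repository can forge; the file has no header saying this, and it is exactly the kind of file that gets copied as a starting point. Add a comment at the top such as `# DEV ONLY: every secret and signing key in this file is public. Never reuse them or this file outside the local compose stack; generate fresh values with mas-cli config generate.` and note under it that `minimum_complexity: 0`, the `blackhole` mail transport and the password-less `postgres://postgres@mas-db/mas` URI are deliberate dev-only choices. `trusted_proxies` lists `10.0.0.0/10`, which covers only 10.0.0.0–10.63.255.255; if the intent is the RFC 1918 block it should read `- 10.0.0.0/8`, though compose-managed networks usually land in the 172.16.0.0/12 or 192.168.0.0/16 ranges that are also listed, so it is unlikely to bite here. `matrix.endpoint: http://homeserver:8008/` assumes the Synapse container is reachable as `homeserver`; that service's hostname is outside the compose hunk in this patch, so please confirm it matches.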
@@ -40,6 +40,23 @@ server {
 }
+# Matrix Authentication Server reverse proxy
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name mas.m.localhost;
+ ssl_certificate /root/ssl/cert.pem;
+ ssl_certificate_key /root/ssl/key.pem;
+
+ location / {
+ proxy_pass "http://mas:8080";
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+}
+
 # MatrixRTC reverse proxy
 # - MatrixRTC Authorization Service
 # - LiveKit SFU websocket signaling connection
diff --git a/config/config.devenv.json b/config/config.devenv.json
index df0ff4c1..6f947042 100644
--- a/config/config.devenv.json
+++ b/config/config.devenv.json
@@ -15,5 +15,8 @@
 "delayed_leave_event_delay_ms": 18000,
 "delayed_leave_event_restart_ms": 4000,
 "network_error_retry_ms": 100
+ },
+ "oidc_metadata": {
+ "client_name": "Element Call (dev)"
 }
 }
diff --git a/dev-backend-docker-compose.yml b/dev-backend-docker-compose.yml
index e6180710..45856067 100644
--- a/dev-backend-docker-compose.yml
+++ b/dev-backend-docker-compose.yml
@@ -68,6 +68,31 @@ services:
 volumes:
 - ./backend/synapse_tmp:/data:Z
 - ./backend/dev_homeserver.yaml:/data/cfg/homeserver.yaml:Z
+ depends_on:
+ - mas
+ networks:
+ - ecbackend
+
+ mas:
+ # To add users, see `docker exec element-call-mas-1 mas-cli manage register-user -h`
+ image: ghcr.io/element-hq/matrix-authentication-service:latest
+ pull_policy: always
+ hostname: mas
+ volumes:
+ - ./backend/dev_mas.yaml:/config.yaml:ro,Z
+ depends_on:
+ - mas-db
+ networks:
+ - ecbackend
+
+ mas-db:
+ image: docker.io/postgres:16-alpine
+ hostname: mas-db
+ restart: always
+ shm_size: 128mb
+ environment:
+ - POSTGRES_HOST_AUTH_METHOD=trust
+ - POSTGRES_DB=mas
 networks:
 - ecbackend
@@ -101,7 +126,9 @@ services:
 - "host.docker.internal:host-gateway"
 depends_on:
 - synapse
+ - mas
 networks:
 ecbackend:
 aliases:
+ - mas.m.localhost
 - matrix-rtc.m.localhost
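Review bot: The new `mas.m.localhost` server block forwards `X-Forwarded-For` but neither the original scheme nor the original `Host`, so the upstream only sees a plain-HTTP request to `mas:8080` with a proxy address; `public_base` is pinned to `https://mas.m.localhost/` in `backend/dev_mas.yaml`, so URL generation should be unaffected, but a TLS-terminating proxy conventionally also sends `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header Host $host;` so the upstream can tell the client connection was HTTPS, and it would be worth checking whether the other reverse-proxy blocks in this file (outside the hunk) already do so. `error_page 500 502 503 504 /50x.html;` is declared with only `location /` in this block, so the internal redirect to `/50x.html` is proxied to the same upstream that just failed rather than served locally; either add a `location = /50x.html` with a local `root`, or drop the directive if the sibling blocks do not define one either.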
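Review bot: `image: ghcr.io/element-hq/matrix-authentication-service:latest` combined with `pull_policy: always` re-resolves a moving tag on every start, so a MAS release can change the OIDC flow under test or the schema expected by `backend/dev_mas.yaml` with no change in this repository; pin it the way `docker.io/postgres:16-alpine` is pinned, e.g. `image: ghcr.io/element-hq/matrix-authentication-service:<pinned-version>`, and bump deliberately. `depends_on` only orders container start, so `mas` may start before `mas-db` accepts connections and `synapse` before MAS is serving; if startup proves flaky, a `healthcheck` on `mas-db` with `condition: service_healthy` is the usual fix. `POSTGRES_HOST_AUTH_METHOD=trust` makes the database reachable without credentials from every container on `ecbackend`, which matches the password-less URI in `dev_mas.yaml` and is fine for a throwaway stack, but a one-line comment next to it (`# dev only: no DB auth, reachable by every container on ecbackend`) would stop it being copied into anything persistent. The same applies to the second hunk, which only wires `mas` into the nginx service's `depends_on` and aliases.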
diff --git a/src/App.tsx b/src/App.tsx
index ba810aef..2fda77ad 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -89,7 +89,7 @@ export const App: FC = ({ vm }) => {
 } />
 } />
- } />
+ } />
 } />
 } />
diff --git a/src/config/ConfigOptions.ts b/src/config/ConfigOptions.ts
index 0e3a7c06..cfe608d9 100644
--- a/src/config/ConfigOptions.ts
+++ b/src/config/ConfigOptions.ts
@@ -163,9 +163,7 @@ export interface ConfigOptions {
 oidc_metadata?: {
 client_name?: string;
 client_uri?: string;
- redirect_uris?: string[];
 logo_uri?: string;
- application_type?: string;
 tos_uri?: string;
 policy_uri?: string;
 contacts?: string[];
diff --git a/src/utils/oidc/callbackUrl.ts b/src/utils/oidc/callbackUrl.ts
index c5e0186a..85528515 100644
--- a/src/utils/oidc/callbackUrl.ts
+++ b/src/utils/oidc/callbackUrl.ts
@@ -10,5 +10,5 @@ Please see LICENSE in the repository root for full details.
 */
 export function getOidcCallbackUrl(): URL {
 // TODO: save the path somewhere
- return new URL("after_login", window.location.origin);
+ return new URL("after-login", window.location.origin);
 }
\ No newline at end of file
diff --git a/src/utils/oidc/registerClient.ts b/src/utils/oidc/registerClient.ts
index 1a1d5e9e..02675dbc 100644
--- a/src/utils/oidc/registerClient.ts
+++ b/src/utils/oidc/registerClient.ts
@@ -51,6 +51,7 @@ export async function getOidcClientId(
 {
 clientName: config.oidc_metadata?.client_name ?? "Element Call",
 clientUri: config.oidc_metadata?.client_uri ?? window.location.origin,
+ logoUri: config.oidc_metadata?.logo_uri,
 redirectUris: [getOidcCallbackUrl().href],
 applicationType: "web",
 contacts: config.oidc_metadata?.contacts,
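Review bot: `getOidcCallbackUrl` now returns `…/after-login`, and because `registerClient.ts` sends exactly this value as `redirectUris` during dynamic registration, the provider will refuse an authorization request whose `redirect_uri` differs from the registered one by even one character; if a client_id obtained before this change is persisted anywhere (not visible in this patch), it is bound to the old `after_login` path and login will fail until the client is re-registered. A route in `src/App.tsx` is changed in the same patch (its JSX is stripped in this rendering), so the two are presumably kept in sync, but the coupling is only implicit. Replace `// TODO: save the path somewhere` with a comment stating the invariant, e.g. `// Must match the after-login route in App.tsx and the redirect_uri registered in registerClient.ts; providers require an exact match.` The file also still lacks a trailing newline (`\ No newline at end of file`).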
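Review bot: `logoUri: config.oidc_metadata?.logo_uri` forwards an operator-supplied string to the provider's dynamic-registration endpoint without any shape check, and providers may reject a `logo_uri` that is not an absolute `https` URL (MAS in particular validates these metadata URLs, I believe including their host relative to `client_uri`); since such a rejection fails the whole registration rather than just the logo, one malformed config value breaks login entirely. Either validate up front — `new URL(logo_uri)` inside a try/catch, omitting the field on failure — or document the expected form on `logo_uri` in `ConfigOptions.ts`, whose hunk in this patch removes `redirect_uris` and `application_type` from the type, consistent with this function hard-coding `redirectUris` and `applicationType: "web"`. `getOidcClientId` starts before the hunk, so where the registration result is cached is not visible here.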