tests: use stable MAS integration in Synapse (#30473)

* tests: use stable MAS integration in Synapse

* Automatically follow MAS main branch

* Update the pinned Synapse container image to latest develop

* Update element-web-playwright-common to 1.4.5

* Fix the typing of the MAS config

* Update playwright-common to 1.4.6

* Use the modern MAS -> Synapse API

* Relax MAS rate limiting

* Revert using the modern API explicitly, it is now the default

* Better adjust the MAS rate limits

Author: sandhose

.github/workflows/playwright-image-updates.yaml

@@ -21,6 +21,15 @@ jobs:
               env:
                   IMAGE: ghcr.io/element-hq/synapse:develop
 
+            - name: Update MAS image
+              run: |
+                  docker pull "$IMAGE"
+                  INSPECT=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
+                  DIGEST=${INSPECT#*@}
+                  sed -i "s/const TAG.*/const TAG = \"main@$DIGEST\";/" playwright/testcontainers/mas.ts
+              env:
+                  IMAGE: ghcr.io/element-hq/matrix-authentication-service:main
+
             - name: Create Pull Request
               id: cpr
               uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7

package.json

@@ -187,7 +187,7 @@
         "@babel/runtime": "^7.12.5",
         "@casualbot/jest-sonar-reporter": "2.2.7",
         "@element-hq/element-call-embedded": "0.14.1",
-        "@element-hq/element-web-playwright-common": "^1.4.4",
+        "@element-hq/element-web-playwright-common": "^1.4.6",
         "@peculiar/webcrypto": "^1.4.3",
         "@playwright/test": "^1.50.1",
         "@principalstudio/html-webpack-inject-preload": "^1.2.7",

playwright/e2e/oidc/oidc-native.spec.ts

@@ -95,10 +95,6 @@ test.describe("OIDC Native", { tag: ["@no-firefox", "@no-webkit"] }, () => {
             const result = await mas.manage("kill-sessions", userId);
             expect(result.output).toContain("Ended 1 active OAuth 2.0 session");
 
-            // Workaround for Synapse's 2 minute cache on MAS token validity
-            // (https://github.com/element-hq/synapse/pull/18231)
-            await homeserver.restart();
-
             await page.goto("http://localhost:8080");
             await expect(
                 page.getByText("For security, this session has been signed out. Please sign in again."),

playwright/plugins/homeserver/synapse/masHomeserver.ts

@@ -1,55 +1,60 @@
 /*
-Copyright 2024 New Vector Ltd.
+Copyright 2024-2025 New Vector Ltd.
 Copyright 2023 The Matrix.org Foundation C.I.C.
 
 SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
 Please see LICENSE files in the repository root for full details.
 */
 
-import { MatrixAuthenticationServiceContainer } from "@element-hq/element-web-playwright-common/lib/testcontainers";
-
+import { MatrixAuthenticationServiceContainer } from "../../../testcontainers/mas.ts";
 import { type Fixtures } from "../../../element-web-test.ts";
 
 export const masHomeserver: Fixtures = {
     mas: [
         async ({ _homeserver: homeserver, logger, network, postgres, mailpit }, use) => {
-            const config = {
-                clients: [
-                    {
-                        client_id: "0000000000000000000SYNAPSE",
-                        client_auth_method: "client_secret_basic",
-                        client_secret: "SomeRandomSecret",
-                    },
-                ],
-                matrix: {
-                    homeserver: "localhost",
-                    secret: "AnotherRandomSecret",
-                    endpoint: "http://homeserver:8008",
-                },
-            };
+            const secret = "AnotherRandomSecret";
 
+            const limits = { burst: 10, per_second: 10 };
             const container = await new MatrixAuthenticationServiceContainer(postgres)
                 .withNetwork(network)
                 .withNetworkAliases("mas")
                 .withLogConsumer(logger.getConsumer("mas"))
-                .withConfig(config)
+                .withConfig({
+                    matrix: {
+                        kind: "synapse",
+                        homeserver: "localhost",
+                        secret,
+                        endpoint: "http://homeserver:8008",
+                    },
+                    rate_limiting: {
+                        login: {
+                            per_ip: limits,
+                            per_account: limits,
+                        },
+                        registration: limits,
+                        email_authentication: {
+                            per_ip: limits,
+                            per_address: limits,
+                            emails_per_session: limits,
+                            attempt_per_session: limits,
+                        },
+                        account_recovery: {
+                            per_ip: limits,
+                            per_address: limits,
+                        },
+                    },
+                })
                 .start();
 
             homeserver.withConfig({
                 enable_registration: undefined,
                 enable_registration_without_verification: undefined,
                 disable_msisdn_registration: undefined,
                 password_config: undefined,
-                experimental_features: {
-                    msc3861: {
-                        enabled: true,
-                        issuer: `http://mas:8080/`,
-                        introspection_endpoint: "http://mas:8080/oauth2/introspect",
-                        client_id: config.clients[0].client_id,
-                        client_auth_method: config.clients[0].client_auth_method,
-                        client_secret: config.clients[0].client_secret,
-                        admin_token: config.matrix.secret,
-                    },
+                matrix_authentication_service: {
+                    enabled: true,
+                    endpoint: "http://mas:8080/",
+                    secret,
                 },
             });
 
@@ -59,28 +64,6 @@ export const masHomeserver: Fixtures = {
         { scope: "worker" },
     ],
 
-    config: async ({ homeserver, context, mas }, use) => {
-        const issuer = `${mas.baseUrl}/`;
-        const wellKnown = {
-            "m.homeserver": {
-                base_url: homeserver.baseUrl,
-            },
-            "org.matrix.msc2965.authentication": {
-                issuer,
-                account: `${issuer}account`,
-            },
-        };
-
-        // Ensure org.matrix.msc2965.authentication is in well-known
-        await context.route("https://localhost/.well-known/matrix/client", async (route) => {
-            await route.fulfill({ json: wellKnown });
-        });
-
-        await use({
-            default_server_config: wellKnown,
-        });
-    },
-
     context: async ({ homeserverType, context }, use, testInfo) => {
         testInfo.skip(homeserverType !== "synapse", "does not yet support MAS");
         await use(context);

playwright/testcontainers/mas.ts

@@ -0,0 +1,24 @@
+/*
+Copyright 2025 New Vector Ltd.
+
+SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
+Please see LICENSE files in the repository root for full details.
+*/
+
+import {
+    MatrixAuthenticationServiceContainer as BaseMatrixAuthenticationServiceContainer,
+    type StartedPostgreSqlContainer,
+} from "@element-hq/element-web-playwright-common/lib/testcontainers";
+
+const TAG = "main@sha256:ee8ce7523f6aeeee9abacb00021428f6f864347581ae23feb17303e55f633f13";
+
+/**
+ * MatrixAuthenticationServiceContainer which freezes the docker digest to
+ * stabilise tests, updated periodically by the `playwright-image-updates.yaml`
+ * workflow.
+ */
+export class MatrixAuthenticationServiceContainer extends BaseMatrixAuthenticationServiceContainer {
+    public constructor(db: StartedPostgreSqlContainer) {
+        super(db, `ghcr.io/element-hq/matrix-authentication-service:${TAG}`);
+    }
+}

yarn.lock

@@ -1726,10 +1726,10 @@
   resolved "https://registry.yarnpkg.com/@element-hq/element-web-module-api/-/element-web-module-api-1.4.1.tgz#a46526d58985190f9989bf1686ea872687d3c6e1"
   integrity sha512-A8yaQtX7QoKThzzZVU+VYOFhpiNyppEMuIQijK48RvhVp1nwmy0cTD6u/6Yn64saNwJjtna+Oy+Qzo/TfwwhxQ==
 
-"@element-hq/element-web-playwright-common@^1.4.4":
-  version "1.4.4"
-  resolved "https://registry.yarnpkg.com/@element-hq/element-web-playwright-common/-/element-web-playwright-common-1.4.4.tgz#d58dba7b5b4198f2fc137e1bdd1ad82c2cee46fb"
-  integrity sha512-QnWz8dlRuQHZYZT9ewrcN++l7gQ0Kf+oZwMCi0k1TBf8Za40r5ibNrgZqZYyCoItBc8LGTVL3yOrUfzN4Dm2Qw==
+"@element-hq/element-web-playwright-common@^1.4.6":
+  version "1.4.6"
+  resolved "https://registry.yarnpkg.com/@element-hq/element-web-playwright-common/-/element-web-playwright-common-1.4.6.tgz#a94d5d4ea94627aec430dd904c43f509a2e6c4b2"
+  integrity sha512-LJ4V6e6NrF2ikNCsxR93PFwDfcRUTY3b2reXwlFJeo44pj8vTYFxkuJwokibFx6+x1zkXWAIMh/0saTMRUXdSA==
   dependencies:
     "@axe-core/playwright" "^4.10.1"
     "@testcontainers/postgresql" "^11.0.0"
@@ -4714,13 +4714,14 @@
 
 "@vector-im/matrix-wysiwyg-wasm@link:../../../.cache/yarn/v6/npm-@vector-im-matrix-wysiwyg-2.39.0-a6238e517f23a2f3025d9c65445914771c63b163-integrity/node_modules/bindings/wysiwyg-wasm":
   version "0.0.0"
+  uid ""
 
 "@vector-im/[email protected]":
   version "2.39.0"
   resolved "https://registry.yarnpkg.com/@vector-im/matrix-wysiwyg/-/matrix-wysiwyg-2.39.0.tgz#a6238e517f23a2f3025d9c65445914771c63b163"
   integrity sha512-OROXnzPcQWrCMoUpIrCKEC4FYU+9SsRomUgu+VbJwWtBDkCbfvLD4z6w/mgiADw3iTUpBPgmcWJoGxesFuB20Q==
   dependencies:
-    "@vector-im/matrix-wysiwyg-wasm" "link:../../../.cache/yarn/v6/npm-@vector-im-matrix-wysiwyg-2.39.0-a6238e517f23a2f3025d9c65445914771c63b163-integrity/node_modules/bindings/wysiwyg-wasm"
+    "@vector-im/matrix-wysiwyg-wasm" "link:../../../Library/Caches/Yarn/v6/npm-@vector-im-matrix-wysiwyg-2.39.0-a6238e517f23a2f3025d9c65445914771c63b163-integrity/node_modules/bindings/wysiwyg-wasm"
 
 "@vitest/[email protected]":
   version "3.2.4"