From c89b5acce9b2a9d4abfc4b60a056052f23f536cb Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Mon, 4 Aug 2025 13:47:14 +0200 Subject: [PATCH 01/10] tests: use stable MAS integration in Synapse --- playwright/e2e/oidc/oidc-native.spec.ts | 4 -- .../homeserver/synapse/masHomeserver.ts | 44 +++---------------- 2 files changed, 5 insertions(+), 43 deletions(-) diff --git a/playwright/e2e/oidc/oidc-native.spec.ts b/playwright/e2e/oidc/oidc-native.spec.ts index 8b49942dd35..acb23c0a817 100644 --- a/playwright/e2e/oidc/oidc-native.spec.ts +++ b/playwright/e2e/oidc/oidc-native.spec.ts @@ -95,10 +95,6 @@ test.describe("OIDC Native", { tag: ["@no-firefox", "@no-webkit"] }, () => { const result = await mas.manage("kill-sessions", userId); expect(result.output).toContain("Ended 1 active OAuth 2.0 session"); - // Workaround for Synapse's 2 minute cache on MAS token validity - // (https://github.com/element-hq/synapse/pull/18231) - await homeserver.restart(); - await page.goto("http://localhost:8080"); await expect( page.getByText("For security, this session has been signed out. Please sign in again."), diff --git a/playwright/plugins/homeserver/synapse/masHomeserver.ts b/playwright/plugins/homeserver/synapse/masHomeserver.ts index 342737d80d4..c64d3061578 100644 --- a/playwright/plugins/homeserver/synapse/masHomeserver.ts +++ b/playwright/plugins/homeserver/synapse/masHomeserver.ts @@ -14,14 +14,8 @@ export const masHomeserver: Fixtures = { mas: [ async ({ _homeserver: homeserver, logger, network, postgres, mailpit }, use) => { const config = { - clients: [ - { - client_id: "0000000000000000000SYNAPSE", - client_auth_method: "client_secret_basic", - client_secret: "SomeRandomSecret", - }, - ], matrix: { + kind: "synapse", homeserver: "localhost", secret: "AnotherRandomSecret", endpoint: "http://homeserver:8008", @@ -40,16 +34,10 @@ export const masHomeserver: Fixtures = { enable_registration_without_verification: undefined, disable_msisdn_registration: undefined, password_config: undefined, - experimental_features: { - msc3861: { - enabled: true, - issuer: `http://mas:8080/`, - introspection_endpoint: "http://mas:8080/oauth2/introspect", - client_id: config.clients[0].client_id, - client_auth_method: config.clients[0].client_auth_method, - client_secret: config.clients[0].client_secret, - admin_token: config.matrix.secret, - }, + matrix_authentication_service: { + enabled: true, + endpoint: "http://mas:8080/", + secret: config.matrix.secret, }, }); @@ -59,28 +47,6 @@ export const masHomeserver: Fixtures = { { scope: "worker" }, ], - config: async ({ homeserver, context, mas }, use) => { - const issuer = `${mas.baseUrl}/`; - const wellKnown = { - "m.homeserver": { - base_url: homeserver.baseUrl, - }, - "org.matrix.msc2965.authentication": { - issuer, - account: `${issuer}account`, - }, - }; - - // Ensure org.matrix.msc2965.authentication is in well-known - await context.route("https://localhost/.well-known/matrix/client", async (route) => { - await route.fulfill({ json: wellKnown }); - }); - - await use({ - default_server_config: wellKnown, - }); - }, - context: async ({ homeserverType, context }, use, testInfo) => { testInfo.skip(homeserverType !== "synapse", "does not yet support MAS"); await use(context); From f35a2b36882f7e27b2daecc6d19fad12d32d667c Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Tue, 5 Aug 2025 10:20:40 +0200 Subject: [PATCH 02/10] Automatically follow MAS main branch --- .../workflows/playwright-image-updates.yaml | 9 +++++++ .../homeserver/synapse/masHomeserver.ts | 5 ++-- playwright/testcontainers/mas.ts | 24 +++++++++++++++++++ 3 files changed, 35 insertions(+), 3 deletions(-) create mode 100644 playwright/testcontainers/mas.ts diff --git a/.github/workflows/playwright-image-updates.yaml b/.github/workflows/playwright-image-updates.yaml index 4cbdb17bbd0..b7d2a168ef5 100644 --- a/.github/workflows/playwright-image-updates.yaml +++ b/.github/workflows/playwright-image-updates.yaml @@ -21,6 +21,15 @@ jobs: env: IMAGE: ghcr.io/element-hq/synapse:develop + - name: Update MAS image + run: | + docker pull "$IMAGE" + INSPECT=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE") + DIGEST=${INSPECT#*@} + sed -i "s/const TAG.*/const TAG = \"main@$DIGEST\";/" playwright/testcontainers/mas.ts + env: + IMAGE: ghcr.io/element-hq/matrix-authentication-service:main + - name: Create Pull Request id: cpr uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 diff --git a/playwright/plugins/homeserver/synapse/masHomeserver.ts b/playwright/plugins/homeserver/synapse/masHomeserver.ts index c64d3061578..8fcbcca4c81 100644 --- a/playwright/plugins/homeserver/synapse/masHomeserver.ts +++ b/playwright/plugins/homeserver/synapse/masHomeserver.ts @@ -1,13 +1,12 @@ /* -Copyright 2024 New Vector Ltd. +Copyright 2024-2025 New Vector Ltd. Copyright 2023 The Matrix.org Foundation C.I.C. SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial Please see LICENSE files in the repository root for full details. */ -import { MatrixAuthenticationServiceContainer } from "@element-hq/element-web-playwright-common/lib/testcontainers"; - +import { MatrixAuthenticationServiceContainer } from "../../../testcontainers/mas.ts"; import { type Fixtures } from "../../../element-web-test.ts"; export const masHomeserver: Fixtures = { diff --git a/playwright/testcontainers/mas.ts b/playwright/testcontainers/mas.ts new file mode 100644 index 00000000000..efca9c31daf --- /dev/null +++ b/playwright/testcontainers/mas.ts @@ -0,0 +1,24 @@ +/* +Copyright 2025 New Vector Ltd. + +SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial +Please see LICENSE files in the repository root for full details. +*/ + +import { + MatrixAuthenticationServiceContainer as BaseMatrixAuthenticationServiceContainer, + type StartedPostgreSqlContainer, +} from "@element-hq/element-web-playwright-common/lib/testcontainers"; + +const TAG = "main@sha256:1fc2f65aa2c88967bbf8e7cea74c9f87bdde0957274c882446f2d97adf15f663"; + +/** + * MatrixAuthenticationServiceContainer which freezes the docker digest to + * stabilise tests, updated periodically by the `playwright-image-updates.yaml` + * workflow. + */ +export class MatrixAuthenticationServiceContainer extends BaseMatrixAuthenticationServiceContainer { + public constructor(db: StartedPostgreSqlContainer) { + super(db, `ghcr.io/element-hq/matrix-authentication-service:${TAG}`); + } +} From fb72849e5335b72aa95c8206824e114f2316b151 Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Tue, 5 Aug 2025 10:24:11 +0200 Subject: [PATCH 03/10] Update the pinned Synapse container image to latest develop --- playwright/testcontainers/synapse.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playwright/testcontainers/synapse.ts b/playwright/testcontainers/synapse.ts index 4d675a2c5b8..6c8962abf2b 100644 --- a/playwright/testcontainers/synapse.ts +++ b/playwright/testcontainers/synapse.ts @@ -7,7 +7,7 @@ Please see LICENSE files in the repository root for full details. import { SynapseContainer as BaseSynapseContainer } from "@element-hq/element-web-playwright-common/lib/testcontainers"; -const TAG = "develop@sha256:8e478cf4f135467287c17687e80fd859f70db23e1d6cd35a853369ff423c9773"; +const TAG = "develop@sha256:2f6fff14ff23f356705abdbf2ed62c3dd6ca2103cef4ae813714ddc199bbd76a"; /** * SynapseContainer which freezes the docker digest to stabilise tests, From 2d6e93d34a3ed7cc5e74ad32f27f2a7660894d54 Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Tue, 5 Aug 2025 11:39:31 +0200 Subject: [PATCH 04/10] Update element-web-playwright-common to 1.4.5 --- package.json | 2 +- yarn.lock | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package.json b/package.json index 675120f452e..b363ca35943 100644 --- a/package.json +++ b/package.json @@ -187,7 +187,7 @@ "@babel/runtime": "^7.12.5", "@casualbot/jest-sonar-reporter": "2.2.7", "@element-hq/element-call-embedded": "0.13.1", - "@element-hq/element-web-playwright-common": "^1.4.4", + "@element-hq/element-web-playwright-common": "^1.4.5", "@peculiar/webcrypto": "^1.4.3", "@playwright/test": "^1.50.1", "@principalstudio/html-webpack-inject-preload": "^1.2.7", diff --git a/yarn.lock b/yarn.lock index b4fe445ee67..6c13147e5aa 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1687,10 +1687,10 @@ resolved "https://registry.yarnpkg.com/@element-hq/element-web-module-api/-/element-web-module-api-1.3.0.tgz#6067fa654174d1dd0953447bb036e38f9dfa51a5" integrity sha512-rEV0xnT/tNYPIdqHWWiz2KZo96UeZR0YChfoVLiPT46ZlEYyxqkjxT5bOm1eL2/CiYRe8t1yka3UDkIjq481/g== -"@element-hq/element-web-playwright-common@^1.4.4": - version "1.4.4" - resolved "https://registry.yarnpkg.com/@element-hq/element-web-playwright-common/-/element-web-playwright-common-1.4.4.tgz#d58dba7b5b4198f2fc137e1bdd1ad82c2cee46fb" - integrity sha512-QnWz8dlRuQHZYZT9ewrcN++l7gQ0Kf+oZwMCi0k1TBf8Za40r5ibNrgZqZYyCoItBc8LGTVL3yOrUfzN4Dm2Qw== +"@element-hq/element-web-playwright-common@^1.4.5": + version "1.4.5" + resolved "https://registry.yarnpkg.com/@element-hq/element-web-playwright-common/-/element-web-playwright-common-1.4.5.tgz#534b52bbb5ec43136182d9f3fab0e5aaaebe19a5" + integrity sha512-LS95fWX/CoP6dpJ1Eg56KtC+FFU1yYCsOmOg3xBYPNV6nm36hP0+aIy2QIyuz7638lvAgOrPuDGrV0J31NP1WQ== dependencies: "@axe-core/playwright" "^4.10.1" "@testcontainers/postgresql" "^11.0.0" @@ -4552,7 +4552,7 @@ resolved "https://registry.yarnpkg.com/@vector-im/matrix-wysiwyg/-/matrix-wysiwyg-2.39.0.tgz#a6238e517f23a2f3025d9c65445914771c63b163" integrity sha512-OROXnzPcQWrCMoUpIrCKEC4FYU+9SsRomUgu+VbJwWtBDkCbfvLD4z6w/mgiADw3iTUpBPgmcWJoGxesFuB20Q== dependencies: - "@vector-im/matrix-wysiwyg-wasm" "link:../../Library/Caches/Yarn/v6/npm-@vector-im-matrix-wysiwyg-2.39.0-a6238e517f23a2f3025d9c65445914771c63b163-integrity/node_modules/bindings/wysiwyg-wasm" + "@vector-im/matrix-wysiwyg-wasm" "link:../../../Library/Caches/Yarn/v6/npm-@vector-im-matrix-wysiwyg-2.39.0-a6238e517f23a2f3025d9c65445914771c63b163-integrity/node_modules/bindings/wysiwyg-wasm" "@vitest/expect@3.2.4": version "3.2.4" From 56c6496fb7b67d3b8088c15f42a40aca413bc98e Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Tue, 5 Aug 2025 11:46:25 +0200 Subject: [PATCH 05/10] Fix the typing of the MAS config --- .../homeserver/synapse/masHomeserver.ts | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/playwright/plugins/homeserver/synapse/masHomeserver.ts b/playwright/plugins/homeserver/synapse/masHomeserver.ts index 8fcbcca4c81..99b6b3dec7d 100644 --- a/playwright/plugins/homeserver/synapse/masHomeserver.ts +++ b/playwright/plugins/homeserver/synapse/masHomeserver.ts @@ -12,20 +12,20 @@ import { type Fixtures } from "../../../element-web-test.ts"; export const masHomeserver: Fixtures = { mas: [ async ({ _homeserver: homeserver, logger, network, postgres, mailpit }, use) => { - const config = { - matrix: { - kind: "synapse", - homeserver: "localhost", - secret: "AnotherRandomSecret", - endpoint: "http://homeserver:8008", - }, - }; + const secret = "AnotherRandomSecret"; const container = await new MatrixAuthenticationServiceContainer(postgres) .withNetwork(network) .withNetworkAliases("mas") .withLogConsumer(logger.getConsumer("mas")) - .withConfig(config) + .withConfig({ + matrix: { + kind: "synapse", + homeserver: "localhost", + secret, + endpoint: "http://homeserver:8008", + }, + }) .start(); homeserver.withConfig({ @@ -36,7 +36,7 @@ export const masHomeserver: Fixtures = { matrix_authentication_service: { enabled: true, endpoint: "http://mas:8080/", - secret: config.matrix.secret, + secret, }, }); From ce92765d1dd13ba3821153ce2076b5fc07cd2828 Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Tue, 5 Aug 2025 12:23:01 +0200 Subject: [PATCH 06/10] Update playwright-common to 1.4.6 --- package.json | 2 +- yarn.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index b363ca35943..18ebae22d54 100644 --- a/package.json +++ b/package.json @@ -187,7 +187,7 @@ "@babel/runtime": "^7.12.5", "@casualbot/jest-sonar-reporter": "2.2.7", "@element-hq/element-call-embedded": "0.13.1", - "@element-hq/element-web-playwright-common": "^1.4.5", + "@element-hq/element-web-playwright-common": "^1.4.6", "@peculiar/webcrypto": "^1.4.3", "@playwright/test": "^1.50.1", "@principalstudio/html-webpack-inject-preload": "^1.2.7", diff --git a/yarn.lock b/yarn.lock index 6c13147e5aa..8e5b30aed10 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1687,10 +1687,10 @@ resolved "https://registry.yarnpkg.com/@element-hq/element-web-module-api/-/element-web-module-api-1.3.0.tgz#6067fa654174d1dd0953447bb036e38f9dfa51a5" integrity sha512-rEV0xnT/tNYPIdqHWWiz2KZo96UeZR0YChfoVLiPT46ZlEYyxqkjxT5bOm1eL2/CiYRe8t1yka3UDkIjq481/g== -"@element-hq/element-web-playwright-common@^1.4.5": - version "1.4.5" - resolved "https://registry.yarnpkg.com/@element-hq/element-web-playwright-common/-/element-web-playwright-common-1.4.5.tgz#534b52bbb5ec43136182d9f3fab0e5aaaebe19a5" - integrity sha512-LS95fWX/CoP6dpJ1Eg56KtC+FFU1yYCsOmOg3xBYPNV6nm36hP0+aIy2QIyuz7638lvAgOrPuDGrV0J31NP1WQ== +"@element-hq/element-web-playwright-common@^1.4.6": + version "1.4.6" + resolved "https://registry.yarnpkg.com/@element-hq/element-web-playwright-common/-/element-web-playwright-common-1.4.6.tgz#a94d5d4ea94627aec430dd904c43f509a2e6c4b2" + integrity sha512-LJ4V6e6NrF2ikNCsxR93PFwDfcRUTY3b2reXwlFJeo44pj8vTYFxkuJwokibFx6+x1zkXWAIMh/0saTMRUXdSA== dependencies: "@axe-core/playwright" "^4.10.1" "@testcontainers/postgresql" "^11.0.0" From 06ad2b98fcbfe7b413fa62f2bbeca7fdd0cc7d7e Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Tue, 5 Aug 2025 14:56:27 +0200 Subject: [PATCH 07/10] Use the modern MAS -> Synapse API --- playwright/plugins/homeserver/synapse/masHomeserver.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playwright/plugins/homeserver/synapse/masHomeserver.ts b/playwright/plugins/homeserver/synapse/masHomeserver.ts index 99b6b3dec7d..148a03003d2 100644 --- a/playwright/plugins/homeserver/synapse/masHomeserver.ts +++ b/playwright/plugins/homeserver/synapse/masHomeserver.ts @@ -20,7 +20,7 @@ export const masHomeserver: Fixtures = { .withLogConsumer(logger.getConsumer("mas")) .withConfig({ matrix: { - kind: "synapse", + kind: "synapse_modern", homeserver: "localhost", secret, endpoint: "http://homeserver:8008", From adac66353a82ab21a3372c4db7c99287aec8a833 Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Tue, 5 Aug 2025 15:16:14 +0200 Subject: [PATCH 08/10] Relax MAS rate limiting --- .../homeserver/synapse/masHomeserver.ts | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/playwright/plugins/homeserver/synapse/masHomeserver.ts b/playwright/plugins/homeserver/synapse/masHomeserver.ts index 148a03003d2..6f9d9a0f82e 100644 --- a/playwright/plugins/homeserver/synapse/masHomeserver.ts +++ b/playwright/plugins/homeserver/synapse/masHomeserver.ts @@ -25,6 +25,24 @@ export const masHomeserver: Fixtures = { secret, endpoint: "http://homeserver:8008", }, + rate_limiting: { + login: { + burst: 10, + per_second: 10, + }, + registration: { + burst: 10, + per_second: 10, + }, + email_authentication: { + burst: 10, + per_second: 10, + }, + account_recovery: { + burst: 10, + per_second: 10, + }, + }, }) .start(); From 0f913ff6898deb6fd0aaf09b954e14f8daae1878 Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Tue, 5 Aug 2025 18:02:06 +0200 Subject: [PATCH 09/10] Revert using the modern API explicitly, it is now the default --- playwright/plugins/homeserver/synapse/masHomeserver.ts | 2 +- playwright/testcontainers/mas.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playwright/plugins/homeserver/synapse/masHomeserver.ts b/playwright/plugins/homeserver/synapse/masHomeserver.ts index 6f9d9a0f82e..4621bf0a7f9 100644 --- a/playwright/plugins/homeserver/synapse/masHomeserver.ts +++ b/playwright/plugins/homeserver/synapse/masHomeserver.ts @@ -20,7 +20,7 @@ export const masHomeserver: Fixtures = { .withLogConsumer(logger.getConsumer("mas")) .withConfig({ matrix: { - kind: "synapse_modern", + kind: "synapse", homeserver: "localhost", secret, endpoint: "http://homeserver:8008", diff --git a/playwright/testcontainers/mas.ts b/playwright/testcontainers/mas.ts index efca9c31daf..6ee49ba6ef7 100644 --- a/playwright/testcontainers/mas.ts +++ b/playwright/testcontainers/mas.ts @@ -10,7 +10,7 @@ import { type StartedPostgreSqlContainer, } from "@element-hq/element-web-playwright-common/lib/testcontainers"; -const TAG = "main@sha256:1fc2f65aa2c88967bbf8e7cea74c9f87bdde0957274c882446f2d97adf15f663"; +const TAG = "main@sha256:ee8ce7523f6aeeee9abacb00021428f6f864347581ae23feb17303e55f633f13"; /** * MatrixAuthenticationServiceContainer which freezes the docker digest to From bab0318479831938b762557749fc89e3ee8d76d3 Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Tue, 5 Aug 2025 18:25:46 +0200 Subject: [PATCH 10/10] Better adjust the MAS rate limits --- .../homeserver/synapse/masHomeserver.ts | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/playwright/plugins/homeserver/synapse/masHomeserver.ts b/playwright/plugins/homeserver/synapse/masHomeserver.ts index 4621bf0a7f9..84d73018fc1 100644 --- a/playwright/plugins/homeserver/synapse/masHomeserver.ts +++ b/playwright/plugins/homeserver/synapse/masHomeserver.ts @@ -14,6 +14,7 @@ export const masHomeserver: Fixtures = { async ({ _homeserver: homeserver, logger, network, postgres, mailpit }, use) => { const secret = "AnotherRandomSecret"; + const limits = { burst: 10, per_second: 10 }; const container = await new MatrixAuthenticationServiceContainer(postgres) .withNetwork(network) .withNetworkAliases("mas") @@ -27,20 +28,19 @@ export const masHomeserver: Fixtures = { }, rate_limiting: { login: { - burst: 10, - per_second: 10, - }, - registration: { - burst: 10, - per_second: 10, + per_ip: limits, + per_account: limits, }, + registration: limits, email_authentication: { - burst: 10, - per_second: 10, + per_ip: limits, + per_address: limits, + emails_per_session: limits, + attempt_per_session: limits, }, account_recovery: { - burst: 10, - per_second: 10, + per_ip: limits, + per_address: limits, }, }, })