This bot provides a two-step-registration for matrix (synapse).
This is done in several steps:
- potential new user registers on a bot-provided site
- user has to verify its mail address
- bot sends a message to predefined room with a registration notification.
- users in that room now can approve or decline the registration.
- When approved
- the bot creates short time credentials
- sends them to the user
- stores them encrypted in own databas or uses that as initial password for registration
There are two operation modes available:
operationMode=synapse
- No adjustments on your running environment are required. This bot uses the the Shared-Secret Registration of synapse to register the users.
operationMode=local
:- Bot handles user management. Therefore it stores the user-data and uses matrix-synapse-rest-auth to authenticate the users.
- This way it is possible to set the display name of a user on first login (first- and lastname instead of username)
- The email address of the user can be used to implement third party lookup (requires mxisd)
- search for users you have not seen yet but are available on the server
- Working PHP environment with
- database connection provider [one of sqlite, mysql, postgres]
- curl extension
- mail capability to interact with the users (verification, approval (+ initial password), notifications)
- either via sendmail or with credentials
- composer installed
- matrix-synapse-rest-auth when using
operationMode=local
git clone https://github.com/krombel/matrix-register-bot
cd matrix-register-bot
composer install
cp config.sample.php config.php
editor config.php
- Configure your webserver to have the folder
public
accessible via web.
When running operationMode=local
:
- Configure your webserver to provide the folder
internal
internally. This is only meant to be accessible by mxisd and matrix-synapse-rest-auth - To integrate with matrix-synapse-rest-auth:
/_matrix-internal/identity/v1/check_credentials
should map tointernal/login.php
- To integrate with mxisd: Have a look at the docs of mxisd and apply as follows:
Key | file which handles that | Description |
---|---|---|
rest.endpoints.auth | internal/login.php | Validate credentials and get user profile |
rest.endpoints.directory | internal/directory_search.php | Search for users by arbitrary input |
rest.endpoints.identity.single | internal/identity_single.php | Endpoint to query a single 3PID |
rest.endpoints.identity.bulk | internal/identity_bulk.php | Endpoint to query a list of 3PID |
Currently the passwords which are typed in while capturing the register request are stored in clear text.
The bot needs to access them to trigger a register request with correct credentials.
It is currently strongly recommended to set "getPasswordOnRegistration" => false
in your config!
This leads to autocreating passwords which will then be send to the users directly without storing it.
To allow users to change their pasword you need a reverse proxy which maps /_matrix/client/r0/account/password
to internal/intercept_change_password.php
.
Here is an example for nginx:
location /_matrix/client/r0/account/password {
proxy_pass http://localhost/mxbot/internal/intercept_change_password.php;
proxy_set_header X-Forwarded-For $remote_addr;
}
There is a cron.php which implements retries and database cleanups (e.g. to remove a username claim) For this run cron.php regularly with your system of choice. A suggested interval is once per day