fix(matrix): restore conservative Synapse rc_login limits + operator password floor#173
Draft
ndee wants to merge 1 commit into
Draft
fix(matrix): restore conservative Synapse rc_login limits + operator password floor#173ndee wants to merge 1 commit into
ndee wants to merge 1 commit into
Conversation
…password floor The generated homeserver.yaml hard-coded rc_login to per_second: 1000 / burst_count: 1000 across address, account, and failed_attempts, which effectively disables login brute-force protection. Synapse's /_matrix/client/v3/login is reverse-proxied on the public hostname and LAN, and the operator's Matrix password is the same credential the setup UI accepts, so an attacker could brute-force the operator credential directly against Synapse with no throttling or lockout. - Set rc_login limits to Synapse's conservative defaults (per_second: 0.17, burst_count: 3) for address, account, and failed_attempts, restoring brute-force throttling/lockout. - Require a minimum length (12) for the operator password when supplied at install time (operatorInstallInputSchema). Login verification keeps min(1) so already-provisioned operators are never locked out. - Update matrix.test.ts to assert the conservative limits ship (and that 1000/1000 never does); add operatorInstallInputSchema unit tests. Validated: biome lint, tsc, and the full unit suite (201 tests) pass.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The generated
homeserver.yamlhard-codesrc_logintoper_second: 1000/burst_count: 1000foraddress,account, andfailed_attempts— effectively disabling login brute-force protection.This matters because:
/_matrix/client/v3/loginis reverse-proxied on the public hostname / LAN (Caddy catch-all →synapse:8008).verifyOperatorPasswordPOSTs to that endpoint).So an attacker on the LAN (or the internet in relay/public-TLS modes) could iterate a password list against
/loginwith no throttling or lockout and, on success, obtain a full operator/homeserver-admin token.Fix
rc_loginlimits — Synapse defaultsper_second: 0.17, burst_count: 3foraddress,account, andfailed_attempts. This re-enables sustained-rate throttling (~10/min) and lockout on failed attempts.operatorInstallInputSchema). Login verification (contracts/auth.ts) deliberately keepsmin(1)so already-provisioned operators are never locked out by this tightening.Tests
src/system/matrix.test.ts: assert the conservative limits are rendered and that1000/1000is not present.src/contracts/install.test.ts: newoperatorInstallInputSchemacases (omitted password ok, at-minimum ok, below-minimum rejected).biomelint,tsc --noEmit, and the full unit suite (201 tests) pass locally.Notes
homeserver.yamlwith the new limits on next provision; the password floor only gates new install-time input.