Skip to content

Do not send empty auth when setting up cross-signing keys #29914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

Do not send empty auth when setting up cross-signing keys #29914

wants to merge 2 commits into from
+3 −3

Conversation

gnieto
Copy link

@gnieto gnieto commented May 9, 2025

My understanding from the spec is that no auth parameter should be sent when starting a UIA flow. This section says that "A client should first make a request with no auth parameter" and this is not what element-web is doing (since it is sending an auth parameter with an empty dictionary).

In the upload cross-signing keys endpoint
documentation it says that type may be omitted if session is set, but in this specific case neither of the fields is set.

The proposed changes changes the empty dictionary for a null value in order to prevent the auth field to be sent.

Checklist

  • Tests written for new code (and old code if feasible).
  • New or updated public/exported symbols have accurate TSDoc documentation.
  • Linter and other CI checks pass.
  • I have licensed the changes to Element by completing the Contributor License Agreement (CLA)

@gnieto
Do not send empty auth when setting up cross-signing keys
53ad794 
My understanding from the spec is that no auth parameter should be sent
when starting a UIA flow. [This section](https://spec.matrix.org/v1.14/client-server-api/#user-interactive-api-in-the-rest-api)
says that "A client should first make a request with no auth parameter"
and this is not what element-web is doing (since it is sending an auth parameter with
an empty dictionary).

In the upload cross-signing keys endpoint
[documentation](https://spec.matrix.org/v1.14/client-server-api/#post_matrixclientv3keysdevice_signingupload_request_authentication-data)
it says that type may be omitted if session is set, but in this specific
case neither of the fields is set.
@gnieto gnieto requested a review from a team as a code owner May 9, 2025 16:16
@gnieto gnieto requested review from t3chguy and florianduros May 9, 2025 16:16
@github-actions github-actions bot added the Z-Community-PR Issue is solved by a community member's PR label May 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@t3chguy t3chguy Awaiting requested review from t3chguy t3chguy is a code owner automatically assigned from element-hq/element-web-reviewers

@florianduros florianduros Awaiting requested review from florianduros florianduros is a code owner automatically assigned from element-hq/element-web-reviewers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Z-Community-PR Issue is solved by a community member's PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@gnieto