Skip to content

feat: Optionally require S2S auth for the server /version endpoint#49

Open
jason-famedly wants to merge 1 commit intomasterfrom
jason/auth-fed-version
Open

feat: Optionally require S2S auth for the server /version endpoint#49
jason-famedly wants to merge 1 commit intomasterfrom
jason/auth-fed-version

Conversation

@jason-famedly
Copy link
Contributor

@jason-famedly jason-famedly commented Jun 30, 2025

Fixes: famedly/product-management (need a number)

Adds a new configuration setting possibility:

require_auth_for_server_version: false

true will mean no random people will be able to see what version a server is running without using a federation approved authentication. Defaults to false

A_26330 - Authentication of version queries
The Matrix Homeserver MUST authenticate outgoing requests to the /_matrix/federation/v1/version ¹ endpoint according to [Server-Server API/#request-authentication].

A_26331 - Rejection of unauthenticated version queries
The TI-M service MUST reject unauthenticated requests to the endpoint /_matrix/federation/v1/version ¹ with an HTTP 401 response.

Notes to consider: Famedly employees typically check that a server is online and responsive by checking this endpoint. This will no longer be viable. The client version of this end point is a potential work around. If a server endpoint is needed(due to workers or something) it may be possible to use the server keys endpoint instead

@jason-famedly jason-famedly force-pushed the jason/auth-fed-version branch from 926caab to 05c7b71 Compare June 30, 2025 18:20
@jason-famedly jason-famedly marked this pull request as ready for review June 30, 2025 18:20
@jason-famedly jason-famedly requested a review from a team as a code owner June 30, 2025 18:20
@itsoyou
Copy link
Contributor

itsoyou commented Jul 16, 2025

This looks good to me 💯, but 2 questions, do we need to align with other team about the version that contains this change?
and now we need to send authenticated requests, do we also need some change there? (I don't know where hehe)

@jason-famedly
Copy link
Contributor Author

jason-famedly commented Jul 22, 2025

This looks good to me 💯, but 2 questions, do we need to align with other team about the version that contains this change? and now we need to send authenticated requests, do we also need some change there? (I don't know where hehe)

Aligning with other teams, I suppose not?
And for sending authenticated requests for this endpoint: Nope. Synapse does not need to make that request and so does not have the code to make it already in place 🤷‍♂️

This change was a request made by gematik, but with zero clear use cases beyond obfuscating exactly which version of the homeserver(and it's branding/model/etc) is currently being run. As such, this work is complete but seems rather unnecessary and will just sit here for a time on the back burner of the stove 😆

@jason-famedly
feat: Optionally require S2S auth for the server /version endpoint
134bbcf 
Adds a new setting that defaults to 'False' for root level yaml
configuration

`require_auth_for_server_version`: boolean
@jason-famedly jason-famedly force-pushed the jason/auth-fed-version branch from 05c7b71 to 134bbcf Compare August 8, 2025 10:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jason-famedly @itsoyou