Only allow C-S device scopes when the C-S API scope has been requested #5215
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
reivilibre
force-pushed
the
rei/devicelimit_policy
branch
from
d911dcd to
090fce6
Compare
It'd be weird for a client to request a device on the client-server API but yet not request any client-server API scopes to use it with. By adding this restriction, we can then create a partial index on the oauth2_sessions table to quickly identify sessions that have C-S API scopes and use this as a proxy metric for how many sessions may have device scopes. This in turn makes it feasible to efficiently limit the number of 'devices' a user has, or more precisely: the number of sessions with client-server API access. We can't do the same for device scopes themselves because, other than nastiness like parsing the JSON stringification of the scope list, it's not feasible to identify device scopes within a Postgres index predicate. Part of: #4339
reivilibre
force-pushed
the
rei/devicelimit_policy
branch
from
090fce6 to
e2a08d2
Compare
Deploying matrix-authentication-service-docs with
|
| Latest commit: |
58ffe37
|
| Status: | 🚫 Build failed. |
sandhose
approved these changes
Nov 5, 2025
| else ifeq ($(PODMAN), 1) | ||
| # When running rootless, the volume directory may need to be given global write permissions on the host | ||
| OPA := podman run -i -v $(shell pwd):/policies:ro:Z -w /policies --rm $(OPA_DOCKER_IMAGE) | ||
| OPA := podman run -i -v $(shell pwd):/policies:ro,Z -w /policies --rm $(OPA_DOCKER_IMAGE) |
Member
There was a problem hiding this comment.
did that change in podman or did this never work?
Contributor
Author
There was a problem hiding this comment.
I don't know, but it only has one opts field now
Co-authored-by: Quentin Gliech <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It'd be weird for a client to request a device on the client-server API but yet not request any client-server API scopes to use it with.
By adding this restriction, we can then create a partial index on the
oauth2_sessionstable to quickly identify sessions that have C-S API scopes and use this as a proxy metric for how many sessions may have device scopes.This in turn makes it feasible to efficiently limit the number of 'devices' a user has, or more precisely: the number of sessions with client-server API access.
We can't do the same for device scopes themselves because, other than nastiness like parsing the JSON stringification of the scope list, it's not feasible to identify device scopes within a Postgres index predicate.
Part of: #4339