From 8f25d7d6717bedef6890b589fe94cf43fcd80896 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Commaille?= Date: Mon, 27 May 2024 12:35:21 +0200 Subject: [PATCH] Do not require UIA when first uploading cross-signing keys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As per MSC3967. Signed-off-by: Kévin Commaille --- data/api/client-server/cross_signing.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/data/api/client-server/cross_signing.yaml b/data/api/client-server/cross_signing.yaml index 0f3a46be..6f3313e0 100644 --- a/data/api/client-server/cross_signing.yaml +++ b/data/api/client-server/cross_signing.yaml @@ -19,11 +19,26 @@ paths: /keys/device_signing/upload: post: x-addedInMatrixVersion: "1.1" + x-changedInMatrixVersion: + "1.11": UIA is not always required for this endpoint. summary: Upload cross-signing keys. description: |- Publishes cross-signing keys for the user. This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api). + + User-Interactive Authentication is required, except in these cases: + - there is no existing cross-signing master key uploaded to the homeserver, OR + - there is an existing cross-signing master key and it exactly matches the + cross-signing master key provided in the request body. If there are any additional + keys provided in the request (self-signing key, user-signing key) they MUST also + match the existing keys stored on the server. In other words, the request contains + no new keys. + + This allows clients to freely upload 1 set of keys, but not modify/overwrite keys if + they already exist. By allowing clients to upload the same set of keys more than once, + this makes this endpoint idempotent in the case where the response is lost over the + network, which would otherwise cause a UIA challenge upon retry. operationId: uploadCrossSigningKeys security: - accessTokenQuery: []