From f048f87daccc250049fb3bad3c7ef684c764f7aa Mon Sep 17 00:00:00 2001 From: Jason Volk Date: Sat, 24 Jan 2026 03:01:56 +0000 Subject: [PATCH] Split `login_via_existing_session` conf item to `login_via_token`. Signed-off-by: Jason Volk --- src/api/client/session/token.rs | 4 ++-- src/core/config/mod.rs | 18 ++++++++++++++++-- tuwunel-example.toml | 14 ++++++++++++-- 3 files changed, 30 insertions(+), 6 deletions(-) diff --git a/src/api/client/session/token.rs b/src/api/client/session/token.rs index 8f00b7c6..955902a5 100644 --- a/src/api/client/session/token.rs +++ b/src/api/client/session/token.rs @@ -22,7 +22,7 @@ pub(super) async fn handle_login( ) -> Result { let Token { token } = info; - if !services.config.login_via_existing_session { + if !services.config.login_via_token { return Err!(Request(Unknown("Token login is not enabled."))); } @@ -41,7 +41,7 @@ pub(crate) async fn login_token_route( InsecureClientIp(client): InsecureClientIp, body: Ruma, ) -> Result { - if !services.config.login_via_existing_session { + if !services.config.login_via_existing_session || !services.config.login_via_token { return Err!(Request(Forbidden("Login via an existing session is not enabled"))); } diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs index a4222f19..c60c0043 100644 --- a/src/core/config/mod.rs +++ b/src/core/config/mod.rs @@ -954,11 +954,25 @@ pub struct Config { /// Allow an existing session to mint a login token for another client. /// This requires interactive authentication, but has security ramifications /// as a malicious client could use the mechanism to spawn more than one - /// session. - /// Enabled by default. + /// session. Enabled by default. + /// + /// default: true #[serde(default = "true_fn")] pub login_via_existing_session: bool, + /// Whether to enable the login token route to accept login tokens at all. + /// Login tokens may be generated by the server for authorization flows such + /// as SSO; disabling tokens may break such features. + /// + /// This option is distinct from `login_via_existing_session` and does not + /// carry the same security implications; the intent is to leave this + /// enabled while disabling the former to prevent clients from commanding + /// login token creation but without preventing the server from doing so. + /// + /// default: true + #[serde(default = "true_fn")] + pub login_via_token: bool, + /// Login token expiration/TTL in milliseconds. /// /// These are short-lived tokens for the m.login.token endpoint. diff --git a/tuwunel-example.toml b/tuwunel-example.toml index 66adcbe1..6a944746 100644 --- a/tuwunel-example.toml +++ b/tuwunel-example.toml @@ -785,11 +785,21 @@ # Allow an existing session to mint a login token for another client. # This requires interactive authentication, but has security ramifications # as a malicious client could use the mechanism to spawn more than one -# session. -# Enabled by default. +# session. Enabled by default. # #login_via_existing_session = true +# Whether to enable the login token route to accept login tokens at all. +# Login tokens may be generated by the server for authorization flows such +# as SSO; disabling tokens may break such features. +# +# This option is distinct from `login_via_existing_session` and does not +# carry the same security implications; the intent is to leave this +# enabled while disabling the former to prevent clients from commanding +# login token creation but without preventing the server from doing so. +# +#login_via_token = true + # Login token expiration/TTL in milliseconds. # # These are short-lived tokens for the m.login.token endpoint.