From 509542ccaf8667e759866c988baf6ea6c7dff994 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 9 Nov 2024 21:19:16 +0200
Subject: [PATCH] Enable QR code login (MSC4108) support for Synapse when Matrix Authentication Service is enabled
Related to 8a6b822bbd80ca3cdb25b0cd29bf369b6b0ce2e1
Related to https://github.com/matrix-org/matrix-spec-proposals/pull/4108
Potential (unconfirmed) fix for https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3749
---
 group_vars/matrix_servers | 2 ++
 roles/custom/matrix-synapse/defaults/main.yml | 4 ++++
 roles/custom/matrix-synapse/tasks/validate_config.yml | 5 +++++
 .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 +++
 4 files changed, 14 insertions(+)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index fd2002ae6..5cd5c200e 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -4769,6 +4769,8 @@ matrix_synapse_experimental_features_msc3861_client_secret: "{{ '%s' | format(ma
 matrix_synapse_experimental_features_msc3861_admin_token: "{{ matrix_authentication_service_config_matrix_secret if matrix_authentication_service_enabled else '' }}"
 matrix_synapse_experimental_features_msc3861_account_management_url: "{{ matrix_authentication_service_account_management_url if matrix_authentication_service_enabled else '' }}"
+matrix_synapse_experimental_features_msc4108_enabled: "{{ matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress }}"
+
 # Disable password authentication when delegating authentication to Matrix Authentication Service.
 # Unless this is done, Synapse fails on startup with:
 # > Error in configuration at 'password_config.enabled':
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index c6e2db9be..216e63b57 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
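Review bot: The added `matrix_synapse_experimental_features_msc4108_enabled` line in group_vars/matrix_servers turns QR code login on for every deployment that has Matrix Authentication Service enabled and no migration in progress, and nothing next to the line says so. Because this adds a sign-in path behind an experimental flag, a comment above it would help operators who prefer to keep it off, for example `# QR code login (MSC4108) is turned on automatically whenever Matrix Authentication Service is enabled and no migration is in progress. Override this variable with false to opt out.` The expression also restates the MAS condition instead of referring to `matrix_synapse_experimental_features_msc3861_enabled`, which the new validation task checks. That variable's definition is outside this hunk, so whether the two always agree cannot be confirmed from here. Overriding only `matrix_synapse_experimental_features_msc3861_enabled` to false while MAS stays enabled will make the validation task fail, not disable QR code login, which is worth stating in the comment too.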
@@ -1180,6 +1180,10 @@ matrix_synapse_experimental_features_msc3861_admin_token: ''
 # URL to advertise to clients where users can self-manage their account.
 matrix_synapse_experimental_features_msc3861_account_management_url: ''
+# Controls whether to enable the "QR code login" experimental feature.
+# Enabling this requires that MSC3861 (see `matrix_synapse_experimental_features_msc3861_enabled`) is also enabled.
+matrix_synapse_experimental_features_msc4108_enabled: false
+
 ################################################################################
 #
 # /Next-generation auth for Matrix, based on OAuth 2.0/OIDC
diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml
index e9f02b44c..b53566c8e 100644
--- a/roles/custom/matrix-synapse/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/validate_config.yml
@@ -154,3 +154,8 @@
 ansible.builtin.fail:
 msg: "When Synapse is delegating authentication to Matrix Authentication Service, it doesn't make sense to enable the password config (`matrix_synapse_password_config_enabled: true`), because it is not Synapse that is handling authentication. Please remove your `matrix_synapse_password_config_enabled: true` setting before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
 when: matrix_synapse_experimental_features_msc3861_enabled and matrix_synapse_password_config_enabled
+
+- name: Fail if QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
+ ansible.builtin.fail:
+ msg: "When Synapse QR code login is enabled (MSC4108 via `matrix_synapse_experimental_features_msc4108_enabled`), Next-Gen auth (MSC3861 via `matrix_synapse_experimental_features_msc3861_enabled`) must also be enabled."
+ when: matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_experimental_features_msc3861_enabled
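Review bot: The `when:` of the new task in validate_config.yml tests both variables by plain truthiness, so a value supplied as a quoted string such as "false" would likely count as enabled under Jinja's rules for non-empty strings. Casting makes the check independent of how the operator wrote the value: `when: matrix_synapse_experimental_features_msc4108_enabled | bool and not matrix_synapse_experimental_features_msc3861_enabled | bool`. The same applies to the `{% if matrix_synapse_experimental_features_msc4108_enabled %}` line added in homeserver.yaml.j2, where a truthy string would render `msc4108_enabled: true`; `{% if matrix_synapse_experimental_features_msc4108_enabled | bool %}` avoids that. The preceding task in this file is written in the same uncast style, so this may be a convention to revisit across the file and not only here.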
diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 5a20fea4f..3408a1050 100644
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -2987,5 +2987,8 @@ experimental_features:
 admin_token: {{ matrix_synapse_experimental_features_msc3861_admin_token | to_json }}
 account_management_url: {{ matrix_synapse_experimental_features_msc3861_account_management_url | to_json }}
 {% endif %}
+ {% if matrix_synapse_experimental_features_msc4108_enabled %}
+ msc4108_enabled: true
+ {% endif %}
 # vim:ft=yaml