72 changes: 22 additions & 50 deletions crates/cli/src/commands/doctor.rs
Expand Up @@ -14,6 +14,7 @@ use std::process::ExitCode;
use anyhow::Context;
use clap::Parser;
use figment::Figment;
use hyper::StatusCode;
use mas_config::{ConfigurationSection, RootConfig};
use mas_http::RequestBuilderExt;
use tracing::{error, info, info_span, warn};
Expand Down Expand Up @@ -99,17 +100,14 @@ Make sure that the MAS config contains:

http:
public_base: {issuer:?}
# Or, if the issuer is different from the public base:
issuer: {issuer:?}

And in the Synapse config:

experimental_features:
msc3861:
enabled: true
# This must exactly match:
issuer: {issuer:?}
# ...
matrix_authentication_service:
enabled: true
# This must point to where MAS is reachable by Synapse
endpoint: {issuer:?}
# ...

See {DOCS_BASE}/setup/homeserver.html
"#
Expand All @@ -128,11 +126,10 @@ Check the well-known document at "{well_known_uri}"
Check the well-known document at "{well_known_uri}"
Make sure Synapse has delegated auth enabled:

experimental_features:
msc3861:
enabled: true
issuer: {issuer:?}
# ...
matrix_authentication_service:
enabled: true
endpoint: {issuer:?}
# ...

If it is not Synapse handling the well-known document, update it to include the following:

Expand Down Expand Up @@ -278,62 +275,37 @@ Check that the homeserver is running."#
Err(e) => error!(
r#"❌ Can't reach the homeserver at "{whoami}".

Error details: {e}
"#
),
}

// Try to reach the admin API on an unauthorized endpoint
let server_version = hs_api.join("/_synapse/admin/v1/server_version")?;
let result = http_client.get(server_version.as_str()).send_traced().await;
match result {
Ok(response) => {
let status = response.status();
if status.is_success() {
info!(r#"✅ The Synapse admin API is reachable at "{server_version}"."#);
} else {
error!(
r#"❌ A Synapse admin API endpoint at "{server_version}" replied with {status}.
Make sure MAS can reach the admin API, and that the homeserver is running.
"#
);
}
}
Err(e) => error!(
r#"❌ Can't reach the Synapse admin API at "{server_version}".
Make sure MAS can reach the admin API, and that the homeserver is running.

Comment on lines -286 to -305
Member


Why is this no longer useful? Doesn't MAS still need to use Synapse's Admin API in several cases?

Member Author


It's using a dedicated API now, and doesn't have full admin access anymore

Member Author


This is also now just testing for the dedicated MAS API, which should cover both the 'it's unreachable' and the 'it's the wrong secret' cases

Error details: {e}
"#
),
}

// Try to reach an authenticated admin API endpoint
let background_updates = hs_api.join("/_synapse/admin/v1/background_updates/status")?;
let mas_api = hs_api.join("/_synapse/mas/is_localpart_available")?;
let result = http_client
.get(background_updates.as_str())
.get(mas_api.as_str())
.bearer_auth(&admin_token)
.send_traced()
.await;
match result {
Ok(response) => {
let status = response.status();
if status.is_success() {
// We're missing the localpart parameter, so expect a 400
if status == StatusCode::BAD_REQUEST {
info!(
r#"✅ The Synapse admin API is reachable with authentication at "{background_updates}"."#
r#"✅ The Synapse admin API is reachable with authentication at "{mas_api}"."#
);
} else {
error!(
r#"❌ A Synapse admin API endpoint at "{background_updates}" replied with {status}.
r#"❌ A Synapse admin API endpoint at "{mas_api}" replied with {status}.
Make sure the homeserver is running, and that the MAS config has the correct `matrix.secret`.
It should match the `admin_token` set in the Synapse config.

experimental_features:
msc3861:
enabled: true
issuer: {issuer}
# This must exactly match the secret in the MAS config:
admin_token: {admin_token:?}
matrix_authentication_service:
enabled: true
endpoint: {issuer:?}
# This must exactly match the secret in the MAS config:
secret: {admin_token:?}

And in the MAS config:

Expand All @@ -346,7 +318,7 @@ And in the MAS config:
}
}
Err(e) => error!(
r#"❌ Can't reach the Synapse admin API at "{background_updates}".
r#"❌ Can't reach the Synapse admin API at "{mas_api}".
Make sure the homeserver is running, and that the MAS config has the correct `matrix.secret`.

Error details: {e}
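Review bot: The failure message for the `/_synapse/mas/is_localpart_available` check still interpolates the live shared secret (`secret: {admin_token:?}`) into an `error!` event, so a failed check may write the real MAS secret to wherever the tracing output ends up, such as terminal scrollback, a log file, or a pasted support request. A placeholder keeps the guidance intact without disclosing the value, for example `secret: "<value of matrix.secret from the MAS config>"`. The unchanged sentence just above the snippet also still says the value should match the `admin_token` set in the Synapse config, while the new snippet names the key `secret` under `matrix_authentication_service`; the two should agree. The enclosing function begins and ends outside the visible hunks.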