synapse

sharpetronics/synapse

Fork 0

mirror of https://github.com/element-hq/synapse.git synced 2025-12-12 00:01:45 -05:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Eric Eastwood	0be7fe926d	Add debug log when `HMAC incorrect` (#18474 ) Spawning from getting `HMAC incorrect` errors that seem unexplainable except for the `registration_shared_secret` being misconfigured. It's also possible my HMAC calculation is incorrect but every time I double-check the result with the [known-good Python example](`553e124f76/docs/admin_api/register_api.md`) (which matches [Synapse's source](`24e849e483/synapse/rest/admin/users.py (L618-L633)`)), it's as expected. With these logs, we can actually debug whether `registration_shared_secret` is being configured correctly or not. It also helps specifically when using `registration_shared_secret_path` since the default Synapse behavior (of creating the file and secret if it doesn't exist) can mask deployment race condition where we would start up Synapse before the `registration_shared_secret_path` file was put in place: > `registration_shared_secret_path` > > [...] > > If this file does not exist, Synapse will create a new shared secret on startup and store it in this file. > > -- [Synapse config docs](`6521406a37/docs/usage/configuration/config_documentation.md (registration_shared_secret_path)`) This only applies to the [`POST /_synapse/admin/v1/register`](`553e124f76/docs/admin_api/register_api.md`) endpoint but does log very sensitive information so we've made it so you have to explicitly enable the logs by configuring `synapse.rest.admin.users.registration_debug` (does not inherit root log level) (via our new `ExplicitlyConfiguredLogger`) `homeserver.yaml` ```yaml log_config: "/myserver.log.config.yaml" ``` `myserver.log.config.yaml` ```yaml version: 1 formatters: precise: format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' handlers: # ... file/buffer handler (see `sample_log_config.yaml`) # A handler that writes logs to stderr. Unused by default, but can be used # instead of "buffer" and "file" in the logger handlers. console: class: logging.StreamHandler formatter: precise loggers: synapse.storage.SQL: # beware: increasing this to DEBUG will make synapse log sensitive # information such as access tokens. level: INFO # Has to be explicitly configured as such. Will not inherit from the root level even if it's set to DEBUG synapse.rest.admin.users.registration_debug: level: DEBUG root: level: INFO handlers: [console] disable_existing_loggers: false ```	2025-07-22 11:09:45 -05:00

Eric Eastwood

0be7fe926d

Add debug log when HMAC incorrect (#18474 )

Spawning from getting `HMAC incorrect` errors that seem unexplainable
except for the `registration_shared_secret` being misconfigured. It's
also possible my HMAC calculation is incorrect but every time I
double-check the result with the [known-good Python
example](553e124f76/docs/admin_api/register_api.md)
(which matches [Synapse's
source](24e849e483/synapse/rest/admin/users.py (L618-L633))),
it's as expected.

With these logs, we can actually debug whether
`registration_shared_secret` is being configured correctly or not.

It also helps specifically when using `registration_shared_secret_path`
since the default Synapse behavior (of creating the file and secret if
it doesn't exist) can mask deployment race condition where we would
start up Synapse before the `registration_shared_secret_path` file was
put in place:

> **`registration_shared_secret_path`**
>
> [...]
>
> If this file does not exist, Synapse will create a new shared secret
on startup and store it in this file.
>
> *-- [Synapse config
docs](6521406a37/docs/usage/configuration/config_documentation.md (registration_shared_secret_path))*


This only applies to the [`POST
/_synapse/admin/v1/register`](553e124f76/docs/admin_api/register_api.md)
endpoint but does log very sensitive information so we've made it so you
have to explicitly enable the logs by configuring
`synapse.rest.admin.users.registration_debug` (does not inherit root log
level) (via our new `ExplicitlyConfiguredLogger`)


`homeserver.yaml`
```yaml
log_config: "/myserver.log.config.yaml"
```

`myserver.log.config.yaml`
```yaml
version: 1

formatters:
    precise:
        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
        

handlers:
    # ... file/buffer handler (see `sample_log_config.yaml`)

    # A handler that writes logs to stderr. Unused by default, but can be used
    # instead of "buffer" and "file" in the logger handlers.
    console:
        class: logging.StreamHandler
        formatter: precise

loggers:
    synapse.storage.SQL:
        # beware: increasing this to DEBUG will make synapse log sensitive
        # information such as access tokens.
        level: INFO

    # Has to be explicitly configured as such. Will not inherit from the root level even if it's set to DEBUG
    synapse.rest.admin.users.registration_debug:
        level: DEBUG

root:
    level: INFO

    handlers: [console]

disable_existing_loggers: false
```

2025-07-22 11:09:45 -05:00

1 Commits