|
| 1 | +# MSC3383: Include destination in X-Matrix Auth Header |
| 2 | + |
| 3 | +Currently, a federation request can't be validated mid-flight without talking |
| 4 | +to both the originating server and the destination server. The originating |
| 5 | +server needs to be asked for it's key, and the destination server for it's |
| 6 | +`server_name`, because the `Host` header does not necessarily contain the |
| 7 | +`server_name` of the destination server, if delegation via `.well-known` is |
| 8 | +being used. |
| 9 | + |
| 10 | +This hasn't been a problem so far, as the `server_name` of the destination is |
| 11 | +usually known when validating the `Authorization` header, it's the |
| 12 | +`server_name` of the matrix server that's doing the validation. But there's two |
| 13 | +scenarios where this might not be the case: Forward proxies (that act as an API |
| 14 | +gateway for enforcing additional rules), or Matrix Homeservers implementing |
| 15 | +vhosting and have multiple `server_name`s pointing to the same `Host`. |
| 16 | + |
| 17 | +## Proposal |
| 18 | + |
| 19 | +In addition to the currently present `origin`, `key` and `sig` fields, the |
| 20 | +`Authorization` header of the scheme `X-Matrix` used in the Matrix S2S API |
| 21 | +should also include a `destination` field, which contains the `server_name` of |
| 22 | +the Matrix Homeserver that the request is being sent to. |
| 23 | + |
| 24 | +## Potential issues |
| 25 | + |
| 26 | +Server implementations could theoretically be affected by this change, |
| 27 | +depending on how the header is parsed, which would cause failures in verifying |
| 28 | +the authenticity of the requests. This would be fatal, as it would mean that |
| 29 | +federation would stop working. Luckily, from an initial assessment, it seems |
| 30 | +that all major implementations work here, the parsing implementations in |
| 31 | +Synapse, Dendrite, Conduit, Sydent and SyTest looks like it'd gracefully handle |
| 32 | +this addition without any trouble. |
| 33 | + |
| 34 | +## Alternatives |
| 35 | + |
| 36 | +For the forward proxy scenario, it'd be possible to use the |
| 37 | +`/_matrix/key/v2/server` endpoint for fetching the `server_name` when receiving |
| 38 | +a request. After that though, the `server_name` has to be resolved back to a |
| 39 | +`Host`, for making sure that the domain owner of `server_name` actually intends |
| 40 | +for requests for `server_name` to go to the host in `Host`. This is |
| 41 | +unnecessarily complex and prone to error, which is why it'd be better to have |
| 42 | +that included. |
| 43 | + |
| 44 | +For the vhosting scenario, it'd be possible to have a different hostname to |
| 45 | +delegate to for each vhost. That means that wildcard DNS records and |
| 46 | +certificates have to be used though, to make it manageable to allow anyone |
| 47 | +pointing a `server_name` against a certain service. This is a limitation that |
| 48 | +might be problematic in certain setups, which is why I'd be better to not force |
| 49 | +that. |
| 50 | + |
| 51 | +## Security considerations |
| 52 | + |
| 53 | +I can't think of anything required in this section for this MSC, but I'm open |
| 54 | +to input. |
0 commit comments