Matrix is being spammed with email users

bheesham · bheesham · commit 339244e86045 · 2025-04-14T16:33:05.000-04:00
We already allowed email registrations to Matrix, so we can't disable this
connection, since that would break logging in for existing users.

That leaves us with only one option: deny at pre-user-registration.

Jira: IAM-1617
diff --git a/tf/actions-pre-user-registration.tf b/tf/actions-pre-user-registration.tf
@@ -0,0 +1,18 @@
+resource "auth0_trigger_actions" "pre_user_registration_flow" {
+  trigger = "pre-user-registration"
+  actions {
+    id           = auth0_action.deny_registration.id
+    display_name = auth0_action.deny_registration.name
+  }
+}
+
+resource "auth0_action" "deny_registration" {
+  name    = "denyRegistration"
+  runtime = "node22"
+  deploy  = true
+  code    = file("${path.module}/actions/denyRegistration.js")
+  supported_triggers {
+    id      = "pre-user-registration"
+    version = "v2"
+  }
+}
diff --git a/tf/actions/denyRegistration.js b/tf/actions/denyRegistration.js
@@ -0,0 +1,32 @@
+// Reject users from registering for an application (by client id) using a
+// specific connection.
+//
+// This is a workaround for disabling a connection entirely for an application,
+// since we may have allowed registrations already.
+//
+// If we instead disabled the connection then we'd break logins for users who
+// only have that connection available.
+//
+// DEBT(bhee): LDAP's connection name is
+// * `Mozilla-LDAP` on prod;
+// * `Mozilla-LDAP-Dev` on dev.
+//
+// If we need to deny registrations on those, for some reason, we'll need to
+// think of a better way. Connection Ids are not stable across tenants either.
+
+exports.onExecutePreUserRegistration = async (event, api) => {
+  const CLIENT_CONNECTIONS_DENYLIST = {
+    // Matrix, IAM-1617
+    pFf6sBIfp4n3Wcs3F9Q7a9ry8MTrbi2F: ["email"],
+  };
+
+  const denylist = CLIENT_CONNECTIONS_DENYLIST[event.client.client_id] ?? [];
+
+  if (denylist.includes(event.connection.name)) {
+    return api.access.deny(
+      `Not allowed to register for ${event.client.name} using ${event.connection.name}.`
+    );
+  }
+
+  return;
+};
diff --git a/tf/tests/denyRegistration.test.js b/tf/tests/denyRegistration.test.js
@@ -0,0 +1,26 @@
+const _ = require("lodash");
+const eventObj = require("./modules/event.json");
+const {
+  onExecutePreUserRegistration,
+} = require("../actions/denyRegistration.js");
+
+beforeEach(() => {
+  _event = _.cloneDeep(eventObj);
+  api = {
+    access: {
+      deny: jest.fn(),
+    },
+  };
+});
+
+test("Should not deny registration an app we haven't specified", async () => {
+  await onExecutePreUserRegistration(_event, api);
+  expect(api.access.deny).not.toHaveBeenCalled();
+});
+
+test("Should deny registration for Matrix", async () => {
+  _event.connection.name = "email";
+  _event.client.client_id = "pFf6sBIfp4n3Wcs3F9Q7a9ry8MTrbi2F";
+  await onExecutePreUserRegistration(_event, api);
+  expect(api.access.deny).toHaveBeenCalled();
+});
