MSC4140: allow auth on management endpoints for delayed events #19794

Merged
anoadragon453 merged 10 commits into element-hq:develop from AndrewFerr:msc4140-may-auth-management
Jun 18, 2026

@AndrewFerr AndrewFerr commented May 21, 2026

This is to allow authed requests to have their own ratelimit quotas.

MSC4140

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct (run the linters)

This is to allow authed requests to have their own ratelimit quotas.
Plus, since element-hq#19152, the delayed event management ratelimit hasn't
considered the requesting device ID, so don't mention that anymore.
@AndrewFerr AndrewFerr requested a review from a team as a code owner May 21, 2026 15:46
@MadLittleMods MadLittleMods changed the title MSC4140: allow auth on management endpoints MSC4140: allow auth on management endpoints for delayed events May 21, 2026
pull Bot pushed a commit to Reality2byte/matrix-js-sdk that referenced this pull request May 26, 2026
* MSC4140: use auth for delayed event management

Do this to let ratelimiting apply per user instead of per source IP
address, if the server supports that.

See element-hq/synapse#19794

* Add comment to explain why auth is being used
Comment thread synapse/handlers/delayed_events.py

Copilot AI left a comment

Pull request overview

Enables authenticated requests to delayed event management endpoints (MSC4140) to be rate-limited based on the authenticated user rather than the source IP, so authenticated clients can have their own quotas distinct from unauthenticated/IP-based traffic.

Changes:

  • Add a shared _mgmt_ratelimit helper in DelayedEventsHandler that switches ratelimiting keys between authenticated user and unauthenticated source IP.
  • Expand delayed event management ratelimit tests to cover the “authenticated bypasses IP ratelimit” behavior and per-user override disabling ratelimits.
  • Update configuration schema/docs wording to reflect the new ratelimiting behavior, and add a Towncrier feature fragment.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| tests/rest/client/test_delayed_events.py | Updates ratelimit tests to cover authenticated-vs-unauthenticated quotas and user ratelimit overrides. |
| synapse/handlers/delayed_events.py | Implements auth-aware ratelimiting for delayed event cancel/restart/send; simplifies user listing ratelimit keying. |
| schema/synapse-config.schema.yaml | Updates config schema description for rc_delayed_event_mgmt to match new behavior. |
| docs/usage/configuration/config_documentation.md | Updates user-facing config docs description for delayed event management ratelimiting. |
| changelog.d/19794.feature | Adds Towncrier newsfragment describing the new authenticated behavior. |
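
The key switch described in the overview above, as an added example that is not Synapse's code and not part of this pull request: authenticated requests draw from a per-user bucket, unauthenticated ones from a per-source-IP bucket, and a per-user override can disable the limit. `KeyedRatelimiter`, `mgmt_ratelimit`, `exempt_users`, the limits, the user IDs and the IP address are all hypothetical or constructed; the PR's own `_mgmt_ratelimit` is not shown on this page.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class KeyedRatelimiter:
    """Token bucket per key: refills at per_second, capped at burst_count."""
    per_second: float
    burst_count: int
    _buckets: dict = field(default_factory=dict)  # key -> (tokens, last_seen)

    def allow(self, key: tuple, now: float) -> bool:
        tokens, last = self._buckets.get(key, (float(self.burst_count), now))
        tokens = min(self.burst_count, tokens + (now - last) * self.per_second)
        allowed = tokens >= 1
        self._buckets[key] = (tokens - 1 if allowed else tokens, now)
        return allowed


def mgmt_ratelimit(limiter, exempt_users, user_id: Optional[str],
                   source_ip: str, now: float) -> bool:
    """Hypothetical helper. user_id must come from a validated access token,
    never from a client-supplied field."""
    if user_id is None:
        return limiter.allow(("ip", source_ip), now)  # unauthenticated: per source IP
    if user_id in exempt_users:                       # per-user override disables the limit
        return True
    return limiter.allow(("user", user_id), now)      # authenticated: per user


def run_demo() -> dict:
    # Constructed values: limits, users and a documentation-range IP.
    limiter = KeyedRatelimiter(per_second=1.0, burst_count=2)
    exempt, ip = {"@bot:example.org"}, "203.0.113.7"
    call = lambda user, now=0.0: mgmt_ratelimit(limiter, exempt, user, ip, now)
    return {
        "anon": [call(None) for _ in range(3)],
        "alice": [call("@alice:example.org") for _ in range(3)],
        "bob": [call("@bob:example.org")],
        "bot": [call("@bot:example.org") for _ in range(5)],
        "anon_after_1s": call(None, now=1.0),
    }


if __name__ == "__main__":
    print(run_demo())
```

All requests in the demo come from one source IP, so it shows that exhausting the unauthenticated bucket does not consume an authenticated user's quota, and that each user's bucket is separate from every other user's.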

Comment thread synapse/handlers/delayed_events.py Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

@anoadragon453 anoadragon453 left a comment

Just some minor wording changes. Otherwise this LGTM!

Comment thread changelog.d/19794.feature Outdated
Comment thread schema/synapse-config.schema.yaml Outdated
Comment thread synapse/handlers/delayed_events.py
anoadragon453 and others added 2 commits June 18, 2026 10:59
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
@anoadragon453 anoadragon453 enabled auto-merge (squash) June 18, 2026 12:58
@anoadragon453 anoadragon453 disabled auto-merge June 18, 2026 13:27
@anoadragon453 anoadragon453 merged commit 2487b31 into element-hq:develop Jun 18, 2026
43 of 45 checks passed
AndrewFerr added a commit to AndrewFerr/synapse that referenced this pull request Jun 18, 2026
@AndrewFerr AndrewFerr deleted the msc4140-may-auth-management branch June 18, 2026 20:30