fn_registry/functions/infra/wellknown_oidc_patch.md
egutierrez daef7ea190 feat(matrix): MAS migration helpers + 2 flows + 15 issues + capability group
Helper functions (matrix-mas capability group):
- mas_client_register_bash_infra: register/sync OAuth clients via mas-cli
- mas_syn2mas_migration_bash_infra: dry-run + apply user migration to MAS
- synapse_msc3861_enable_go_infra: edit homeserver.yaml MSC3861 block (with diff)
- wellknown_oidc_patch_go_infra: patch well-known JSON with msc2965.authentication
- synapse_login_flows_check_go_infra: health-check post-migration login flows

Flows + issues for custom Matrix clients (PC + Android):
- 0010 matrix-client-pc: Wails + React+Mantine (issues 0147-0153)
- 0011 matrix-client-android: Kotlin + Compose (issues 0154-0161)
- 0162 enable MAS as auth provider (Synapse delegate) — EXECUTED on VPS
- 0163 own custom admin panel (replaces synapse-admin)

Production state (organic-machine.com):
- Synapse migrated SQLite -> Postgres
- MSC3861 active, password_config disabled
- 21 users + 41 access_tokens migrated via syn2mas
- 4 MAS clients registered (element, matrix_pc, matrix_android, admin_panel)
- synapse-admin container removed + Coolify route deleted
- well-known patched with org.matrix.msc2965.authentication

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 22:53:33 +02:00


## Registry entry

| Field | Value |
|---|---|
| name | wellknown_oidc_patch |
| kind | function |
| lang | go |
| domain | infra |
| version | 0.1.0 |
| purity | impure |
| signature | `func WellknownOidcPatch(cfg WellknownOidcPatchConfig) (WellknownOidcPatchResult, error)` |
| description | Patches the `.well-known/matrix/client` JSON, adding `org.matrix.msc2965.authentication` (MAS issuer + account URL) so that Matrix clients discover the OIDC provider dynamically. Preserves every existing field (`m.homeserver`, `org.matrix.msc4143.rtc_foci`, etc.). Creates a backup before writing. Supports DryRun. |
| tags | matrix, mas, oidc, well-known, msc2965, migration, mas-migration, infra, matrix-mas |
| uses_functions | |
| uses_types | error_go_core |
| returns | |
| returns_optional | false |
| error_type | error_go_core |
| imports | encoding/json, fmt, os, path/filepath, time |
| tested | true |
| tests | patch adds key and preserves existing fields; idempotent: second call returns Modified=false; dry run does not write file; nonexistent file returns error |
| test_file_path | functions/infra/wellknown_oidc_patch_test.go |
| file_path | functions/infra/wellknown_oidc_patch.go |
| output | `WellknownOidcPatchResult` with BackupPath (empty on DryRun or no-op), Before and After as pretty-printed JSON, and Modified=false if the value was already identical. |

### params

| name | desc |
|---|---|
| WellknownJsonPath | Absolute path to the `.well-known/matrix/client` JSON file (copied from the VPS before the call; the operator copies it back after the call) |
| Issuer | URL of the MAS issuer; MUST end with '/' (RFC 8414). E.g. https://auth-af2f3d.organic-machine.com/ |
| AccountURL | URL of the MAS account page. E.g. https://auth-af2f3d.organic-machine.com/account |
| BackupDir | Directory where `wellknown_<unix_ts>.json` is written before modifying. Created with `mkdir -p` if it does not exist. |
| DryRun | If true, computes Before/After and Modified but writes no file and creates no backup. |

## Example

```go
package main

import (
	"fmt"
	"log"
	// plus the registry's infra package (import path not shown on this page)
)

func main() {
	cfg := infra.WellknownOidcPatchConfig{
		WellknownJsonPath: "/tmp/wellknown_client.json",
		Issuer:            "https://auth-af2f3d.organic-machine.com/",
		AccountURL:        "https://auth-af2f3d.organic-machine.com/account",
		BackupDir:         "/tmp/wellknown_backups",
		DryRun:            true,
	}
	res, err := infra.WellknownOidcPatch(cfg)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("Modified:", res.Modified)
	fmt.Println("After:\n", res.After)

	// If the result looks right, call again with DryRun: false to write.
}
```

## When to use it

Step 5 of migration 0162 (Synapse → MAS): before hot-reloading nginx in the wellknown container. Also useful if the MAS issuer changes in the future (just call it again with the new URL; idempotence guarantees the key is not duplicated).

## Gotchas

- Issuer MUST end with `/`: Matrix clients follow RFC 8414 strictly. An issuer without a trailing `/` causes silent discovery failures.
- Use a dynamic map, not a struct: the function parses the JSON into `map[string]any` to preserve unknown fields. Do not assume the file only contains `m.homeserver`.
- After writing, reload nginx: `ssh <host> docker exec <wellknown_container> nginx -s reload`. This function does not do it; that is the operator's responsibility.
- Synapse can also serve the well-known: `/_matrix/client/.well-known` may come from Synapse in addition to the wellknown container. Check with `curl -s https://matrix.organic-machine.com/.well-known/matrix/client` and `curl -s https://matrix.organic-machine.com/_matrix/client/.well-known/matrix/client` to find out which one each client uses.
- DryRun creates neither a backup nor BackupDir: use DryRun to verify the diff before running in production.
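The registry entry above only records the contract (map-based parsing, backup before write, DryRun, idempotence, trailing-slash issuer). The following is an added, self-contained Go example that implements that same contract so the behaviour can be read and run directly; it is not the registry's `wellknown_oidc_patch.go`. The type names `PatchConfig`, `PatchResult` and `PatchWellknown` are this example's own, the field names follow the params table, the sample well-known document is constructed, and the trailing-slash rejection and temp-file-plus-rename write are design choices of this example rather than documented behaviour of the registry function.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// MSC2965Key is the well-known entry that carries the OIDC issuer and account URL.
const MSC2965Key = "org.matrix.msc2965.authentication"

// PatchConfig / PatchResult mirror the documented fields (type names assumed here).
type PatchConfig struct {
	WellknownJsonPath string
	Issuer            string
	AccountURL        string
	BackupDir         string
	DryRun            bool
}

type PatchResult struct {
	BackupPath string // empty on DryRun or when nothing changed
	Before     string // pretty-printed JSON before the patch
	After      string // pretty-printed JSON after the patch
	Modified   bool   // false when the entry was already identical
}

// PatchWellknown adds or replaces the MSC2965 entry while preserving every other
// key: the document is parsed into map[string]any, never into a fixed struct.
func PatchWellknown(cfg PatchConfig) (PatchResult, error) {
	var res PatchResult
	// Per the gotcha on RFC 8414, a missing trailing slash fails silently on clients,
	// so this example refuses it up front instead of writing a broken file.
	if !strings.HasSuffix(cfg.Issuer, "/") {
		return res, errors.New("issuer must end with '/'")
	}
	raw, err := os.ReadFile(cfg.WellknownJsonPath)
	if err != nil {
		return res, err // a nonexistent file is an error, not a fresh document
	}
	doc := map[string]any{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return res, fmt.Errorf("parse %s: %w", cfg.WellknownJsonPath, err)
	}
	before, err := json.MarshalIndent(doc, "", "  ")
	if err != nil {
		return res, err
	}
	res.Before = string(before)

	want := map[string]any{"issuer": cfg.Issuer, "account": cfg.AccountURL}
	// Idempotence: canonical JSON of the existing entry vs. the desired one.
	wantJSON, _ := json.Marshal(want)
	if haveJSON, err := json.Marshal(doc[MSC2965Key]); err == nil && string(haveJSON) == string(wantJSON) {
		res.After = res.Before
		return res, nil // Modified=false: no backup, no write
	}
	doc[MSC2965Key] = want
	after, err := json.MarshalIndent(doc, "", "  ")
	if err != nil {
		return res, err
	}
	res.After = string(after)
	res.Modified = true
	if cfg.DryRun {
		return res, nil // report the diff, touch nothing on disk
	}

	// Back up the original bytes before modifying anything.
	if err := os.MkdirAll(cfg.BackupDir, 0o755); err != nil {
		return res, err
	}
	res.BackupPath = filepath.Join(cfg.BackupDir, fmt.Sprintf("wellknown_%d.json", time.Now().Unix()))
	if err := os.WriteFile(res.BackupPath, raw, 0o644); err != nil {
		return res, err
	}
	// Temp file + rename so a crash never leaves a half-written well-known behind.
	tmp := cfg.WellknownJsonPath + ".tmp"
	if err := os.WriteFile(tmp, append(after, '\n'), 0o644); err != nil {
		return res, err
	}
	return res, os.Rename(tmp, cfg.WellknownJsonPath)
}

func main() {
	// Constructed sample document in a scratch directory; not a real server's file.
	dir, _ := os.MkdirTemp("", "wellknown")
	path := filepath.Join(dir, "client.json")
	_ = os.WriteFile(path, []byte(`{"m.homeserver":{"base_url":"https://matrix.example.test"}}`), 0o644)
	res, err := PatchWellknown(PatchConfig{
		WellknownJsonPath: path, Issuer: "https://auth.example.test/",
		AccountURL: "https://auth.example.test/account",
		BackupDir:  filepath.Join(dir, "backups"), DryRun: true,
	})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("Modified:", res.Modified)
	fmt.Println(res.After)
}
```

Running `main` performs a dry run on the constructed document and prints the patched JSON without writing it; dropping `DryRun: true` writes the backup and the file, and a second call then returns `Modified=false` with no new backup.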