Open
Description
If you call https://element-hq.github.io/synapse/latest/admin_api/user_admin_api.html#login-as-a-user with a localpart that does not exist on your server, you still get a 200 response and an access token in return.
Steps to reproduce
Call https://element-hq.github.io/synapse/latest/admin_api/user_admin_api.html#login-as-a-user with a localpart that does not exist
```
$ curl -X GET -H 'authorization: Bearer syt_YWRtaW4_fJeLjYZWUhagHqLsnLGM_0fPxjc' http://synapse.matrix.local/_synapse/admin/v2/users/@foo:matrix.local
{"errcode":"M_NOT_FOUND","error":"User not found"}
$ curl -X POST -H 'authorization: Bearer syt_YWRtaW4_fJeLjYZWUhagHqLsnLGM_0fPxjc' http://synapse.matrix.local/_synapse/admin/v1/users/@foo:matrix.local/login
{"access_token":"syt_Zm9v_wzJfLsJWZQBiIjSqIhFW_3dO3BT"}
```
Homeserver
EMS & local synapse in Podman
Synapse Version
1.130.0
Installation Method
Docker (matrixdotorg/synapse)
Database
single PostgreSQL 17.5 brand new synapse install. Not migrated. And whatever we run on EMS
Workers
Single process
Platform
EMS and local Podman
Configuration
```yaml
# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
server_name: "matrix.local"
pid_file: /data/homeserver.pid
listeners:
  - port: 8448
    tls: false
    type: http
    x_forwarded: true
    resources:
      - names: [client, federation]
        compress: false
    bind_addresses:
      - 0.0.0.0
database:
  name: psycopg2
  args:
    database: synapse
    cp_max: 10
    cp_min: 5
    host: postgres
    password: password
    user: synapse
log_config: "/data/log.config.yaml"
media_store_path: /data/media_store
registration_shared_secret: "fsWQiHX_3CerrTZKXrGLxAkidj_+lP;7l=fBlu8;Ur;NQZIVpK"
report_stats: false
macaroon_secret_key: "cqN+f-7.pY+S^e40zo7IDoMdJkC@URwWFiLT:TCkfWrBd9XH;l"
form_secret: "+iYzJF,:S@j@60z3iI9;_vO91gG8R#1Tp-dDH;i#xCf;kASolN"
signing_key_path: "/data/matrix.local.signing.key"
trusted_key_servers:
  - server_name: "matrix.org"
    accept_keys_insecurely: true
# vim:ft=yaml
enable_registration: true
enable_registration_without_verification: true
password_config:
  pepper: s3cr3tP3pp3r
presence:
  enabled: true
suppress_key_server_warning: true
user_directory:
  enabled: true
  prefer_local_users: true
  search_all_users: true
```
Relevant log output
```
2025-06-02 16:57:09,045 - synapse.access.http.8448 - 508 - INFO - GET-153 - 10.89.0.7 - 8448 - {@admin:matrix.local} Processed request: 0.002sec/0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/1) 50B 404 "GET /_synapse/admin/v2/users/@foo:matrix.local HTTP/1.1" "curl/7.88.1" [0 dbevts]
2025-06-02 16:57:17,122 - synapse.handlers.auth - 999 - INFO - POST-154 - Logging in user @admin:matrix.local as @foo:matrix.local
2025-06-02 16:57:17,138 - synapse.access.http.8448 - 508 - INFO - POST-154 - 10.89.0.7 - 8448 - {@admin:matrix.local} Processed request: 0.018sec/0.000sec (0.000sec, 0.001sec) (0.001sec/0.016sec/2) 55B 200 "POST /_synapse/admin/v1/users/@foo:matrix.local/login HTTP/1.1" "curl/7.88.1" [0 dbevts]
2025-06-02 16:57:29,293 - synapse.storage.databases.main.event_push_actions - 1396 - INFO - rotate_notifs-28 - Rotating notifications
2025-06-02 16:57:29,295 - synapse.storage.databases.main.event_push_actions - 1599 - INFO - rotate_notifs-28 - Rotating notifications up to: 1
2025-06-02 16:57:29,296 - synapse.storage.databases.main.event_push_actions - 1685 - INFO - rotate_notifs-28 - Rotating notifications, handling 0 rows
2025-06-02 16:57:29,301 - synapse.storage.databases.main.event_push_actions - 1770 - INFO - rotate_notifs-28 - Rotating notifications, deleted 0 push actions
2025-06-02 16:57:29,312 - synapse.util.caches.lrucache - 217 - INFO - LruCache._expire_old_entries-28 - Dropped 0 items from caches
2025-06-02 16:57:34,966 - synapse.access.http.8448 - 508 - INFO - GET-152 - 10.89.0.7 - 8448 - {@admin:matrix.local} Processed request: 30.003sec/0.001sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 225B 200 "GET /_matrix/client/v3/sync?filter=0&timeout=30000&org.matrix.msc4222.use_state_after=true&set_presence=online&since=s1_17_0_1_3_1_1_8_0_1 HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" [0 dbevts]
```
Anything else that would be useful to know?
No response
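A client-side guard for the behaviour reported above, as an added example that is not part of the original report and not Synapse's own code: it looks the user up with the v2 admin endpoint first and only requests a login-as-user token when the account exists. `login_as_existing_user`, `UnknownUser`, `http_json` and `make_fake_synapse` are hypothetical names, and the fake server's responses are constructed from the two curl results in the report.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


class UnknownUser(Exception):
    """The impersonation target does not exist on the homeserver."""


def http_json(method, url, token):
    """Real transport: send one admin API request, return (status, JSON body)."""
    req = urllib.request.Request(
        url, method=method, data=b"{}" if method == "POST" else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def login_as_existing_user(base_url, admin_token, user_id, transport=http_json):
    """Request a login-as-user token only after the v2 lookup confirms the account."""
    quoted = urllib.parse.quote(user_id, safe="@:")
    status, body = transport("GET", f"{base_url}/_synapse/admin/v2/users/{quoted}", admin_token)
    if status == 404 and body.get("errcode") == "M_NOT_FOUND":
        raise UnknownUser(user_id)  # stop here: never call /login for this ID
    if status != 200:
        raise RuntimeError(f"user lookup failed: {status} {body}")
    status, body = transport("POST", f"{base_url}/_synapse/admin/v1/users/{quoted}/login", admin_token)
    if status != 200:
        raise RuntimeError(f"login-as-user failed: {status} {body}")
    return body["access_token"]


def make_fake_synapse(existing_users):
    """Constructed stand-in that mimics the two responses shown in the report."""
    calls = []

    def transport(method, url, token):
        calls.append((method, url))
        user_id = urllib.parse.unquote(url.split("/users/")[1].split("/")[0])
        if method == "GET":
            if user_id in existing_users:
                return 200, {"name": user_id}
            return 404, {"errcode": "M_NOT_FOUND", "error": "User not found"}
        # Reported behaviour: a token is issued whether or not the user exists.
        return 200, {"access_token": "syt_CONSTRUCTED_" + user_id}

    return transport, calls
```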