10
45
Fork
You've already forked doipjs
28

Matrix claim verification broken — server-side bot cannot access #doipver:matrix.org events #179

Open
opened 2026年04月05日 19:44:07 +02:00 by jmrplens · 0 comments

Description

Matrix identity claim verification on keyoxide.org consistently fails with "The claim COULD NOT BE verified by the proof" despite the proof being correctly set up and the Matrix event being accessible.

Setup

PGP notation (on all UIDs):

proof@ariadne.id=matrix:u/jmrplens:matrix.jmrp.io?org.keyoxide.r=dBfQZxCoGVmSTujfiv:matrix.org&org.keyoxide.e=tsThbgplkWUMLHnv_q4PgzfjqFkZ4QSMGI0vWwqwWb8

Matrix proof event posted in #doipver:matrix.org:

{
 "sender": "@jmrplens:matrix.jmrp.io",
 "content": {
 "msgtype": "m.text",
 "body": "openpgp4fpr:0A993B268654DBBA52B7E8D3FCF653391E2C91FC"
 },
 "event_id": "",
 "type": "m.room.message"
}

What Keyoxide shows

@jmrplens:matrix.jmrp.io [Matrix]
Profile link: https://matrix.to/#/@jmrplens:matrix.jmrp.io
Claim verification has completed.
The claim COULD NOT BE verified by the proof.

Root cause analysis

After investigating the doipjs source code src/fetcher/matrix.js, the Matrix fetcher requires server-side credentials:

const url = `https://INSTANCE/_matrix/client/r0/rooms/ROOMID/event/EVENTID?access_token=TOKEN`

This means keyoxide.org must have a Matrix bot account that:

  1. Has a valid access token (opts.claims.matrix.accessToken)

The event IS accessible — I verified it directly via the Matrix Client-Server API using an authenticated account that is a member of the room. The event exists, contains the correct fingerprint, and was sent by my Matrix identity.

The Keyoxide bot appears to have lost access — either the access token has expired/been revoked, or the bot is no longer a member of the #doipver:matrix.org room.

Evidence this is a known systemic issue

  1. Issue #86 (Discord) — When implementing Discord verification, the developer explicitly states: "the Matrix approach does not work" as justification for using a different approach for Discord. This suggests developers are already aware Matrix verification is broken.

  2. PR #26 (Decentralized Matrix verification) — Proposed switching from the centralized #doipver:matrix.org room to a decentralized approach using room topics. This PR has been open since September 2022 and is stalled due to federation issues (room previews return M_FORBIDDEN across instances).

  3. Issue #67 (Reddit) — Shows a similar pattern where an external service loses access and verification silently breaks for all users.

Impact

  • All Matrix claim verifications on keyoxide.org are broken, not just mine
  • Users follow the documentation, set everything up correctly, but verification always fails
  • There is no error message indicating this is a server-side issue — users are left debugging their own (correct) setup

Suggested fixes

Short-term: Restore the Matrix bot access to #doipver:matrix.org on keyoxide.org (refresh the access token and/or rejoin the room).

Long-term (any of these):

  • Merge/revive PR #26 decentralized approach (room topic-based verification instead of centralized room)
  • Add a health check endpoint that monitors whether the Matrix bot can access the room
  • Add a clear error message when the server-side Matrix fetcher fails (currently fails silently as "could not verify")
  • Document the centralized room dependency so self-hosters know they must configure their own Matrix bot

Environment

  • doipjs version: as used by keyoxide-web 5.1.0
  • Matrix homeserver: matrix.jmrp.io (Synapse v1.147.1, federated with matrix.org)
### Description Matrix identity claim verification on keyoxide.org consistently fails with "The claim COULD NOT BE verified by the proof" despite the proof being correctly set up and the Matrix event being accessible. ### Setup - **OpenPGP fingerprint:** `0A993B268654DBBA52B7E8D3FCF653391E2C91FC` - **Keyoxide profile:** https://keyoxide.org/0A993B268654DBBA52B7E8D3FCF653391E2C91FC - **Matrix user:** `@jmrplens:matrix.jmrp.io` - **Keyoxide version:** keyoxide-web/5.1.0+3f51dc5c8c **PGP notation (on all UIDs):** ``` proof@ariadne.id=matrix:u/jmrplens:matrix.jmrp.io?org.keyoxide.r=dBfQZxCoGVmSTujfiv:matrix.org&org.keyoxide.e=tsThbgplkWUMLHnv_q4PgzfjqFkZ4QSMGI0vWwqwWb8 ``` **Matrix proof event posted in `#doipver:matrix.org`:** ```json { "sender": "@jmrplens:matrix.jmrp.io", "content": { "msgtype": "m.text", "body": "openpgp4fpr:0A993B268654DBBA52B7E8D3FCF653391E2C91FC" }, "event_id": "", "type": "m.room.message" } ``` ### What Keyoxide shows ``` @jmrplens:matrix.jmrp.io [Matrix] Profile link: https://matrix.to/#/@jmrplens:matrix.jmrp.io Claim verification has completed. The claim COULD NOT BE verified by the proof. ``` ### Root cause analysis After investigating the doipjs source code [`src/fetcher/matrix.js`](https://codeberg.org/keyoxide/doipjs/src/branch/main/src/fetcher/matrix.js), the Matrix fetcher requires server-side credentials: ```javascript const url = `https://INSTANCE/_matrix/client/r0/rooms/ROOMID/event/EVENTID?access_token=TOKEN` ``` This means keyoxide.org must have a Matrix bot account that: 1. Has a valid access token (`opts.claims.matrix.accessToken`) **The event IS accessible** — I verified it directly via the Matrix Client-Server API using an authenticated account that is a member of the room. The event exists, contains the correct fingerprint, and was sent by my Matrix identity. **The Keyoxide bot appears to have lost access** — either the access token has expired/been revoked, or the bot is no longer a member of the `#doipver:matrix.org` room. ### Evidence this is a known systemic issue 1. **Issue #86 (Discord)** — When implementing Discord verification, the developer explicitly states: *"the Matrix approach does not work"* as justification for using a different approach for Discord. This suggests developers are already aware Matrix verification is broken. 2. **PR #26 (Decentralized Matrix verification)** — Proposed switching from the centralized `#doipver:matrix.org` room to a decentralized approach using room topics. This PR has been open since September 2022 and is stalled due to federation issues (room previews return `M_FORBIDDEN` across instances). 3. **Issue #67 (Reddit)** — Shows a similar pattern where an external service loses access and verification silently breaks for all users. ### Impact - **All Matrix claim verifications on keyoxide.org are broken**, not just mine - Users follow the documentation, set everything up correctly, but verification always fails - There is no error message indicating this is a server-side issue — users are left debugging their own (correct) setup ### Suggested fixes **Short-term:** Restore the Matrix bot access to `#doipver:matrix.org` on keyoxide.org (refresh the access token and/or rejoin the room). **Long-term (any of these):** - Merge/revive PR #26 decentralized approach (room topic-based verification instead of centralized room) - Add a health check endpoint that monitors whether the Matrix bot can access the room - Add a clear error message when the server-side Matrix fetcher fails (currently fails silently as "could not verify") - Document the centralized room dependency so self-hosters know they must configure their own Matrix bot ### Environment - doipjs version: as used by keyoxide-web 5.1.0 - Matrix homeserver: matrix.jmrp.io (Synapse v1.147.1, federated with matrix.org)
Sign in to join this conversation.
No Branch/Tag specified
main
dev
fix-irc-fetcher
new-claim-eveonline-143
prepare-new-release
fix-jsdoc-types
yarn-to-npm
support-openpgp-aspe-claims
support-html-alias
improve-activitypub-support
v1-restructure
into-es-module
support-aspe
fix-js-lsp-issues
improve-linting
add-markers
support-opencollective-claim
support-entity-decoding
use-rome-tools
support-cloudflare-buster
support-fediverse-posts
matrix-room-verification
2.1.0
2.1.0-rc.3
2.1.0-rc.2
2.1.0-rc.1
2.0.1
2.0.0
2.0.0-rc.1
1.2.9
1.2.8
1.2.7
1.2.6
1.2.5
1.2.4
1.2.3
1.2.2
1.2.1
1.1.1
1.1.0
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0
v0.19.1-alpha.0
0.19.0
0.18.3
0.18.2
0.18.1
0.18.0
0.17.5
0.17.4
0.17.3
0.17.2
0.17.1
0.17.0
0.16.4
0.16.3
0.16.2
0.16.1
0.16.0
0.15.7
0.15.6
0.15.5
0.15.4
0.15.3
0.15.2
0.15.1
0.15.0
0.14.0
0.13.0
0.12.9
0.12.8
0.12.7
0.12.6
0.12.5
0.12.4
0.12.3
0.12.2
0.12.1
0.12.0
0.11.2
0.11.1
0.11.0
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.4
0.9.3
0.9.2
0.9.1
0.9.0
0.8.5
0.8.4
0.8.3
0.8.1
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.0
0.5.1
0.5.0
0.4.2
0.4.1
0.4.0
0.3.0
0.2.0
Labels
Clear labels
bug
Something is not working

Archived

enhancement
New feature

Archived

Contribution welcome
Get started contributing here
Good first issue
Good if you are new to the project or to open source contributions
Impact
External
Affects the people using the project
Impact
Internal
Affects on the people working on the project
Priority
Critical
Work on right now
Priority
High
Work on at earliest convenience
Priority
Low
Work on in spare time
Priority
Medium
Work on regularly
Review
Duplicate
Already exists
Review
Off Topic
Does not fall within the scope of the repo/project
Status
Backlog
Is not being worked on yet
Status
Blocked
Is waiting on something or someone
Status
Completed
Is done
Status
In Progress
Is being worked on
Status
Investigating
Is waiting on research or questions
Status
Needs Decision
Is waiting on a decision by the devs/contributors
Status
Needs Info
Is waiting on additional information before it can be solved
Status
Needs Triage
Is new issue that needs reviewing
Status
Testing
Is being checked and verified
Status
Waiting For Review
Is waiting on reviewers to approve
Status
Won't Fix
Won't be fixed
Type
Bug
Related to something not working as intended
Type
CI
Related to continuous integration
Type
Documentation
Related to documentation
Type
Enhancement
Related to a new feature or an improved one
Type
New Claim
Related to a new identity claim/proof
Type
Security
Related to security
Type
Tests
Related to code tests
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
keyoxide/doipjs#179
Reference in a new issue
keyoxide/doipjs
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?