watcha
/
watcha-synapse
mirror of https://github.com/watcha-fr/synapse
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

Factor out a validate_user_via_ui_auth method

Browse Source 
Collect together all the places that validate a logged-in user via UI auth.
pull/4/merge
Richard van der Hoff 7 years ago
parent aa6ecf0984
commit d7ea8c4800
3 changed files with 102 additions and 74 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 43
      synapse/handlers/auth.py
  2. 71
      synapse/rest/client/v2_alpha/account.py
  3. 26
      synapse/rest/client/v2_alpha/devices.py

43
synapse/handlers/auth.py
Unescape View File

@ -88,6 +88,49 @@ class AuthHandler(BaseHandler):
) )
self._supported_login_types = frozenset(login_types) self._supported_login_types = frozenset(login_types)
@defer.inlineCallbacks
def validate_user_via_ui_auth(self, requester, request_body, clientip):
"""
Checks that the user is who they claim to be, via a UI auth.
This is used for things like device deletion and password reset where
the user already has a valid access token, but we want to double-check
that it isn't stolen by re-authenticating them.
Args:
requester (Requester): The user, as given by the access token
request_body (dict): The body of the request sent by the client
clientip (str): The IP address of the client.
Returns:
defer.Deferred[dict]: the parameters for this request (which may
have been given only in a previous call).
Raises:
InteractiveAuthIncompleteError if the client has not yet completed
any of the permitted login flows
AuthError if the client has completed a login flow, and it gives
a different user to `requester`
"""
# we only support password login here
flows = [[LoginType.PASSWORD]]
result, params, _ = yield self.check_auth(
flows, request_body, clientip,
)
user_id = result[LoginType.PASSWORD]
# check that the UI auth matched the access token
if user_id != requester.user.to_string():
raise AuthError(403, "Invalid auth")
defer.returnValue(params)
@defer.inlineCallbacks @defer.inlineCallbacks
def check_auth(self, flows, clientdict, clientip): def check_auth(self, flows, clientdict, clientip):
""" """

71
synapse/rest/client/v2_alpha/account.py
Unescape View File

@ -19,7 +19,7 @@ from twisted.internet import defer
from synapse.api.auth import has_access_token from synapse.api.auth import has_access_token
from synapse.api.constants import LoginType from synapse.api.constants import LoginType
from synapse.api.errors import Codes, LoginError, SynapseError from synapse.api.errors import Codes, SynapseError
from synapse.http.servlet import ( from synapse.http.servlet import (
RestServlet, assert_params_in_request, RestServlet, assert_params_in_request,
parse_json_object_from_request, parse_json_object_from_request,
@ -103,26 +103,32 @@ class PasswordRestServlet(RestServlet):
@interactive_auth_handler @interactive_auth_handler
@defer.inlineCallbacks @defer.inlineCallbacks
def on_POST(self, request): def on_POST(self, request):
yield run_on_reactor()
body = parse_json_object_from_request(request) body = parse_json_object_from_request(request)
result, params, _ = yield self.auth_handler.check_auth([ # there are two possibilities here. Either the user does not have an
[LoginType.PASSWORD], # access token, and needs to do a password reset; or they have one and
[LoginType.EMAIL_IDENTITY], # need to validate their identity.
[LoginType.MSISDN], #
], body, self.hs.get_ip_from_request(request)) # In the first case, we offer a couple of means of identifying
# themselves (email and msisdn, though it's unclear if msisdn actually
user_id = None # works).
requester = None #
# In the second case, we require a password to confirm their identity.
if LoginType.PASSWORD in result: if has_access_token(request):
# if using password, they should also be logged in
requester = yield self.auth.get_user_by_req(request) requester = yield self.auth.get_user_by_req(request)
params = yield self.auth_handler.validate_user_via_ui_auth(
requester, body, self.hs.get_ip_from_request(request),
)
user_id = requester.user.to_string() user_id = requester.user.to_string()
if user_id != result[LoginType.PASSWORD]: else:
raise LoginError(400, "", Codes.UNKNOWN) requester = None
elif LoginType.EMAIL_IDENTITY in result: result, params, _ = yield self.auth_handler.check_auth(
[[LoginType.EMAIL_IDENTITY], [LoginType.MSISDN]],
body, self.hs.get_ip_from_request(request),
)
if LoginType.EMAIL_IDENTITY in result:
threepid = result[LoginType.EMAIL_IDENTITY] threepid = result[LoginType.EMAIL_IDENTITY]
if 'medium' not in threepid or 'address' not in threepid: if 'medium' not in threepid or 'address' not in threepid:
raise SynapseError(500, "Malformed threepid") raise SynapseError(500, "Malformed threepid")
@ -171,40 +177,21 @@ class DeactivateAccountRestServlet(RestServlet):
def on_POST(self, request): def on_POST(self, request):
body = parse_json_object_from_request(request) body = parse_json_object_from_request(request)
# if the caller provides an access token, it ought to be valid. requester = yield self.auth.get_user_by_req(request)
requester = None
if has_access_token(request):
requester = yield self.auth.get_user_by_req(
request,
) # type: synapse.types.Requester
# allow ASes to dectivate their own users # allow ASes to dectivate their own users
if requester and requester.app_service: if requester.app_service:
yield self._deactivate_account_handler.deactivate_account( yield self._deactivate_account_handler.deactivate_account(
requester.user.to_string() requester.user.to_string()
) )
defer.returnValue((200, {})) defer.returnValue((200, {}))
result, params, _ = yield self.auth_handler.check_auth([ yield self.auth_handler.validate_user_via_ui_auth(
[LoginType.PASSWORD], requester, body, self.hs.get_ip_from_request(request),
], body, self.hs.get_ip_from_request(request)) )
yield self._deactivate_account_handler.deactivate_account(
if LoginType.PASSWORD in result: requester.user.to_string(),
user_id = result[LoginType.PASSWORD]
# if using password, they should also be logged in
if requester is None:
raise SynapseError(
400,
"Deactivate account requires an access_token",
errcode=Codes.MISSING_TOKEN
) )
if requester.user.to_string() != user_id:
raise LoginError(400, "", Codes.UNKNOWN)
else:
logger.error("Auth succeeded but no known type!", result.keys())
raise SynapseError(500, "", Codes.UNKNOWN)
yield self._deactivate_account_handler.deactivate_account(user_id)
defer.returnValue((200, {})) defer.returnValue((200, {}))

26
synapse/rest/client/v2_alpha/devices.py
Unescape View File

@ -17,7 +17,7 @@ import logging
from twisted.internet import defer from twisted.internet import defer
from synapse.api import constants, errors from synapse.api import errors
from synapse.http import servlet from synapse.http import servlet
from ._base import client_v2_patterns, interactive_auth_handler from ._base import client_v2_patterns, interactive_auth_handler
@ -63,6 +63,8 @@ class DeleteDevicesRestServlet(servlet.RestServlet):
@interactive_auth_handler @interactive_auth_handler
@defer.inlineCallbacks @defer.inlineCallbacks
def on_POST(self, request): def on_POST(self, request):
requester = yield self.auth.get_user_by_req(request)
try: try:
body = servlet.parse_json_object_from_request(request) body = servlet.parse_json_object_from_request(request)
except errors.SynapseError as e: except errors.SynapseError as e:
@ -78,11 +80,10 @@ class DeleteDevicesRestServlet(servlet.RestServlet):
400, "No devices supplied", errcode=errors.Codes.MISSING_PARAM 400, "No devices supplied", errcode=errors.Codes.MISSING_PARAM
) )
result, params, _ = yield self.auth_handler.check_auth([ result, params, _ = yield self.auth_handler.validate_user_via_ui_auth(
[constants.LoginType.PASSWORD], requester, body, self.hs.get_ip_from_request(request),
], body, self.hs.get_ip_from_request(request)) )
requester = yield self.auth.get_user_by_req(request)
yield self.device_handler.delete_devices( yield self.device_handler.delete_devices(
requester.user.to_string(), requester.user.to_string(),
body['devices'], body['devices'],
@ -129,16 +130,13 @@ class DeviceRestServlet(servlet.RestServlet):
else: else:
raise raise
result, params, _ = yield self.auth_handler.check_auth([ yield self.auth_handler.validate_user_via_ui_auth(
[constants.LoginType.PASSWORD], requester, body, self.hs.get_ip_from_request(request),
], body, self.hs.get_ip_from_request(request)) )
# check that the UI auth matched the access token
user_id = result[constants.LoginType.PASSWORD]
if user_id != requester.user.to_string():
raise errors.AuthError(403, "Invalid auth")
yield self.device_handler.delete_device(user_id, device_id) yield self.device_handler.delete_device(
requester.user.to_string(), device_id,
)
defer.returnValue((200, {})) defer.returnValue((200, {}))
@defer.inlineCallbacks @defer.inlineCallbacks

Write Preview
Loading…
Cancel
Save