mirror of
https://github.com/element-hq/synapse.git
synced 2024-12-14 11:57:44 +00:00
Revert "Merge pull request #7315 from matrix-org/babolivier/request_token"
This reverts commit6f4319368b
, reversing changes made to0d775fcc2d
.
This commit is contained in:
parent
6f4319368b
commit
1adf6a5587
7 changed files with 3 additions and 121 deletions
|
@ -1 +0,0 @@
|
||||||
Allow `/requestToken` endpoints to hide the existence (or lack thereof) of 3PID associations on the homeserver.
|
|
|
@ -409,16 +409,6 @@ retention:
|
||||||
# longest_max_lifetime: 1y
|
# longest_max_lifetime: 1y
|
||||||
# interval: 1d
|
# interval: 1d
|
||||||
|
|
||||||
# Inhibits the /requestToken endpoints from returning an error that might leak
|
|
||||||
# information about whether an e-mail address is in use or not on this
|
|
||||||
# homeserver.
|
|
||||||
# Note that for some endpoints the error situation is the e-mail already being
|
|
||||||
# used, and for others the error is entering the e-mail being unused.
|
|
||||||
# If this option is enabled, instead of returning an error, these endpoints will
|
|
||||||
# act as if no error happened and return a fake session ID ('sid') to clients.
|
|
||||||
#
|
|
||||||
#request_token_inhibit_3pid_errors: true
|
|
||||||
|
|
||||||
|
|
||||||
## TLS ##
|
## TLS ##
|
||||||
|
|
||||||
|
|
|
@ -507,17 +507,6 @@ class ServerConfig(Config):
|
||||||
|
|
||||||
self.enable_ephemeral_messages = config.get("enable_ephemeral_messages", False)
|
self.enable_ephemeral_messages = config.get("enable_ephemeral_messages", False)
|
||||||
|
|
||||||
# Inhibits the /requestToken endpoints from returning an error that might leak
|
|
||||||
# information about whether an e-mail address is in use or not on this
|
|
||||||
# homeserver, and instead return a 200 with a fake sid if this kind of error is
|
|
||||||
# met, without sending anything.
|
|
||||||
# This is a compromise between sending an email, which could be a spam vector,
|
|
||||||
# and letting the client know which email address is bound to an account and
|
|
||||||
# which one isn't.
|
|
||||||
self.request_token_inhibit_3pid_errors = config.get(
|
|
||||||
"request_token_inhibit_3pid_errors", False,
|
|
||||||
)
|
|
||||||
|
|
||||||
def has_tls_listener(self) -> bool:
|
def has_tls_listener(self) -> bool:
|
||||||
return any(l["tls"] for l in self.listeners)
|
return any(l["tls"] for l in self.listeners)
|
||||||
|
|
||||||
|
@ -978,16 +967,6 @@ class ServerConfig(Config):
|
||||||
# - shortest_max_lifetime: 3d
|
# - shortest_max_lifetime: 3d
|
||||||
# longest_max_lifetime: 1y
|
# longest_max_lifetime: 1y
|
||||||
# interval: 1d
|
# interval: 1d
|
||||||
|
|
||||||
# Inhibits the /requestToken endpoints from returning an error that might leak
|
|
||||||
# information about whether an e-mail address is in use or not on this
|
|
||||||
# homeserver.
|
|
||||||
# Note that for some endpoints the error situation is the e-mail already being
|
|
||||||
# used, and for others the error is entering the e-mail being unused.
|
|
||||||
# If this option is enabled, instead of returning an error, these endpoints will
|
|
||||||
# act as if no error happened and return a fake session ID ('sid') to clients.
|
|
||||||
#
|
|
||||||
#request_token_inhibit_3pid_errors: true
|
|
||||||
"""
|
"""
|
||||||
% locals()
|
% locals()
|
||||||
)
|
)
|
||||||
|
|
|
@ -30,7 +30,7 @@ from synapse.http.servlet import (
|
||||||
)
|
)
|
||||||
from synapse.push.mailer import Mailer, load_jinja2_templates
|
from synapse.push.mailer import Mailer, load_jinja2_templates
|
||||||
from synapse.util.msisdn import phone_number_to_msisdn
|
from synapse.util.msisdn import phone_number_to_msisdn
|
||||||
from synapse.util.stringutils import assert_valid_client_secret, random_string
|
from synapse.util.stringutils import assert_valid_client_secret
|
||||||
from synapse.util.threepids import check_3pid_allowed
|
from synapse.util.threepids import check_3pid_allowed
|
||||||
|
|
||||||
from ._base import client_patterns, interactive_auth_handler
|
from ._base import client_patterns, interactive_auth_handler
|
||||||
|
@ -100,11 +100,6 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
|
||||||
)
|
)
|
||||||
|
|
||||||
if existing_user_id is None:
|
if existing_user_id is None:
|
||||||
if self.config.request_token_inhibit_3pid_errors:
|
|
||||||
# Make the client think the operation succeeded. See the rationale in the
|
|
||||||
# comments for request_token_inhibit_3pid_errors.
|
|
||||||
return 200, {"sid": random_string(16)}
|
|
||||||
|
|
||||||
raise SynapseError(400, "Email not found", Codes.THREEPID_NOT_FOUND)
|
raise SynapseError(400, "Email not found", Codes.THREEPID_NOT_FOUND)
|
||||||
|
|
||||||
if self.config.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
if self.config.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
||||||
|
@ -383,11 +378,6 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
|
||||||
)
|
)
|
||||||
|
|
||||||
if existing_user_id is not None:
|
if existing_user_id is not None:
|
||||||
if self.config.request_token_inhibit_3pid_errors:
|
|
||||||
# Make the client think the operation succeeded. See the rationale in the
|
|
||||||
# comments for request_token_inhibit_3pid_errors.
|
|
||||||
return 200, {"sid": random_string(16)}
|
|
||||||
|
|
||||||
raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE)
|
raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE)
|
||||||
|
|
||||||
if self.config.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
if self.config.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
||||||
|
@ -451,11 +441,6 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet):
|
||||||
existing_user_id = await self.store.get_user_id_by_threepid("msisdn", msisdn)
|
existing_user_id = await self.store.get_user_id_by_threepid("msisdn", msisdn)
|
||||||
|
|
||||||
if existing_user_id is not None:
|
if existing_user_id is not None:
|
||||||
if self.hs.config.request_token_inhibit_3pid_errors:
|
|
||||||
# Make the client think the operation succeeded. See the rationale in the
|
|
||||||
# comments for request_token_inhibit_3pid_errors.
|
|
||||||
return 200, {"sid": random_string(16)}
|
|
||||||
|
|
||||||
raise SynapseError(400, "MSISDN is already in use", Codes.THREEPID_IN_USE)
|
raise SynapseError(400, "MSISDN is already in use", Codes.THREEPID_IN_USE)
|
||||||
|
|
||||||
if not self.hs.config.account_threepid_delegate_msisdn:
|
if not self.hs.config.account_threepid_delegate_msisdn:
|
||||||
|
|
|
@ -49,7 +49,7 @@ from synapse.http.servlet import (
|
||||||
from synapse.push.mailer import load_jinja2_templates
|
from synapse.push.mailer import load_jinja2_templates
|
||||||
from synapse.util.msisdn import phone_number_to_msisdn
|
from synapse.util.msisdn import phone_number_to_msisdn
|
||||||
from synapse.util.ratelimitutils import FederationRateLimiter
|
from synapse.util.ratelimitutils import FederationRateLimiter
|
||||||
from synapse.util.stringutils import assert_valid_client_secret, random_string
|
from synapse.util.stringutils import assert_valid_client_secret
|
||||||
from synapse.util.threepids import check_3pid_allowed
|
from synapse.util.threepids import check_3pid_allowed
|
||||||
|
|
||||||
from ._base import client_patterns, interactive_auth_handler
|
from ._base import client_patterns, interactive_auth_handler
|
||||||
|
@ -135,11 +135,6 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
|
||||||
)
|
)
|
||||||
|
|
||||||
if existing_user_id is not None:
|
if existing_user_id is not None:
|
||||||
if self.hs.config.request_token_inhibit_3pid_errors:
|
|
||||||
# Make the client think the operation succeeded. See the rationale in the
|
|
||||||
# comments for request_token_inhibit_3pid_errors.
|
|
||||||
return 200, {"sid": random_string(16)}
|
|
||||||
|
|
||||||
raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE)
|
raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE)
|
||||||
|
|
||||||
if self.config.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
if self.config.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
||||||
|
@ -207,11 +202,6 @@ class MsisdnRegisterRequestTokenRestServlet(RestServlet):
|
||||||
)
|
)
|
||||||
|
|
||||||
if existing_user_id is not None:
|
if existing_user_id is not None:
|
||||||
if self.hs.config.request_token_inhibit_3pid_errors:
|
|
||||||
# Make the client think the operation succeeded. See the rationale in the
|
|
||||||
# comments for request_token_inhibit_3pid_errors.
|
|
||||||
return 200, {"sid": random_string(16)}
|
|
||||||
|
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
400, "Phone number is already in use", Codes.THREEPID_IN_USE
|
400, "Phone number is already in use", Codes.THREEPID_IN_USE
|
||||||
)
|
)
|
||||||
|
|
|
@ -178,22 +178,6 @@ class PasswordResetTestCase(unittest.HomeserverTestCase):
|
||||||
# Assert we can't log in with the new password
|
# Assert we can't log in with the new password
|
||||||
self.attempt_wrong_password_login("kermit", new_password)
|
self.attempt_wrong_password_login("kermit", new_password)
|
||||||
|
|
||||||
@unittest.override_config({"request_token_inhibit_3pid_errors": True})
|
|
||||||
def test_password_reset_bad_email_inhibit_error(self):
|
|
||||||
"""Test that triggering a password reset with an email address that isn't bound
|
|
||||||
to an account doesn't leak the lack of binding for that address if configured
|
|
||||||
that way.
|
|
||||||
"""
|
|
||||||
self.register_user("kermit", "monkey")
|
|
||||||
self.login("kermit", "monkey")
|
|
||||||
|
|
||||||
email = "test@example.com"
|
|
||||||
|
|
||||||
client_secret = "foobar"
|
|
||||||
session_id = self._request_token(email, client_secret)
|
|
||||||
|
|
||||||
self.assertIsNotNone(session_id)
|
|
||||||
|
|
||||||
def _request_token(self, email, client_secret):
|
def _request_token(self, email, client_secret):
|
||||||
request, channel = self.make_request(
|
request, channel = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
|
|
|
@ -33,11 +33,7 @@ from tests import unittest
|
||||||
|
|
||||||
class RegisterRestServletTestCase(unittest.HomeserverTestCase):
|
class RegisterRestServletTestCase(unittest.HomeserverTestCase):
|
||||||
|
|
||||||
servlets = [
|
servlets = [register.register_servlets]
|
||||||
login.register_servlets,
|
|
||||||
register.register_servlets,
|
|
||||||
synapse.rest.admin.register_servlets,
|
|
||||||
]
|
|
||||||
url = b"/_matrix/client/r0/register"
|
url = b"/_matrix/client/r0/register"
|
||||||
|
|
||||||
def default_config(self, name="test"):
|
def default_config(self, name="test"):
|
||||||
|
@ -264,47 +260,6 @@ class RegisterRestServletTestCase(unittest.HomeserverTestCase):
|
||||||
[["m.login.email.identity"]], (f["stages"] for f in flows)
|
[["m.login.email.identity"]], (f["stages"] for f in flows)
|
||||||
)
|
)
|
||||||
|
|
||||||
@unittest.override_config(
|
|
||||||
{
|
|
||||||
"request_token_inhibit_3pid_errors": True,
|
|
||||||
"public_baseurl": "https://test_server",
|
|
||||||
"email": {
|
|
||||||
"smtp_host": "mail_server",
|
|
||||||
"smtp_port": 2525,
|
|
||||||
"notif_from": "sender@host",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
)
|
|
||||||
def test_request_token_existing_email_inhibit_error(self):
|
|
||||||
"""Test that requesting a token via this endpoint doesn't leak existing
|
|
||||||
associations if configured that way.
|
|
||||||
"""
|
|
||||||
user_id = self.register_user("kermit", "monkey")
|
|
||||||
self.login("kermit", "monkey")
|
|
||||||
|
|
||||||
email = "test@example.com"
|
|
||||||
|
|
||||||
# Add a threepid
|
|
||||||
self.get_success(
|
|
||||||
self.hs.get_datastore().user_add_threepid(
|
|
||||||
user_id=user_id,
|
|
||||||
medium="email",
|
|
||||||
address=email,
|
|
||||||
validated_at=0,
|
|
||||||
added_at=0,
|
|
||||||
)
|
|
||||||
)
|
|
||||||
|
|
||||||
request, channel = self.make_request(
|
|
||||||
"POST",
|
|
||||||
b"register/email/requestToken",
|
|
||||||
{"client_secret": "foobar", "email": email, "send_attempt": 1},
|
|
||||||
)
|
|
||||||
self.render(request)
|
|
||||||
self.assertEquals(200, channel.code, channel.result)
|
|
||||||
|
|
||||||
self.assertIsNotNone(channel.json_body.get("sid"))
|
|
||||||
|
|
||||||
|
|
||||||
class AccountValidityTestCase(unittest.HomeserverTestCase):
|
class AccountValidityTestCase(unittest.HomeserverTestCase):
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue