Stop putting a time caveat on access tokens

The 'time' caveat on the access tokens was something of a lie, since we weren't enforcing it; more pertinently its presence stops us ever adding useful time caveats. Let's move in the right direction by not lying in our caveats.
author: Richard van der Hoff <richard@matrix.org> 2016-11-28 09:55:21 +0000
committer: Richard van der Hoff <richard@matrix.org> 2016-11-29 16:49:41 +0000
commit: 1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd (patch)
tree: 1aa5d1b54239c730c32cab8d05abf405cd6e2ff9 /synapse/api/auth.py
parent: Merge pull request #1655 from matrix-org/rav/remove_redundant_macaroon_checks (diff)
download: synapse-1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 1ab27da941..77ff55cddf 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -810,6 +810,10 @@ class Auth(object):
         else:
             v.satisfy_general(lambda c: c.startswith("time < "))
 
+        # access_tokens and refresh_tokens include a nonce for uniqueness: any
+        # value is acceptable
+        v.satisfy_general(lambda c: c.startswith("nonce = "))
+
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
     def _verify_expiry(self, caveat):
author	Richard van der Hoff <richard@matrix.org>	2016-11-28 09:55:21 +0000
committer	Richard van der Hoff <richard@matrix.org>	2016-11-29 16:49:41 +0000
commit	1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd (patch)
tree	1aa5d1b54239c730c32cab8d05abf405cd6e2ff9 /synapse/api/auth.py
parent	Merge pull request #1655 from matrix-org/rav/remove_redundant_macaroon_checks (diff)
download	synapse-1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd.tar.xz