diff options
| -rw-r--r-- | synapse/rest/client/v2_alpha/register.py | 8 | ||||
| -rw-r--r-- | synapse/util/threepids.py | 25 |
2 files changed, 28 insertions, 5 deletions
diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py index ae1a8c4e6c..c589dd6c78 100644 --- a/synapse/rest/client/v2_alpha/register.py +++ b/synapse/rest/client/v2_alpha/register.py @@ -117,7 +117,7 @@ class EmailRegisterRequestTokenRestServlet(RestServlet): send_attempt = body["send_attempt"] next_link = body.get("next_link") # Optional param - if not await check_3pid_allowed(self.hs, "email", email): + if not await check_3pid_allowed(self.hs, "email", email, during_registration=True): raise SynapseError( 403, "You currently can't create an account with this email address", @@ -192,7 +192,7 @@ class MsisdnRegisterRequestTokenRestServlet(RestServlet): msisdn = phone_number_to_msisdn(country, phone_number) - if not await check_3pid_allowed(self.hs, "msisdn", msisdn): + if not await check_3pid_allowed(self.hs, "msisdn", msisdn, during_registration=True): raise SynapseError( 403, "Phone numbers are not authorized to register on this server", @@ -535,7 +535,9 @@ class RegisterRestServlet(RestServlet): medium = auth_result[login_type]["medium"] address = auth_result[login_type]["address"] - if not await check_3pid_allowed(self.hs, medium, address): + if not await check_3pid_allowed( + self.hs, medium, address, during_registration=True + ): raise SynapseError( 403, "Third party identifiers (email/phone numbers)" diff --git a/synapse/util/threepids.py b/synapse/util/threepids.py index bd63b9107e..527d873935 100644 --- a/synapse/util/threepids.py +++ b/synapse/util/threepids.py @@ -19,7 +19,7 @@ import re logger = logging.getLogger(__name__) -async def check_3pid_allowed(hs, medium, address): +async def check_3pid_allowed(hs, medium, address, during_registration: bool = False): """Checks whether a given format of 3PID is allowed to be used on this HS Args: @@ -27,11 +27,19 @@ async def check_3pid_allowed(hs, medium, address): medium (str): 3pid medium - e.g. email, msisdn address (str): address within that medium (e.g. "wotan@matrix.org") msisdns need to first have been canonicalised + during_registration: Whether this request has been made while registering a new + user. Returns: bool: whether the 3PID medium/address is allowed to be added to this HS """ - if hs.config.check_is_for_allowed_local_3pids: + if hs.config.check_is_for_allowed_local_3pids and during_registration: + # If this 3pid is being approved as part of registering a new user, + # we'll want to make sure the 3pid has been invited by someone already. + # + # We condition on registration so that user 3pids do not require an invite while + # doing tasks other than registration, such as resetting their password or adding a + # second email to their account. data = await hs.get_simple_http_client().get_json( "https://%s%s" % ( hs.config.check_is_for_allowed_local_3pids, @@ -39,6 +47,10 @@ async def check_3pid_allowed(hs, medium, address): ), {'medium': medium, 'address': address} ) + logger.info( + "Received internal-info data for medium '%s', address '%s': %s", + medium, address, data, + ) # Check for invalid response if 'hs' not in data and 'shadow_hs' not in data: @@ -49,10 +61,19 @@ async def check_3pid_allowed(hs, medium, address): data.get('hs') != hs.config.server_name and data.get('shadow_hs') != hs.config.server_name ): + logger.info( + "%s did not match %s or %s did not match %s", + data.get("hs"), hs.config.server_name, + data.get("shadow_hs"), hs.config.server_name, + ) return False if data.get('requires_invite', False) and not data.get('invited', False): # Requires an invite but hasn't been invited + logger.info( + "3PID check failed due to 'required_invite' = '%s' and 'invited' = '%s'", + data.get('required_invite'), data.get("invited"), + ) return False return True |