diff --git a/synapse/rest/admin/devices.py b/synapse/rest/admin/devices.py
index 3b2f2d9abb..11ebed9bfd 100644
--- a/synapse/rest/admin/devices.py
+++ b/synapse/rest/admin/devices.py
@@ -137,6 +137,35 @@ class DevicesRestServlet(RestServlet):
devices = await self.device_handler.get_devices_by_user(target_user.to_string())
return HTTPStatus.OK, {"devices": devices, "total": len(devices)}
+ async def on_POST(
+ self, request: SynapseRequest, user_id: str
+ ) -> Tuple[int, JsonDict]:
+ """Creates a new device for the user."""
+ await assert_requester_is_admin(self.auth, request)
+
+ target_user = UserID.from_string(user_id)
+ if not self.is_mine(target_user):
+ raise SynapseError(
+ HTTPStatus.BAD_REQUEST, "Can only create devices for local users"
+ )
+
+ u = await self.store.get_user_by_id(target_user.to_string())
+ if u is None:
+ raise NotFoundError("Unknown user")
+
+ body = parse_json_object_from_request(request)
+ device_id = body.get("device_id")
+ if not device_id:
+ raise SynapseError(HTTPStatus.BAD_REQUEST, "Missing device_id")
+ if not isinstance(device_id, str):
+ raise SynapseError(HTTPStatus.BAD_REQUEST, "device_id must be a string")
+
+ await self.device_handler.check_device_registered(
+ user_id=user_id, device_id=device_id
+ )
+
+ return HTTPStatus.CREATED, {}
+
class DeleteDevicesRestServlet(RestServlet):
"""
diff --git a/synapse/rest/client/login.py b/synapse/rest/client/login.py
index a348720131..afdbf821b5 100644
--- a/synapse/rest/client/login.py
+++ b/synapse/rest/client/login.py
@@ -87,11 +87,6 @@ class LoginRestServlet(RestServlet):
# JWT configuration variables.
self.jwt_enabled = hs.config.jwt.jwt_enabled
- self.jwt_secret = hs.config.jwt.jwt_secret
- self.jwt_subject_claim = hs.config.jwt.jwt_subject_claim
- self.jwt_algorithm = hs.config.jwt.jwt_algorithm
- self.jwt_issuer = hs.config.jwt.jwt_issuer
- self.jwt_audiences = hs.config.jwt.jwt_audiences
# SSO configuration.
self.saml2_enabled = hs.config.saml2.saml2_enabled
@@ -427,7 +422,7 @@ class LoginRestServlet(RestServlet):
self, login_submission: JsonDict, should_issue_refresh_token: bool = False
) -> LoginResponse:
"""
- Handle the final stage of SSO login.
+ Handle token login.
Args:
login_submission: The JSON request body.
@@ -452,72 +447,24 @@ class LoginRestServlet(RestServlet):
async def _do_jwt_login(
self, login_submission: JsonDict, should_issue_refresh_token: bool = False
) -> LoginResponse:
- token = login_submission.get("token", None)
- if token is None:
- raise LoginError(
- 403, "Token field for JWT is missing", errcode=Codes.FORBIDDEN
- )
-
- from authlib.jose import JsonWebToken, JWTClaims
- from authlib.jose.errors import BadSignatureError, InvalidClaimError, JoseError
-
- jwt = JsonWebToken([self.jwt_algorithm])
- claim_options = {}
- if self.jwt_issuer is not None:
- claim_options["iss"] = {"value": self.jwt_issuer, "essential": True}
- if self.jwt_audiences is not None:
- claim_options["aud"] = {"values": self.jwt_audiences, "essential": True}
-
- try:
- claims = jwt.decode(
- token,
- key=self.jwt_secret,
- claims_cls=JWTClaims,
- claims_options=claim_options,
- )
- except BadSignatureError:
- # We handle this case separately to provide a better error message
- raise LoginError(
- 403,
- "JWT validation failed: Signature verification failed",
- errcode=Codes.FORBIDDEN,
- )
- except JoseError as e:
- # A JWT error occurred, return some info back to the client.
- raise LoginError(
- 403,
- "JWT validation failed: %s" % (str(e),),
- errcode=Codes.FORBIDDEN,
- )
-
- try:
- claims.validate(leeway=120) # allows 2 min of clock skew
-
- # Enforce the old behavior which is rolled out in productive
- # servers: if the JWT contains an 'aud' claim but none is
- # configured, the login attempt will fail
- if claims.get("aud") is not None:
- if self.jwt_audiences is None or len(self.jwt_audiences) == 0:
- raise InvalidClaimError("aud")
- except JoseError as e:
- raise LoginError(
- 403,
- "JWT validation failed: %s" % (str(e),),
- errcode=Codes.FORBIDDEN,
- )
+ """
+ Handle the custom JWT login.
- user = claims.get(self.jwt_subject_claim, None)
- if user is None:
- raise LoginError(403, "Invalid JWT", errcode=Codes.FORBIDDEN)
+ Args:
+ login_submission: The JSON request body.
+ should_issue_refresh_token: True if this login should issue
+ a refresh token alongside the access token.
- user_id = UserID(user, self.hs.hostname).to_string()
- result = await self._complete_login(
+ Returns:
+ The body of the JSON response.
+ """
+ user_id = await self.hs.get_jwt_handler().validate_login(login_submission)
+ return await self._complete_login(
user_id,
login_submission,
create_non_existent_users=True,
should_issue_refresh_token=should_issue_refresh_token,
)
- return result
def _get_auth_flow_dict_for_idp(idp: SsoIdentityProvider) -> JsonDict:
diff --git a/synapse/rest/client/mutual_rooms.py b/synapse/rest/client/mutual_rooms.py
index 38ef4e459f..c99445da30 100644
--- a/synapse/rest/client/mutual_rooms.py
+++ b/synapse/rest/client/mutual_rooms.py
@@ -12,13 +12,14 @@
# See the License for the specific language governing permissions and
# limitations under the License.
import logging
-from typing import TYPE_CHECKING, Tuple
+from http import HTTPStatus
+from typing import TYPE_CHECKING, Dict, List, Tuple
from synapse.api.errors import Codes, SynapseError
from synapse.http.server import HttpServer
-from synapse.http.servlet import RestServlet
+from synapse.http.servlet import RestServlet, parse_strings_from_args
from synapse.http.site import SynapseRequest
-from synapse.types import JsonDict, UserID
+from synapse.types import JsonDict
from ._base import client_patterns
@@ -30,11 +31,11 @@ logger = logging.getLogger(__name__)
class UserMutualRoomsServlet(RestServlet):
"""
- GET /uk.half-shot.msc2666/user/mutual_rooms/{user_id} HTTP/1.1
+ GET /uk.half-shot.msc2666/user/mutual_rooms?user_id={user_id} HTTP/1.1
"""
PATTERNS = client_patterns(
- "/uk.half-shot.msc2666/user/mutual_rooms/(?P<user_id>[^/]*)",
+ "/uk.half-shot.msc2666/user/mutual_rooms$",
releases=(), # This is an unstable feature
)
@@ -43,17 +44,35 @@ class UserMutualRoomsServlet(RestServlet):
self.auth = hs.get_auth()
self.store = hs.get_datastores().main
- async def on_GET(
- self, request: SynapseRequest, user_id: str
- ) -> Tuple[int, JsonDict]:
- UserID.from_string(user_id)
+ async def on_GET(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
+ # twisted.web.server.Request.args is incorrectly defined as Optional[Any]
+ args: Dict[bytes, List[bytes]] = request.args # type: ignore
+
+ user_ids = parse_strings_from_args(args, "user_id", required=True)
+
+ if len(user_ids) > 1:
+ raise SynapseError(
+ HTTPStatus.BAD_REQUEST,
+ "Duplicate user_id query parameter",
+ errcode=Codes.INVALID_PARAM,
+ )
+
+ # We don't do batching, so a batch token is illegal by default
+ if b"batch_token" in args:
+ raise SynapseError(
+ HTTPStatus.BAD_REQUEST,
+ "Unknown batch_token",
+ errcode=Codes.INVALID_PARAM,
+ )
+
+ user_id = user_ids[0]
requester = await self.auth.get_user_by_req(request)
if user_id == requester.user.to_string():
raise SynapseError(
- code=400,
- msg="You cannot request a list of shared rooms with yourself",
- errcode=Codes.FORBIDDEN,
+ HTTPStatus.UNPROCESSABLE_ENTITY,
+ "You cannot request a list of shared rooms with yourself",
+ errcode=Codes.INVALID_PARAM,
)
rooms = await self.store.get_mutual_rooms_between_users(
diff --git a/synapse/rest/client/versions.py b/synapse/rest/client/versions.py
index 58c5b07390..32df054f56 100644
--- a/synapse/rest/client/versions.py
+++ b/synapse/rest/client/versions.py
@@ -91,7 +91,7 @@ class VersionsRestServlet(RestServlet):
# Implements additional endpoints as described in MSC2432
"org.matrix.msc2432": True,
# Implements additional endpoints as described in MSC2666
- "uk.half-shot.msc2666.mutual_rooms": True,
+ "uk.half-shot.msc2666.query_mutual_rooms": True,
# Whether new rooms will be set to encrypted or not (based on presets).
"io.element.e2ee_forced.public": self.e2ee_forced_public,
"io.element.e2ee_forced.private": self.e2ee_forced_private,
|
