Merge remote-tracking branch 'origin/clokep/no-validate-ui-auth-sess' into matrix-org-hotfixes

3 files changed, 27 insertions, 1 deletions

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py

index a167498add..1d779d2978 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -317,7 +317,7 @@ class AuthHandler(BaseHandler):
             except StoreError:
                 raise SynapseError(400, "Unknown session ID: %s" % (sid,))
 
-            if not clientdict:
+            if clientdict:
                 # This was designed to allow the client to omit the parameters
                 # and just supply the session in subsequent calls so it split
                 # auth between devices by just sharing the session, (eg. so you
@@ -327,6 +327,8 @@ class AuthHandler(BaseHandler):
                 # on a homeserver.
                 # Revisit: Assuming the REST APIs do sensible validation, the data
                 # isn't arbitrary.
+                await self.store.set_ui_auth_clientdict(sid, clientdict)
+            else:
                 clientdict = session.clientdict
 
         if not authdict:
diff --git a/synapse/storage/data_stores/main/ui_auth.py b/synapse/storage/data_stores/main/ui_auth.py

index c8eebc9378..1d8ee22fb1 100644
--- a/synapse/storage/data_stores/main/ui_auth.py
+++ b/synapse/storage/data_stores/main/ui_auth.py
@@ -172,6 +172,27 @@ class UIAuthWorkerStore(SQLBaseStore):
 
         return results
 
+    async def set_ui_auth_clientdict(
+        self, session_id: str, clientdict: JsonDict
+    ) -> None:
+        """
+        Store an updated clientdict for a given session ID.
+
+        Args:
+            session_id: The ID of this session as returned from check_auth
+            clientdict:
+                The dictionary from the client root level, not the 'auth' key.
+        """
+        # The clientdict gets stored as JSON.
+        clientdict_json = json.dumps(clientdict)
+
+        self.db.simple_update_one(
+            table="ui_auth_sessions",
+            keyvalues={"session_id": session_id},
+            updatevalues={"clientdict": clientdict_json},
+            desc="set_ui_auth_client_dict",
+        )
+
     async def set_ui_auth_session_data(self, session_id: str, key: str, value: Any):
         """
         Store a key-value pair into the sessions data associated with this
diff --git a/tests/rest/client/v2_alpha/test_auth.py b/tests/rest/client/v2_alpha/test_auth.py

index 587be7b2e7..efc20f86aa 100644
--- a/tests/rest/client/v2_alpha/test_auth.py
+++ b/tests/rest/client/v2_alpha/test_auth.py
@@ -182,6 +182,9 @@ class FallbackAuthTests(unittest.HomeserverTestCase):
         self.render(request)
         self.assertEqual(channel.code, 403)
 
+    # This behavior is currently disabled.
+    test_cannot_change_operation.skip = True
+
     def test_complete_operation_unknown_session(self):
         """
         Attempting to mark an invalid session as complete should error.