authorBen Banfield-Zanin <benbz@matrix.org>2020-09-29 17:16:55 +0100
committerBen Banfield-Zanin <benbz@matrix.org>2020-09-29 17:16:55 +0100
commit2506e36cf574d68fdb3059552f55ecda3ef62f20 (patch)
tree3767f4b7a394311f3776b26ad725952b08e0baca
parentMerge remote-tracking branch 'origin/anoa/info-mainline-no-check-password-res... (diff)
parentMake use of new argument to eliminate IS checks outside of registration (diff)
downloadsynapse-github/bbz/info-mainline-1.20.1.tar.xz
Merge remote-tracking branch 'origin/anoa/3pid_check_invite_exemption' into bbz/info-mainline-1.20.1 github/bbz/info-mainline-1.20.1 bbz/info-mainline-1.20.1
-rw-r--r--synapse/rest/client/v2_alpha/register.py8
-rw-r--r--synapse/util/threepids.py25
2 files changed, 28 insertions, 5 deletions
diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py
index ae1a8c4e6c..c589dd6c78 100644
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@@ -117,7 +117,7 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
         send_attempt = body["send_attempt"]
         next_link = body.get("next_link")  # Optional param
 
-        if not await check_3pid_allowed(self.hs, "email", email):
+        if not await check_3pid_allowed(self.hs, "email", email, during_registration=True):
             raise SynapseError(
                 403,
                 "You currently can't create an account with this email address",
@@ -192,7 +192,7 @@ class MsisdnRegisterRequestTokenRestServlet(RestServlet):
 
         msisdn = phone_number_to_msisdn(country, phone_number)
 
-        if not await check_3pid_allowed(self.hs, "msisdn", msisdn):
+        if not await check_3pid_allowed(self.hs, "msisdn", msisdn, during_registration=True):
             raise SynapseError(
                 403,
                 "Phone numbers are not authorized to register on this server",
@@ -535,7 +535,9 @@ class RegisterRestServlet(RestServlet):
                     medium = auth_result[login_type]["medium"]
                     address = auth_result[login_type]["address"]
 
-                    if not await check_3pid_allowed(self.hs, medium, address):
+                    if not await check_3pid_allowed(
+                        self.hs, medium, address, during_registration=True
+                    ):
                         raise SynapseError(
                             403,
                             "Third party identifiers (email/phone numbers)"
diff --git a/synapse/util/threepids.py b/synapse/util/threepids.py
index bd63b9107e..527d873935 100644
--- a/synapse/util/threepids.py
+++ b/synapse/util/threepids.py
@@ -19,7 +19,7 @@ import re
 logger = logging.getLogger(__name__)
 
 
-async def check_3pid_allowed(hs, medium, address):
+async def check_3pid_allowed(hs, medium, address, during_registration: bool = False):
     """Checks whether a given format of 3PID is allowed to be used on this HS
 
     Args:
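Review bot: The new `during_registration` parameter defaults to `False`, so any caller that omits it skips the identity-server lookup that the next hunk gates on it. A registration path added later without the argument would pass the check silently. Making the parameter keyword-only and required, `async def check_3pid_allowed(hs, medium, address, *, during_registration: bool):`, forces each call site to state which flow it is in. The three register.py call sites in this commit already pass it by keyword; other callers are not visible here and would need an explicit `during_registration=False`. The function body continues outside this hunk.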
@@ -27,11 +27,19 @@ async def check_3pid_allowed(hs, medium, address):
         medium (str): 3pid medium - e.g. email, msisdn
         address (str): address within that medium (e.g. "wotan@matrix.org")
             msisdns need to first have been canonicalised
+        during_registration: Whether this request has been made while registering a new
+            user.
     Returns:
         bool: whether the 3PID medium/address is allowed to be added to this HS
     """
 
-    if hs.config.check_is_for_allowed_local_3pids:
+    if hs.config.check_is_for_allowed_local_3pids and during_registration:
+        # If this 3pid is being approved as part of registering a new user,
+        # we'll want to make sure the 3pid has been invited by someone already.
+        #
+        # We condition on registration so that user 3pids do not require an invite while
+        # doing tasks other than registration, such as resetting their password or adding a
+        # second email to their account.
         data = await hs.get_simple_http_client().get_json(
             "https://%s%s" % (
                 hs.config.check_is_for_allowed_local_3pids,
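Review bot: The guard `hs.config.check_is_for_allowed_local_3pids and during_registration` skips the whole identity-server lookup outside registration, not only the invite requirement the new comment describes. The `hs`/`shadow_hs` comparison against `hs.config.server_name` in the later hunk sits inside the same block, so it is skipped as well. If that is intended, the comment and the `during_registration` docstring entry should say that the server-name check is also bypassed. If only the invite rule should be relaxed, keep the original `if` here and gate the later check instead: `if during_registration and data.get('requires_invite', False) and not data.get('invited', False):`. What the function does when the block is skipped lies outside the visible hunks.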
@@ -39,6 +47,10 @@ async def check_3pid_allowed(hs, medium, address):
             ),
             {'medium': medium, 'address': address}
         )
+        logger.info(
+            "Received internal-info data for medium '%s', address '%s': %s",
+            medium, address, data,
+        )
 
         # Check for invalid response
         if 'hs' not in data and 'shadow_hs' not in data:
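Review bot: The added `logger.info` writes the full 3PID address (email or phone number) and the entire identity-server response at INFO on every check. Judging by their names, the register.py callers include the request-token servlets, which presumably run before the user is authenticated. Log at debug and keep to the fields the decision uses, for example `logger.debug("internal-info for medium '%s': hs=%s shadow_hs=%s requires_invite=%s invited=%s", medium, data.get("hs"), data.get("shadow_hs"), data.get("requires_invite"), data.get("invited"))`. The two log calls in the following hunk do not include the address, so they are less of a concern.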
@@ -49,10 +61,19 @@ async def check_3pid_allowed(hs, medium, address):
             data.get('hs') != hs.config.server_name
             and data.get('shadow_hs') != hs.config.server_name
         ):
+            logger.info(
+                "%s did not match %s or %s did not match %s",
+                data.get("hs"), hs.config.server_name,
+                data.get("shadow_hs"), hs.config.server_name,
+            )
             return False
 
         if data.get('requires_invite', False) and not data.get('invited', False):
             # Requires an invite but hasn't been invited
+            logger.info(
+                "3PID check failed due to 'required_invite' = '%s' and 'invited' = '%s'",
+                data.get('required_invite'), data.get("invited"),
+            )
             return False
 
         return True
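Review bot: The invite-failure log reads `data.get('required_invite')`, but the condition above it tests `'requires_invite'`, so the first value would log as `None` unless the response also carries a `required_invite` key. Use the same key in both the message and the lookup: `"3PID check failed due to 'requires_invite' = '%s' and 'invited' = '%s'"` with `data.get('requires_invite'), data.get("invited")`. In the server-name log, both comparisons must have failed to reach that branch, so "and" is more accurate than "or" in `"%s did not match %s or %s did not match %s"`.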