author | Richard van der Hoff <richard@matrix.org> | 2016-11-30 07:36:32 +0000 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2016-11-30 07:36:32 +0000 |
commit | 4febfe47f03a97578e186fa6cae28c29ad8327cb (patch) | |
tree | 6a9a5edfb2eec7f5a177cf1a4b6bedd20d46bdcf | |
parent | Stop putting a time caveat on access tokens (diff) | |
download | synapse-4febfe47f03a97578e186fa6cae28c29ad8327cb.tar.xz |
Comments
Update comments in verify_macaroon
-rw-r--r-- | synapse/api/auth.py | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 77ff55cddf..b8c2917f21 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -790,9 +790,6 @@ class Auth(object):
 type_string(str): The kind of token required (e.g. "access", "refresh",
 "delete_pusher")
 verify_expiry(bool): Whether to verify whether the macaroon has expired.
- This should really always be True, but there exist access tokens
- in the wild which expire when they should not, so we can't
- enforce expiry yet.
 user_id (str): The user_id required
 """
 v = pymacaroons.Verifier()
@@ -805,6 +802,15 @@ class Auth(object):
 v.satisfy_exact("type = " + type_string)
 v.satisfy_exact("user_id = %s" % user_id)
 v.satisfy_exact("guest = true")
+
+ # verify_expiry should really always be True, but there exist access
+ # tokens in the wild which expire when they should not, so we can't
+ # enforce expiry yet (so we have to allow any caveat starting with
+ # 'time < ' in access tokens).
+ #
+ # On the other hand, short-term login tokens (as used by CAS login, for
+ # example) have an expiry time which we do want to enforce.
+
 if verify_expiry:
 v.satisfy_general(self._verify_expiry)
 else: |
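Review bot: The `verify_expiry` entry in the docstring (first hunk) no longer tells a caller what passing False means; after the removal it reads only "Whether to verify whether the macaroon has expired", while the security-relevant detail, that any caveat starting with 'time < ' is then accepted, now lives only in the inline comment added by the second hunk. Callers pick this flag from the signature and docstring, so I would keep one line there, e.g. `Must be True for short-lived tokens such as login tokens; False accepts any 'time < ' caveat unchecked (see the comment in the body).` The docstring begins above the hunk, so the rest of it is not visible here.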
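Review bot: The added comment in the second hunk says expiry cannot be enforced "yet" but gives no condition for when it can, which leaves the lenient path (the `else:` branch, whose body lies outside this hunk) as an open-ended exception. The parent commit is titled "Stop putting a time caveat on access tokens", so the exit condition appears to be that previously issued access tokens carrying a time caveat have gone out of use; I would state that, e.g. `# TODO: drop the verify_expiry=False path once access tokens issued with a 'time < ' caveat are no longer in circulation.` It would also help to name in the comment which token types are expected to be validated with verify_expiry=False, so that a new caller disabling expiry for a short-lived token stands out in review.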