summary refs log tree commit diff
diff options
context:
space:
mode:
authorDavid Baker <dave@matrix.org>2015-04-01 15:05:30 +0100
committerDavid Baker <dave@matrix.org>2015-04-01 15:05:30 +0100
commite9c908ebc09ccc050bd09692c5413124a8c3c06e (patch)
tree8e22da7bc4130e9fe54a5843e12a16b1b4327543
parentMake docs a bit more true (diff)
downloadsynapse-e9c908ebc09ccc050bd09692c5413124a8c3c06e.tar.xz
Completely replace fallback auth for C/S V2:
 * Now only the auth part goes to fallback, not the whole operation
 * Auth fallback is a normal API endpoint, not a static page
 * Params like the recaptcha pubkey can just live in the config
Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
-rw-r--r--static/client/register/style.css6
-rw-r--r--synapse/handlers/auth.py98
-rw-r--r--synapse/http/server.py7
-rw-r--r--synapse/rest/client/v2_alpha/__init__.py4
-rw-r--r--synapse/rest/client/v2_alpha/auth.py189
-rw-r--r--synapse/rest/client/v2_alpha/register.py2
6 files changed, 280 insertions, 26 deletions
diff --git a/static/client/register/style.css b/static/client/register/style.css
index a3398852b9..5a7b6eebf2 100644
--- a/static/client/register/style.css
+++ b/static/client/register/style.css
@@ -37,9 +37,13 @@ textarea, input {
     margin: auto
 }
 
+.g-recaptcha div {
+    margin: auto;
+}
+
 #registrationForm {
     text-align: left;
-    padding: 1em;
+    padding: 5px;
     margin-bottom: 40px;
     display: inline-block;
     
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 26df9fcd86..3d2461dd7d 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -20,12 +20,15 @@ from synapse.api.constants import LoginType
 from synapse.types import UserID
 from synapse.api.errors import LoginError, Codes
 from synapse.http.client import SimpleHttpClient
+
 from twisted.web.client import PartialDownloadError
 
 import logging
 import bcrypt
 import simplejson
 
+import synapse.util.stringutils as stringutils
+
 
 logger = logging.getLogger(__name__)
 
@@ -34,6 +37,11 @@ class AuthHandler(BaseHandler):
 
     def __init__(self, hs):
         super(AuthHandler, self).__init__(hs)
+        self.checkers = {
+            LoginType.PASSWORD: self._check_password_auth,
+            LoginType.RECAPTCHA: self._check_recaptcha,
+        }
+        self.sessions = {}
 
     @defer.inlineCallbacks
     def check_auth(self, flows, clientdict, clientip=None):
@@ -52,40 +60,64 @@ class AuthHandler(BaseHandler):
             If authed is false, the dictionary is the server response to the
             login request and should be passed back to the client.
         """
-        types = {
-            LoginType.PASSWORD: self.check_password_auth,
-            LoginType.RECAPTCHA: self.check_recaptcha,
-        }
 
         if not clientdict or 'auth' not in clientdict:
-            defer.returnValue((False, self.auth_dict_for_flows(flows)))
+            sess = self._get_session_info(None)
+            defer.returnValue(
+                (False, self._auth_dict_for_flows(flows, sess))
+            )
 
         authdict = clientdict['auth']
 
-        # In future: support sessions & retrieve previously succeeded
-        # login types
-        creds = {}
+        sess = self._get_session_info(
+            authdict['session'] if 'session' in authdict else None
+        )
+        if 'creds' not in sess:
+            sess['creds'] = {}
+        creds = sess['creds']
 
         # check auth type currently being presented
-        if 'type' not in authdict:
-            raise LoginError(400, "", Codes.MISSING_PARAM)
-        if authdict['type'] not in types:
-            raise LoginError(400, "", Codes.UNRECOGNIZED)
-        result = yield types[authdict['type']](authdict, clientip)
-        if result:
-            creds[authdict['type']] = result
+        if 'type' in authdict:
+            if authdict['type'] not in self.checkers:
+                raise LoginError(400, "", Codes.UNRECOGNIZED)
+            result = yield self.checkers[authdict['type']](authdict, clientip)
+            if result:
+                creds[authdict['type']] = result
+                self._save_session(sess)
 
         for f in flows:
             if len(set(f) - set(creds.keys())) == 0:
                 logger.info("Auth completed with creds: %r", creds)
+                self._remove_session(sess)
                 defer.returnValue((True, creds))
 
-        ret = self.auth_dict_for_flows(flows)
+        ret = self._auth_dict_for_flows(flows, sess)
         ret['completed'] = creds.keys()
         defer.returnValue((False, ret))
 
     @defer.inlineCallbacks
-    def check_password_auth(self, authdict, _):
+    def add_oob_auth(self, stagetype, authdict, clientip):
+        if stagetype not in self.checkers:
+            raise LoginError(400, "", Codes.MISSING_PARAM)
+        if 'session' not in authdict:
+            raise LoginError(400, "", Codes.MISSING_PARAM)
+
+        sess = self._get_session_info(
+            authdict['session']
+        )
+        if 'creds' not in sess:
+            sess['creds'] = {}
+        creds = sess['creds']
+
+        result = yield self.checkers[stagetype](authdict, clientip)
+        if result:
+            creds[stagetype] = result
+            self._save_session(sess)
+            defer.returnValue(True)
+        defer.returnValue(False)
+
+    @defer.inlineCallbacks
+    def _check_password_auth(self, authdict, _):
         if "user" not in authdict or "password" not in authdict:
             raise LoginError(400, "", Codes.MISSING_PARAM)
 
@@ -107,7 +139,7 @@ class AuthHandler(BaseHandler):
             raise LoginError(401, "", errcode=Codes.UNAUTHORIZED)
 
     @defer.inlineCallbacks
-    def check_recaptcha(self, authdict, clientip):
+    def _check_recaptcha(self, authdict, clientip):
         try:
             user_response = authdict["response"]
         except KeyError:
@@ -143,10 +175,10 @@ class AuthHandler(BaseHandler):
             defer.returnValue(True)
         raise LoginError(401, "", errcode=Codes.UNAUTHORIZED)
 
-    def get_params_recaptcha(self):
+    def _get_params_recaptcha(self):
         return {"public_key": self.hs.config.recaptcha_public_key}
 
-    def auth_dict_for_flows(self, flows):
+    def _auth_dict_for_flows(self, flows, session):
         public_flows = []
         for f in flows:
             hidden = False
@@ -157,7 +189,7 @@ class AuthHandler(BaseHandler):
                 public_flows.append(f)
 
         get_params = {
-            LoginType.RECAPTCHA: self.get_params_recaptcha,
+            LoginType.RECAPTCHA: self._get_params_recaptcha,
         }
 
         params = {}
@@ -168,6 +200,30 @@ class AuthHandler(BaseHandler):
                     params[stage] = get_params[stage]()
 
         return {
+            "session": session['id'],
             "flows": [{"stages": f} for f in public_flows],
             "params": params
         }
+
+    def _get_session_info(self, session_id):
+        if session_id not in self.sessions:
+            session_id = None
+
+        if not session_id:
+            # create a new session
+            while session_id is None or session_id in self.sessions:
+                session_id = stringutils.random_string(24)
+            self.sessions[session_id] = {
+                "id": session_id,
+            }
+
+        return self.sessions[session_id]
+
+    def _save_session(self, session):
+        # TODO: Persistent storage
+        logger.debug("Saving session %s", session)
+        self.sessions[session["id"]] = session
+
+    def _remove_session(self, session):
+        logger.debug("Removing session %s", session)
+        del self.sessions[session["id"]]
diff --git a/synapse/http/server.py b/synapse/http/server.py
index 30c3aa5cac..76c561d105 100644
--- a/synapse/http/server.py
+++ b/synapse/http/server.py
@@ -170,9 +170,12 @@ class JsonResource(HttpServer, resource.Resource):
                     request.method, request.path
                 )
 
-                code, response = yield callback(request, *args)
+                callback_return = yield callback(request, *args)
+                if callback_return is not None:
+                    code, response = callback_return
+
+                    self._send_response(request, code, response)
 
-                self._send_response(request, code, response)
                 response_timer.inc_by(
                     self.clock.time_msec() - start, request.method, servlet_classname
                 )
diff --git a/synapse/rest/client/v2_alpha/__init__.py b/synapse/rest/client/v2_alpha/__init__.py
index 98189ead26..86e4bc729e 100644
--- a/synapse/rest/client/v2_alpha/__init__.py
+++ b/synapse/rest/client/v2_alpha/__init__.py
@@ -17,7 +17,8 @@ from . import (
     sync,
     filter,
     password,
-    register
+    register,
+    auth
 )
 
 from synapse.http.server import JsonResource
@@ -36,3 +37,4 @@ class ClientV2AlphaRestResource(JsonResource):
         filter.register_servlets(hs, client_resource)
         password.register_servlets(hs, client_resource)
         register.register_servlets(hs, client_resource)
+        auth.register_servlets(hs, client_resource)
diff --git a/synapse/rest/client/v2_alpha/auth.py b/synapse/rest/client/v2_alpha/auth.py
new file mode 100644
index 0000000000..7a518e226f
--- /dev/null
+++ b/synapse/rest/client/v2_alpha/auth.py
@@ -0,0 +1,189 @@
+# -*- coding: utf-8 -*-
+# Copyright 2015 OpenMarket Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from twisted.internet import defer
+
+from synapse.api.constants import LoginType
+from synapse.api.errors import SynapseError
+from synapse.api.urls import CLIENT_V2_ALPHA_PREFIX
+from synapse.http.servlet import RestServlet
+
+from ._base import client_v2_pattern
+
+import logging
+
+
+logger = logging.getLogger(__name__)
+
+RECAPTCHA_TEMPLATE = """
+<html>
+<head>
+<title>Authentication</title>
+<meta name='viewport' content='width=device-width, initial-scale=1,
+    user-scalable=no, minimum-scale=1.0, maximum-scale=1.0'>
+<script src="https://www.google.com/recaptcha/api.js"
+    async defer></script>
+<script src="//code.jquery.com/jquery-1.11.2.min.js"></script>
+<link rel="stylesheet" href="/_matrix/static/client/register/style.css">
+<script>
+function captchaDone() {
+    $('#registrationForm').submit();
+}
+</script>
+</head>
+<body>
+<form id="registrationForm" method="post" action="%(myurl)s">
+    <div>
+        <p>
+        Hello! We need to prevent computer programs and other automated
+        things from creating accounts on this server.
+        </p>
+        <p>
+        Please verify that you're not a robot.
+        </p>
+        <input type="hidden" name="session" value="%(session)s" />
+        <div class="g-recaptcha"
+            data-sitekey="%(sitekey)s"
+            data-callback="captchaDone">
+        </div>
+        <noscript>
+        <input type="submit" value="All Done" />
+        </noscript>
+        </div>
+    </div>
+</form>
+</body>
+</html>
+"""
+
+SUCCESS_TEMPLATE = """
+<html>
+<head>
+<title>Success!</title>
+<meta name='viewport' content='width=device-width, initial-scale=1,
+    user-scalable=no, minimum-scale=1.0, maximum-scale=1.0'>
+<link rel="stylesheet" href="/_matrix/static/client/register/style.css">
+<script>
+if (window.onAuthDone != undefined) {
+    window.onAuthDone();
+}
+</script>
+</head>
+<body>
+    <div>
+        <p>Thank you</p>
+        <p>You may now close this window and return to the application</p>
+    </div>
+</body>
+</html>
+"""
+
+class AuthRestServlet(RestServlet):
+    """
+    Handles Client / Server API authentication in any situations where it
+    cannot be handled in the normal flow (with requests to the same endpoint).
+    Current use is for web fallback auth.
+    """
+    PATTERN = client_v2_pattern("/auth/(?P<stagetype>[\w\.]*)/fallback/web")
+
+    def __init__(self, hs):
+        super(AuthRestServlet, self).__init__()
+        self.hs = hs
+        self.auth = hs.get_auth()
+        self.auth_handler = hs.get_handlers().auth_handler
+        self.registration_handler = hs.get_handlers().registration_handler
+
+    @defer.inlineCallbacks
+    def on_GET(self, request, stagetype):
+        yield
+        if stagetype == LoginType.RECAPTCHA:
+            if ('session' not in request.args or
+                    len(request.args['session']) == 0):
+                raise SynapseError(400, "No session supplied")
+
+            session = request.args["session"][0]
+
+            html = RECAPTCHA_TEMPLATE % {
+                'session': session,
+                'myurl': "%s/auth/%s/fallback/web" % (
+                    CLIENT_V2_ALPHA_PREFIX, LoginType.RECAPTCHA
+                ),
+                'sitekey': self.hs.config.recaptcha_public_key,
+            }
+            html_bytes = html.encode("utf8")
+            request.setResponseCode(200)
+            request.setHeader(b"Content-Type", b"text/html; charset=utf-8")
+            request.setHeader(b"Server", self.hs.version_string)
+            request.setHeader(b"Content-Length", b"%d" % (len(html_bytes),))
+
+            request.write(html_bytes)
+            request.finish()
+            defer.returnValue(None)
+        else:
+            raise SynapseError(404, "Unknown auth stage type")
+
+    @defer.inlineCallbacks
+    def on_POST(self, request, stagetype):
+        yield
+        if stagetype == "m.login.recaptcha":
+            if ('g-recaptcha-response' not in request.args or
+                    len(request.args['g-recaptcha-response'])) == 0:
+                raise SynapseError(400, "No captcha response supplied")
+            if ('session' not in request.args or
+                    len(request.args['session'])) == 0:
+                raise SynapseError(400, "No session supplied")
+
+            session = request.args['session'][0]
+
+            authdict = {
+                'response': request.args['g-recaptcha-response'][0],
+                'session': session,
+            }
+
+            success = yield self.auth_handler.add_oob_auth(
+                LoginType.RECAPTCHA,
+                authdict,
+                self.hs.get_ip_from_request(request)
+            )
+
+            if success:
+                html = SUCCESS_TEMPLATE
+            else:
+                html = RECAPTCHA_TEMPLATE % {
+                    'session': session,
+                    'myurl': "%s/auth/%s/fallback/web" % (
+                        CLIENT_V2_ALPHA_PREFIX, LoginType.RECAPTCHA
+                    ),
+                    'sitekey': self.hs.config.recaptcha_public_key,
+                }
+            html_bytes = html.encode("utf8")
+            request.setResponseCode(200)
+            request.setHeader(b"Content-Type", b"text/html; charset=utf-8")
+            request.setHeader(b"Server", self.hs.version_string)
+            request.setHeader(b"Content-Length", b"%d" % (len(html_bytes),))
+
+            request.write(html_bytes)
+            request.finish()
+
+            defer.returnValue(None)
+        else:
+            raise SynapseError(404, "Unknown auth stage type")
+
+    def on_OPTIONS(self, _):
+        return 200, {}
+
+
+def register_servlets(hs, http_server):
+    AuthRestServlet(hs).register(http_server)
diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py
index 4a53e03743..537918ea27 100644
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@@ -45,7 +45,7 @@ class RegisterRestServlet(RestServlet):
             [LoginType.RECAPTCHA],
             [LoginType.EMAIL_IDENTITY, LoginType.RECAPTCHA],
             [LoginType.APPLICATION_SERVICE]
-        ], body)
+        ], body, self.hs.get_ip_from_request(request))
 
         if not authed:
             defer.returnValue((401, result))