author: Richard van der Hoff <richard@matrix.org> 2016-10-11 11:34:40 +0100
committer: Richard van der Hoff <richard@matrix.org> 2016-10-11 11:34:40 +0100
commit: fa74fcf5120998e0bdb030638ce391914198f648
tree: 438f1dd520902e40ebc1cb4c29db225033e0dd52
parent: Merge pull request #1160 from matrix-org/rav/401_on_password_fail
Work around email-spamming Riot bug
5d9546f9 introduced a change to synapse behaviour, in that failures in the
interactive-auth process would return the flows and params data as well as an
error code (as specced in https://github.com/matrix-org/matrix-doc/pull/397).

That change exposed a bug in Riot which would make it request a new validation
token (and send a new email) each time it got a 401 with a `flows` parameter
(see https://github.com/vector-im/vector-web/issues/2447 and the fix at
https://github.com/matrix-org/matrix-react-sdk/pull/510).

To preserve compatibility with broken versions of Riot, grandfather in the old
behaviour for the email validation stage.
-rw-r--r-- synapse/handlers/auth.py 17
1 files changed, 14 insertions, 3 deletions
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 51888d1f97..6b8de1e7cf 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -150,14 +150,25 @@ class AuthHandler(BaseHandler):
         # check auth type currently being presented
         errordict = {}
         if 'type' in authdict:
-            if authdict['type'] not in self.checkers:
+            login_type = authdict['type']
+            if login_type not in self.checkers:
                 raise LoginError(400, "", Codes.UNRECOGNIZED)
             try:
-                result = yield self.checkers[authdict['type']](authdict, clientip)
+                result = yield self.checkers[login_type](authdict, clientip)
                 if result:
-                    creds[authdict['type']] = result
+                    creds[login_type] = result
                     self._save_session(session)
             except LoginError, e:
+                if login_type == LoginType.EMAIL_IDENTITY:
+                    # riot used to have a bug where it would request a new
+                    # validation token (thus sending a new email) each time it
+                    # got a 401 with a 'flows' field.
+                    # (https://github.com/vector-im/vector-web/issues/2447).
+                    #
+                    # Grandfather in the old behaviour for now to avoid
+                    # breaking old riot deployments.
+                    raise e
+
                 # this step failed. Merge the error dict into the response
                 # so that the client can have another go.
                 errordict = e.error_dict()
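Review bot: In the new `if login_type == LoginType.EMAIL_IDENTITY:` branch, `raise e` should be a bare `raise`, so that the LoginError propagates with the traceback from the checker rather than one restarted at this line (the `except LoginError, e:` syntax shows this is Python 2). The comment says the old behaviour is grandfathered in "for now" but states no removal condition; a TODO pointing at the client-side fix named in the commit message (matrix-react-sdk pull 510) would tell a later reader when the special case can be dropped. The diffstat shows only auth.py changed, so consider adding a test asserting that a failed email-identity stage raises the plain error while other failed stages still merge `e.error_dict()` into the response.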