summary refs log tree commit diff
diff options
context:
space:
mode:
authorRichard van der Hoff <richard@matrix.org>2016-11-30 07:36:32 +0000
committerRichard van der Hoff <richard@matrix.org>2016-11-30 07:36:32 +0000
commit4febfe47f03a97578e186fa6cae28c29ad8327cb (patch)
tree6a9a5edfb2eec7f5a177cf1a4b6bedd20d46bdcf
parentStop putting a time caveat on access tokens (diff)
downloadsynapse-4febfe47f03a97578e186fa6cae28c29ad8327cb.tar.xz
Comments
Update comments in verify_macaroon
-rw-r--r--synapse/api/auth.py12
1 files changed, 9 insertions, 3 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 77ff55cddf..b8c2917f21 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -790,9 +790,6 @@ class Auth(object):
             type_string(str): The kind of token required (e.g. "access", "refresh",
                               "delete_pusher")
             verify_expiry(bool): Whether to verify whether the macaroon has expired.
-                This should really always be True, but there exist access tokens
-                in the wild which expire when they should not, so we can't
-                enforce expiry yet.
             user_id (str): The user_id required
         """
         v = pymacaroons.Verifier()
@@ -805,6 +802,15 @@ class Auth(object):
         v.satisfy_exact("type = " + type_string)
         v.satisfy_exact("user_id = %s" % user_id)
         v.satisfy_exact("guest = true")
+
+        # verify_expiry should really always be True, but there exist access
+        # tokens in the wild which expire when they should not, so we can't
+        # enforce expiry yet (so we have to allow any caveat starting with
+        # 'time < ' in access tokens).
+        #
+        # On the other hand, short-term login tokens (as used by CAS login, for
+        # example) have an expiry time which we do want to enforce.
+
         if verify_expiry:
             v.satisfy_general(self._verify_expiry)
         else: