diff options
author | reivilibre <oliverw@matrix.org> | 2022-05-05 13:39:59 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-05-05 13:39:59 +0100 |
commit | 07fa53ec40106b97ba2c12a2dcc5446325e5fb61 (patch) | |
tree | dca43eaa3fb5e735617730c94cb0f6f9c51d15a1 /synapse/api/auth.py | |
parent | Use `docker/metadata-action` to generate docker image tags (#12573) (diff) | |
download | synapse-07fa53ec40106b97ba2c12a2dcc5446325e5fb61.tar.xz |
Improve comments and error messages around access tokens. (#12577)
Diffstat (limited to '')
-rw-r--r-- | synapse/api/auth.py | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index f6202ef7a5..931750668e 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -417,7 +417,8 @@ class Auth: """ if rights == "access": - # first look in the database + # First look in the database to see if the access token is present + # as an opaque token. r = await self.store.get_user_by_access_token(token) if r: valid_until_ms = r.valid_until_ms @@ -434,7 +435,8 @@ class Auth: return r - # otherwise it needs to be a valid macaroon + # If the token isn't found in the database, then it could still be a + # macaroon, so we check that here. try: user_id, guest = self._parse_and_validate_macaroon(token, rights) @@ -482,8 +484,12 @@ class Auth: TypeError, ValueError, ) as e: - logger.warning("Invalid macaroon in auth: %s %s", type(e), e) - raise InvalidClientTokenError("Invalid macaroon passed.") + logger.warning( + "Invalid access token in auth: %s %s.", + type(e), + e, + ) + raise InvalidClientTokenError("Invalid access token passed.") def _parse_and_validate_macaroon( self, token: str, rights: str = "access" @@ -504,10 +510,7 @@ class Auth: try: macaroon = pymacaroons.Macaroon.deserialize(token) except Exception: # deserialize can throw more-or-less anything - # doesn't look like a macaroon: treat it as an opaque token which - # must be in the database. - # TODO: it would be nice to get rid of this, but apparently some - # people use access tokens which aren't macaroons + # The access token doesn't look like a macaroon. raise _InvalidMacaroonException() try: |