diff options
author | Richard van der Hoff <richard@matrix.org> | 2016-11-30 07:36:32 +0000 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2016-11-30 07:36:32 +0000 |
commit | 4febfe47f03a97578e186fa6cae28c29ad8327cb (patch) | |
tree | 6a9a5edfb2eec7f5a177cf1a4b6bedd20d46bdcf /synapse/api/auth.py | |
parent | Stop putting a time caveat on access tokens (diff) | |
download | synapse-4febfe47f03a97578e186fa6cae28c29ad8327cb.tar.xz |
Comments
Update comments in verify_macaroon
Diffstat (limited to '')
-rw-r--r-- | synapse/api/auth.py | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 77ff55cddf..b8c2917f21 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -790,9 +790,6 @@ class Auth(object): type_string(str): The kind of token required (e.g. "access", "refresh", "delete_pusher") verify_expiry(bool): Whether to verify whether the macaroon has expired. - This should really always be True, but there exist access tokens - in the wild which expire when they should not, so we can't - enforce expiry yet. user_id (str): The user_id required """ v = pymacaroons.Verifier() @@ -805,6 +802,15 @@ class Auth(object): v.satisfy_exact("type = " + type_string) v.satisfy_exact("user_id = %s" % user_id) v.satisfy_exact("guest = true") + + # verify_expiry should really always be True, but there exist access + # tokens in the wild which expire when they should not, so we can't + # enforce expiry yet (so we have to allow any caveat starting with + # 'time < ' in access tokens). + # + # On the other hand, short-term login tokens (as used by CAS login, for + # example) have an expiry time which we do want to enforce. + if verify_expiry: v.satisfy_general(self._verify_expiry) else: |