summary refs log tree commit diff
path: root/synapse/api/auth.py
diff options
context:
space:
mode:
authorErik Johnston <erik@matrix.org>2016-07-08 14:11:37 +0100
committerErik Johnston <erik@matrix.org>2016-07-08 14:11:37 +0100
commit58930da52b073f16199b8f7fbe07075ff5f45d36 (patch)
treeba6bb7e4d34492d115d08e111a51f18abb969a3d /synapse/api/auth.py
parentMerge pull request #911 from matrix-org/erikj/purge_history (diff)
parentMerge branch 'hotfixes-v0.16.1' (diff)
downloadsynapse-58930da52b073f16199b8f7fbe07075ff5f45d36.tar.xz
Merge branch 'master' of github.com:matrix-org/synapse into develop
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r--synapse/api/auth.py15
1 files changed, 10 insertions, 5 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 31e1abb964..a4d658a9d0 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -637,17 +637,22 @@ class Auth(object):
         try:
             macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
 
-            self.validate_macaroon(macaroon, rights, self.hs.config.expire_access_token)
-
             user_prefix = "user_id = "
             user = None
+            user_id = None
             guest = False
             for caveat in macaroon.caveats:
                 if caveat.caveat_id.startswith(user_prefix):
-                    user = UserID.from_string(caveat.caveat_id[len(user_prefix):])
+                    user_id = caveat.caveat_id[len(user_prefix):]
+                    user = UserID.from_string(user_id)
                 elif caveat.caveat_id == "guest = true":
                     guest = True
 
+            self.validate_macaroon(
+                macaroon, rights, self.hs.config.expire_access_token,
+                user_id=user_id,
+            )
+
             if user is None:
                 raise AuthError(
                     self.TOKEN_NOT_FOUND_HTTP_STATUS, "No user caveat in macaroon",
@@ -692,7 +697,7 @@ class Auth(object):
                 errcode=Codes.UNKNOWN_TOKEN
             )
 
-    def validate_macaroon(self, macaroon, type_string, verify_expiry):
+    def validate_macaroon(self, macaroon, type_string, verify_expiry, user_id):
         """
         validate that a Macaroon is understood by and was signed by this server.
 
@@ -707,7 +712,7 @@ class Auth(object):
         v = pymacaroons.Verifier()
         v.satisfy_exact("gen = 1")
         v.satisfy_exact("type = " + type_string)
-        v.satisfy_general(lambda c: c.startswith("user_id = "))
+        v.satisfy_exact("user_id = %s" % user_id)
         v.satisfy_exact("guest = true")
         if verify_expiry:
             v.satisfy_general(self._verify_expiry)