summary refs log tree commit diff
path: root/synapse/api/auth.py
diff options
context:
space:
mode:
authorRichard van der Hoff <richard@matrix.org>2016-11-28 09:55:21 +0000
committerRichard van der Hoff <richard@matrix.org>2016-11-29 16:49:41 +0000
commit1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd (patch)
tree1aa5d1b54239c730c32cab8d05abf405cd6e2ff9 /synapse/api/auth.py
parentMerge pull request #1655 from matrix-org/rav/remove_redundant_macaroon_checks (diff)
downloadsynapse-1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd.tar.xz
Stop putting a time caveat on access tokens
The 'time' caveat on the access tokens was something of a lie, since we weren't
enforcing it; more pertinently its presence stops us ever adding useful time
caveats.

Let's move in the right direction by not lying in our caveats.
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r--synapse/api/auth.py4
1 files changed, 4 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 1ab27da941..77ff55cddf 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -810,6 +810,10 @@ class Auth(object):
         else:
             v.satisfy_general(lambda c: c.startswith("time < "))
 
+        # access_tokens and refresh_tokens include a nonce for uniqueness: any
+        # value is acceptable
+        v.satisfy_general(lambda c: c.startswith("nonce = "))
+
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
     def _verify_expiry(self, caveat):