diff options
author | Richard van der Hoff <richard@matrix.org> | 2016-11-28 09:55:21 +0000 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2016-11-29 16:49:41 +0000 |
commit | 1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd (patch) | |
tree | 1aa5d1b54239c730c32cab8d05abf405cd6e2ff9 /synapse/api/auth.py | |
parent | Merge pull request #1655 from matrix-org/rav/remove_redundant_macaroon_checks (diff) | |
download | synapse-1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd.tar.xz |
Stop putting a time caveat on access tokens
The 'time' caveat on the access tokens was something of a lie, since we weren't enforcing it; more pertinently its presence stops us ever adding useful time caveats. Let's move in the right direction by not lying in our caveats.
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r-- | synapse/api/auth.py | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 1ab27da941..77ff55cddf 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -810,6 +810,10 @@ class Auth(object): else: v.satisfy_general(lambda c: c.startswith("time < ")) + # access_tokens and refresh_tokens include a nonce for uniqueness: any + # value is acceptable + v.satisfy_general(lambda c: c.startswith("nonce = ")) + v.verify(macaroon, self.hs.config.macaroon_secret_key) def _verify_expiry(self, caveat): |