diff options
author | Erik Johnston <erik@matrix.org> | 2016-07-08 13:22:32 +0100 |
---|---|---|
committer | Erik Johnston <erik@matrix.org> | 2016-07-08 13:22:32 +0100 |
commit | 0870588c203f87b3cd23091918f43299923db13d (patch) | |
tree | e2f8aa68d95d1cbac551a6767b72832d988e8d02 /synapse/api/auth.py | |
parent | Merge pull request #886 from matrix-org/markjh/async_commit (diff) | |
parent | Bump version and changelog (diff) | |
download | synapse-0870588c203f87b3cd23091918f43299923db13d.tar.xz |
Merge branch 'hotfixes-v0.16.1' v0.16.1-r1
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r-- | synapse/api/auth.py | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 31e1abb964..a4d658a9d0 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -637,17 +637,22 @@ class Auth(object): try: macaroon = pymacaroons.Macaroon.deserialize(macaroon_str) - self.validate_macaroon(macaroon, rights, self.hs.config.expire_access_token) - user_prefix = "user_id = " user = None + user_id = None guest = False for caveat in macaroon.caveats: if caveat.caveat_id.startswith(user_prefix): - user = UserID.from_string(caveat.caveat_id[len(user_prefix):]) + user_id = caveat.caveat_id[len(user_prefix):] + user = UserID.from_string(user_id) elif caveat.caveat_id == "guest = true": guest = True + self.validate_macaroon( + macaroon, rights, self.hs.config.expire_access_token, + user_id=user_id, + ) + if user is None: raise AuthError( self.TOKEN_NOT_FOUND_HTTP_STATUS, "No user caveat in macaroon", @@ -692,7 +697,7 @@ class Auth(object): errcode=Codes.UNKNOWN_TOKEN ) - def validate_macaroon(self, macaroon, type_string, verify_expiry): + def validate_macaroon(self, macaroon, type_string, verify_expiry, user_id): """ validate that a Macaroon is understood by and was signed by this server. @@ -707,7 +712,7 @@ class Auth(object): v = pymacaroons.Verifier() v.satisfy_exact("gen = 1") v.satisfy_exact("type = " + type_string) - v.satisfy_general(lambda c: c.startswith("user_id = ")) + v.satisfy_exact("user_id = %s" % user_id) v.satisfy_exact("guest = true") if verify_expiry: v.satisfy_general(self._verify_expiry) |