summary refs log tree commit diff
path: root/synapse/api/auth.py
diff options
context:
space:
mode:
authorDaniel Wagner-Hall <dawagner@gmail.com>2015-11-19 15:00:14 -0500
committerDaniel Wagner-Hall <dawagner@gmail.com>2015-11-19 15:00:14 -0500
commit95c3306798e1ca6429f3f52797a5d1b6ce7d6f37 (patch)
treeb43e191ea43c44a12b4c60c5a3a2ff09bc814e79 /synapse/api/auth.py
parentIgnore forgotten rooms in v2 sync (diff)
parentMerge branch 'develop' into daniel/forgetrooms (diff)
downloadsynapse-95c3306798e1ca6429f3f52797a5d1b6ce7d6f37.tar.xz
Merge branch 'daniel/forgetrooms' of github.com:matrix-org/synapse into daniel/forgetrooms
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r--synapse/api/auth.py25
1 files changed, 17 insertions, 8 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 6eaa1150a3..4fdc779b4b 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -594,10 +594,7 @@ class Auth(object):
     def _get_user_from_macaroon(self, macaroon_str):
         try:
             macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
-            self.validate_macaroon(
-                macaroon, "access",
-                [lambda c: c.startswith("time < ")]
-            )
+            self.validate_macaroon(macaroon, "access", False)
 
             user_prefix = "user_id = "
             user = None
@@ -645,22 +642,34 @@ class Auth(object):
                 errcode=Codes.UNKNOWN_TOKEN
             )
 
-    def validate_macaroon(self, macaroon, type_string, additional_validation_functions):
+    def validate_macaroon(self, macaroon, type_string, verify_expiry):
+        """
+        validate that a Macaroon is understood by and was signed by this server.
+
+        Args:
+            macaroon(pymacaroons.Macaroon): The macaroon to validate
+            type_string(str): The kind of token this is (e.g. "access", "refresh")
+            verify_expiry(bool): Whether to verify whether the macaroon has expired.
+                This should really always be True, but no clients currently implement
+                token refresh, so we can't enforce expiry yet.
+        """
         v = pymacaroons.Verifier()
         v.satisfy_exact("gen = 1")
         v.satisfy_exact("type = " + type_string)
         v.satisfy_general(lambda c: c.startswith("user_id = "))
         v.satisfy_exact("guest = true")
+        if verify_expiry:
+            v.satisfy_general(self._verify_expiry)
+        else:
+            v.satisfy_general(lambda c: c.startswith("time < "))
 
-        for validation_function in additional_validation_functions:
-            v.satisfy_general(validation_function)
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
         v = pymacaroons.Verifier()
         v.satisfy_general(self._verify_recognizes_caveats)
         v.verify(macaroon, self.hs.config.macaroon_secret_key)
 
-    def verify_expiry(self, caveat):
+    def _verify_expiry(self, caveat):
         prefix = "time < "
         if not caveat.startswith(prefix):
             return False