summary refs log tree commit diff
path: root/synapse/api/auth/internal.py
diff options
context:
space:
mode:
authorDavid Robertson <davidr@element.io>2023-11-23 12:35:37 +0000
committerGitHub <noreply@github.com>2023-11-23 12:35:37 +0000
commit32a59a6495f8d463f82ae52283159359a9961c25 (patch)
tree44824e6214f748c4ed576af7a4d3986e398a6983 /synapse/api/auth/internal.py
parentEnable refreshable tokens on the admin registration endpoint (#16642) (diff)
downloadsynapse-32a59a6495f8d463f82ae52283159359a9961c25.tar.xz
Keep track of `user_ips` and `monthly_active_users` when delegating auth (#16672)
* Describe `insert_client_ip`
* Pull out client_ips and MAU tracking to BaseAuth
* Define HAS_AUTHLIB once in tests

sick of copypasting

* Track ips and token usage when delegating auth
* Test that we track MAU and user_ips
* Don't track `__oidc_admin`
Diffstat (limited to 'synapse/api/auth/internal.py')
-rw-r--r--synapse/api/auth/internal.py39
1 files changed, 1 insertions, 38 deletions
diff --git a/synapse/api/auth/internal.py b/synapse/api/auth/internal.py
index 36ee9c8b8f..985cbb1278 100644
--- a/synapse/api/auth/internal.py
+++ b/synapse/api/auth/internal.py
@@ -22,7 +22,6 @@ from synapse.api.errors import (
     InvalidClientTokenError,
     MissingClientTokenError,
 )
-from synapse.http import get_request_user_agent
 from synapse.http.site import SynapseRequest
 from synapse.logging.opentracing import active_span, force_tracing, start_active_span
 from synapse.types import Requester, create_requester
@@ -48,8 +47,6 @@ class InternalAuth(BaseAuth):
         self._account_validity_handler = hs.get_account_validity_handler()
         self._macaroon_generator = hs.get_macaroon_generator()
 
-        self._track_appservice_user_ips = hs.config.appservice.track_appservice_user_ips
-        self._track_puppeted_user_ips = hs.config.api.track_puppeted_user_ips
         self._force_tracing_for_users = hs.config.tracing.force_tracing_for_users
 
     @cancellable
@@ -115,9 +112,6 @@ class InternalAuth(BaseAuth):
         Once get_user_by_req has set up the opentracing span, this does the actual work.
         """
         try:
-            ip_addr = request.get_client_ip_if_available()
-            user_agent = get_request_user_agent(request)
-
             access_token = self.get_access_token_from_request(request)
 
             # First check if it could be a request from an appservice
@@ -154,38 +148,7 @@ class InternalAuth(BaseAuth):
                             errcode=Codes.EXPIRED_ACCOUNT,
                         )
 
-            if ip_addr and (
-                not requester.app_service or self._track_appservice_user_ips
-            ):
-                # XXX(quenting): I'm 95% confident that we could skip setting the
-                # device_id to "dummy-device" for appservices, and that the only impact
-                # would be some rows which whould not deduplicate in the 'user_ips'
-                # table during the transition
-                recorded_device_id = (
-                    "dummy-device"
-                    if requester.device_id is None and requester.app_service is not None
-                    else requester.device_id
-                )
-                await self.store.insert_client_ip(
-                    user_id=requester.authenticated_entity,
-                    access_token=access_token,
-                    ip=ip_addr,
-                    user_agent=user_agent,
-                    device_id=recorded_device_id,
-                )
-
-                # Track also the puppeted user client IP if enabled and the user is puppeting
-                if (
-                    requester.user.to_string() != requester.authenticated_entity
-                    and self._track_puppeted_user_ips
-                ):
-                    await self.store.insert_client_ip(
-                        user_id=requester.user.to_string(),
-                        access_token=access_token,
-                        ip=ip_addr,
-                        user_agent=user_agent,
-                        device_id=requester.device_id,
-                    )
+            await self._record_request(request, requester)
 
             if requester.is_guest and not allow_guest:
                 raise AuthError(