author | Hugh Nimmo-Smith <hughns@matrix.org> | 2022-11-17 14:34:11 +0000 |
---|---|---|
committer | Patrick Cloke <clokep@users.noreply.github.com> | 2023-05-30 09:43:06 -0400 |
commit | 5fe96082d09d1af3dc33b62b6a47a6baca02703c (patch) | |
tree | 45f176244f811d9ff34a69511be6ffda8b7230c7 /synapse/api/auth | |
parent | Initial tests for OAuth delegation (diff) | |
download | synapse-5fe96082d09d1af3dc33b62b6a47a6baca02703c.tar.xz |
Actually enforce guest + return www-authenticate header
Diffstat (limited to 'synapse/api/auth')
-rw-r--r-- | synapse/api/auth/oauth_delegated.py | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/synapse/api/auth/oauth_delegated.py b/synapse/api/auth/oauth_delegated.py
index cfa178218c..9cb6eb7f79 100644
--- a/synapse/api/auth/oauth_delegated.py
+++ b/synapse/api/auth/oauth_delegated.py
@@ -25,7 +25,12 @@ from twisted.web.client import readBody
 from twisted.web.http_headers import Headers
 from synapse.api.auth.base import BaseAuth
-from synapse.api.errors import AuthError, InvalidClientTokenError, StoreError
+from synapse.api.errors import (
+    AuthError,
+    InvalidClientTokenError,
+    OAuthInsufficientScopeError,
+    StoreError,
+)
 from synapse.http.site import SynapseRequest
 from synapse.logging.context import make_deferred_yieldable
 from synapse.types import Requester, UserID, create_requester
@@ -152,7 +157,16 @@ class OAuthDelegatedAuth(BaseAuth):
         allow_expired: bool = False,
     ) -> Requester:
         access_token = self.get_access_token_from_request(request)
-        return await self.get_user_by_access_token(access_token, allow_expired)
+
+        # TODO: we probably want to assert the allow_guest inside this call so that we don't provision the user if they don't have enough permission:
+        requester = await self.get_user_by_access_token(access_token, allow_expired)
+
+        if not allow_guest and requester.is_guest:
+            raise OAuthInsufficientScopeError(
+                ["urn:matrix:org.matrix.msc2967.client:api:*"]
+            )
+
+        return requester
     async def get_user_by_access_token(
         self,
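Review bot: The required scope in the second hunk is an inline string literal buried inside the `raise`; hoisting it to a module-level constant, e.g. `MSC2967_CLIENT_API_SCOPE = "urn:matrix:org.matrix.msc2967.client:api:*"` and then `raise OAuthInsufficientScopeError([MSC2967_CLIENT_API_SCOPE])`, gives the value one authoritative home for any further scope checks in this module. The new `# TODO` comment is a single very long line that the formatter will not wrap; splitting it across two comment lines keeps the hunk within the project's line length. The commit title promises a WWW-Authenticate header, but nothing in this hunk sets one, so presumably `OAuthInsufficientScopeError` builds it itself — a short comment above the raise such as `# 403 with WWW-Authenticate carrying the missing scope (see OAuthInsufficientScopeError)` would make that dependency visible to the next reader, if it holds. The enclosing method's signature, where `allow_guest` is declared, starts above this hunk.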