diff options
author | Mark Haines <mark.haines@matrix.org> | 2015-10-21 15:48:34 +0100 |
---|---|---|
committer | Mark Haines <mark.haines@matrix.org> | 2015-10-21 15:48:34 +0100 |
commit | 5201c661082cb66e544c968ab3d5d97278509774 (patch) | |
tree | 1a23e19f9be1c6139fbff4052b416261d6aadcd6 /synapse/api | |
parent | Doc string for the SyncHandler.typing_by_room method (diff) | |
parent | Merge pull request #316 from matrix-org/markjh/v2_sync_archived (diff) | |
download | synapse-5201c661082cb66e544c968ab3d5d97278509774.tar.xz |
Merge branch 'develop' into markjh/v2_sync_typing
Conflicts: synapse/handlers/sync.py
Diffstat (limited to 'synapse/api')
-rw-r--r-- | synapse/api/auth.py | 27 |
1 files changed, 19 insertions, 8 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 5c83aafa7d..494c8ac3d4 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -14,7 +14,8 @@ # limitations under the License. """This module contains classes for authenticating the user.""" -from nacl.exceptions import BadSignatureError +from signedjson.key import decode_verify_key_bytes +from signedjson.sign import verify_signed_json, SignatureVerifyException from twisted.internet import defer @@ -26,7 +27,6 @@ from synapse.util import third_party_invites from unpaddedbase64 import decode_base64 import logging -import nacl.signing import pymacaroons logger = logging.getLogger(__name__) @@ -308,7 +308,11 @@ class Auth(object): ) if Membership.JOIN != membership: - # JOIN is the only action you can perform if you're not in the room + if (caller_invited + and Membership.LEAVE == membership + and target_user_id == event.user_id): + return True + if not caller_in_room: # caller isn't joined raise AuthError( 403, @@ -416,16 +420,23 @@ class Auth(object): key_validity_url ) return False - for _, signature_block in join_third_party_invite["signatures"].items(): + signed = join_third_party_invite["signed"] + if signed["mxid"] != event.user_id: + return False + if signed["token"] != token: + return False + for server, signature_block in signed["signatures"].items(): for key_name, encoded_signature in signature_block.items(): if not key_name.startswith("ed25519:"): return False - verify_key = nacl.signing.VerifyKey(decode_base64(public_key)) - signature = decode_base64(encoded_signature) - verify_key.verify(token, signature) + verify_key = decode_verify_key_bytes( + key_name, + decode_base64(public_key) + ) + verify_signed_json(signed, server, verify_key) return True return False - except (KeyError, BadSignatureError,): + except (KeyError, SignatureVerifyException,): return False def _get_power_level_event(self, auth_events): |