author | Richard van der Hoff <richard@matrix.org> | 2016-11-30 17:10:04 +0000 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2016-11-30 17:10:04 +0000 |
commit | dc4b23e1a102071227288bb9d2ad77611f0d34c8 (patch) | |
tree | c1147b1f393c416daa7fd8855850e42caf9d9956 /synapse/api | |
parent | Stop generating refresh tokens (diff) | |
parent | Merge pull request #1660 from matrix-org/rav/better_content_type_validation (diff) | |
Merge branch 'develop' into rav/no_more_refresh_tokens
Diffstat (limited to 'synapse/api')
-rw-r--r-- | synapse/api/auth.py | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 1ab27da941..b17025c7ce 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -39,6 +39,9 @@ AuthEventTypes = (
 EventTypes.ThirdPartyInvite,
 )
+# guests always get this device id.
+GUEST_DEVICE_ID = "guest_device"
+
 class Auth(object):
 """
@@ -717,7 +720,8 @@ class Auth(object):
 "user": user,
 "is_guest": True,
 "token_id": None,
- "device_id": None,
+ # all guests get the same device id
+ "device_id": GUEST_DEVICE_ID,
 }
 elif rights == "delete_pusher":
 # We don't store these tokens in the database
@@ -790,9 +794,6 @@ class Auth(object):
 type_string(str): The kind of token required (e.g. "access", "refresh",
 "delete_pusher")
 verify_expiry(bool): Whether to verify whether the macaroon has expired.
- This should really always be True, but there exist access tokens
- in the wild which expire when they should not, so we can't
- enforce expiry yet.
 user_id (str): The user_id required
 """
 v = pymacaroons.Verifier()
@@ -805,11 +806,24 @@ class Auth(object):
 v.satisfy_exact("type = " + type_string)
 v.satisfy_exact("user_id = %s" % user_id)
 v.satisfy_exact("guest = true")
+
+ # verify_expiry should really always be True, but there exist access
+ # tokens in the wild which expire when they should not, so we can't
+ # enforce expiry yet (so we have to allow any caveat starting with
+ # 'time < ' in access tokens).
+ #
+ # On the other hand, short-term login tokens (as used by CAS login, for
+ # example) have an expiry time which we do want to enforce.
+
 if verify_expiry:
 v.satisfy_general(self._verify_expiry)
 else:
 v.satisfy_general(lambda c: c.startswith("time < "))
+ # access_tokens and refresh_tokens include a nonce for uniqueness: any
+ # value is acceptable
+ v.satisfy_general(lambda c: c.startswith("nonce = "))
+
 v.verify(macaroon, self.hs.config.macaroon_secret_key)
 def _verify_expiry(self, caveat):
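Review bot: The new inline comment on the `"device_id"` entry restates what the `GUEST_DEVICE_ID` constant already says ("all guests get the same device id") rather than why a guest token needs a non-None device id at all, which is the thing a later reader will ask. Presumably some device-keyed code path downstream now requires a device id for guests — if so, say that here, e.g. `# guests have no registered device, so give them a fixed id that device-keyed code paths can use` (confirm the actual reason before wording it). Note that with `"token_id": None` and a constant device id, nothing in this dict distinguishes two guest tokens for the same user; whether that matters depends on callers outside this hunk. The enclosing function starts and ends outside the hunk.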
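Review bot: After this hunk the `verify_expiry` docstring entry says only "Whether to verify whether the macaroon has expired" and no longer tells a caller what passing False actually does; the removed sentences were moved into an inline comment, but the caller-facing contract should still be in the docstring. Since the False branch (visible in the last hunk of this file) installs `lambda c: c.startswith("time < ")`, I would keep one line here: `If False, any 'time < ' caveat on the macaroon is accepted without being checked.` The `type_string` entry still lists "refresh" as a valid kind; given this branch's parent commit is "Stop generating refresh tokens", that may be stale after the merge and is worth a look. The function this docstring belongs to starts and ends outside the hunk.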
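Review bot: With `verify_expiry=True` the expiry is enforced only on macaroons that actually carry a `time < ` caveat: `v.satisfy_general(self._verify_expiry)` is consulted per caveat present on the token, so a login macaroon minted without one would pass `v.verify` as if it never expired, which the new comment ("have an expiry time which we do want to enforce") does not make clear. If the minting side always adds the caveat this is fine, but the dependency should be stated next to the check, e.g. `# NOTE: this only checks a 'time < ' caveat if one is present; the minting code must always add one for tokens that are meant to expire.`; if that cannot be guaranteed, inspect `macaroon.first_party_caveats()` for such a caveat before calling `v.verify` and reject tokens that lack it. The added `nonce = ` predicate is sound since any caveat is signature-bound and accepting any value only widens what the verifier tolerates, but its comment mentions refresh_tokens while this branch's parent commit is "Stop generating refresh tokens", so that wording may be stale after the merge. `_verify_expiry` starts on the hunk's last line and its body is outside the hunk.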