diff options
author | Daniel Wagner-Hall <dawagner@gmail.com> | 2015-10-19 15:52:34 +0100 |
---|---|---|
committer | Daniel Wagner-Hall <dawagner@gmail.com> | 2015-10-19 15:52:34 +0100 |
commit | 9261ef3a15583bc8d07077ecf59c026909c3623e (patch) | |
tree | 3494e17d08a857013ca09c94dcfe8824564bc27d /synapse/api | |
parent | Merge pull request #307 from matrix-org/erikj/search (diff) | |
parent | Stuff signed data in a standalone object (diff) | |
download | synapse-9261ef3a15583bc8d07077ecf59c026909c3623e.tar.xz |
Merge pull request #312 from matrix-org/daniel/3pidinvites
Stuff signed data in a standalone object
Diffstat (limited to 'synapse/api')
-rw-r--r-- | synapse/api/auth.py | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py index 5c83aafa7d..cf19eda4e9 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -14,7 +14,8 @@ # limitations under the License. """This module contains classes for authenticating the user.""" -from nacl.exceptions import BadSignatureError +from signedjson.key import decode_verify_key_bytes +from signedjson.sign import verify_signed_json, SignatureVerifyException from twisted.internet import defer @@ -26,7 +27,6 @@ from synapse.util import third_party_invites from unpaddedbase64 import decode_base64 import logging -import nacl.signing import pymacaroons logger = logging.getLogger(__name__) @@ -416,16 +416,23 @@ class Auth(object): key_validity_url ) return False - for _, signature_block in join_third_party_invite["signatures"].items(): + signed = join_third_party_invite["signed"] + if signed["mxid"] != event.user_id: + return False + if signed["token"] != token: + return False + for server, signature_block in signed["signatures"].items(): for key_name, encoded_signature in signature_block.items(): if not key_name.startswith("ed25519:"): return False - verify_key = nacl.signing.VerifyKey(decode_base64(public_key)) - signature = decode_base64(encoded_signature) - verify_key.verify(token, signature) + verify_key = decode_verify_key_bytes( + key_name, + decode_base64(public_key) + ) + verify_signed_json(signed, server, verify_key) return True return False - except (KeyError, BadSignatureError,): + except (KeyError, SignatureVerifyException,): return False def _get_power_level_event(self, auth_events): |