diff options
author | Richard van der Hoff <github@rvanderhoff.org.uk> | 2017-12-05 09:42:46 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-12-05 09:42:46 +0000 |
commit | cc58e177f3436331381c6d3ad05f6ad17b6dc00a (patch) | |
tree | 9e4f1c084651ba9d30c5a5f383e967655227a431 /synapse/handlers/auth.py | |
parent | Merge pull request #2727 from matrix-org/rav/refactor_ui_auth_return (diff) | |
parent | Factor out a validate_user_via_ui_auth method (diff) | |
download | synapse-cc58e177f3436331381c6d3ad05f6ad17b6dc00a.tar.xz |
Merge pull request #2728 from matrix-org/rav/validate_user_via_ui_auth
Factor out a validate_user_via_ui_auth method
Diffstat (limited to 'synapse/handlers/auth.py')
-rw-r--r-- | synapse/handlers/auth.py | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index 28c80608a7..95b0cfeb48 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -89,6 +89,49 @@ class AuthHandler(BaseHandler): self._supported_login_types = frozenset(login_types) @defer.inlineCallbacks + def validate_user_via_ui_auth(self, requester, request_body, clientip): + """ + Checks that the user is who they claim to be, via a UI auth. + + This is used for things like device deletion and password reset where + the user already has a valid access token, but we want to double-check + that it isn't stolen by re-authenticating them. + + Args: + requester (Requester): The user, as given by the access token + + request_body (dict): The body of the request sent by the client + + clientip (str): The IP address of the client. + + Returns: + defer.Deferred[dict]: the parameters for this request (which may + have been given only in a previous call). + + Raises: + InteractiveAuthIncompleteError if the client has not yet completed + any of the permitted login flows + + AuthError if the client has completed a login flow, and it gives + a different user to `requester` + """ + + # we only support password login here + flows = [[LoginType.PASSWORD]] + + result, params, _ = yield self.check_auth( + flows, request_body, clientip, + ) + + user_id = result[LoginType.PASSWORD] + + # check that the UI auth matched the access token + if user_id != requester.user.to_string(): + raise AuthError(403, "Invalid auth") + + defer.returnValue(params) + + @defer.inlineCallbacks def check_auth(self, flows, clientdict, clientip): """ Takes a dictionary sent by the client in the login / registration |