summary refs log tree commit diff
path: root/synapse/handlers/auth.py
diff options
context:
space:
mode:
authorRichard van der Hoff <github@rvanderhoff.org.uk>2017-12-05 09:42:46 +0000
committerGitHub <noreply@github.com>2017-12-05 09:42:46 +0000
commitcc58e177f3436331381c6d3ad05f6ad17b6dc00a (patch)
tree9e4f1c084651ba9d30c5a5f383e967655227a431 /synapse/handlers/auth.py
parentMerge pull request #2727 from matrix-org/rav/refactor_ui_auth_return (diff)
parentFactor out a validate_user_via_ui_auth method (diff)
downloadsynapse-cc58e177f3436331381c6d3ad05f6ad17b6dc00a.tar.xz
Merge pull request #2728 from matrix-org/rav/validate_user_via_ui_auth
Factor out a validate_user_via_ui_auth method
Diffstat (limited to 'synapse/handlers/auth.py')
-rw-r--r--synapse/handlers/auth.py43
1 files changed, 43 insertions, 0 deletions
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 28c80608a7..95b0cfeb48 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -89,6 +89,49 @@ class AuthHandler(BaseHandler):
         self._supported_login_types = frozenset(login_types)
 
     @defer.inlineCallbacks
+    def validate_user_via_ui_auth(self, requester, request_body, clientip):
+        """
+        Checks that the user is who they claim to be, via a UI auth.
+
+        This is used for things like device deletion and password reset where
+        the user already has a valid access token, but we want to double-check
+        that it isn't stolen by re-authenticating them.
+
+        Args:
+            requester (Requester): The user, as given by the access token
+
+            request_body (dict): The body of the request sent by the client
+
+            clientip (str): The IP address of the client.
+
+        Returns:
+            defer.Deferred[dict]: the parameters for this request (which may
+                have been given only in a previous call).
+
+        Raises:
+            InteractiveAuthIncompleteError if the client has not yet completed
+                any of the permitted login flows
+
+            AuthError if the client has completed a login flow, and it gives
+                a different user to `requester`
+        """
+
+        # we only support password login here
+        flows = [[LoginType.PASSWORD]]
+
+        result, params, _ = yield self.check_auth(
+            flows, request_body, clientip,
+        )
+
+        user_id = result[LoginType.PASSWORD]
+
+        # check that the UI auth matched the access token
+        if user_id != requester.user.to_string():
+            raise AuthError(403, "Invalid auth")
+
+        defer.returnValue(params)
+
+    @defer.inlineCallbacks
     def check_auth(self, flows, clientdict, clientip):
         """
         Takes a dictionary sent by the client in the login / registration