Stop putting a time caveat on access tokens

The 'time' caveat on the access tokens was something of a lie, since we weren't enforcing it; more pertinently its presence stops us ever adding useful time caveats. Let's move in the right direction by not lying in our caveats.
author: Richard van der Hoff <richard@matrix.org> 2016-11-28 09:55:21 +0000
committer: Richard van der Hoff <richard@matrix.org> 2016-11-29 16:49:41 +0000
commit: 1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd (patch)
tree: 1aa5d1b54239c730c32cab8d05abf405cd6e2ff9 /synapse/handlers
parent: Merge pull request #1655 from matrix-org/rav/remove_redundant_macaroon_checks (diff)
download: synapse-1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd.tar.xz
2 files changed, 8 insertions, 8 deletions
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index a2866af431..20aaec36a4 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -538,14 +538,15 @@ class AuthHandler(BaseHandler):
                                                    device_id)
         defer.returnValue(refresh_token)
 
-    def generate_access_token(self, user_id, extra_caveats=None,
-                              duration_in_ms=(60 * 60 * 1000)):
+    def generate_access_token(self, user_id, extra_caveats=None):
         extra_caveats = extra_caveats or []
         macaroon = self._generate_base_macaroon(user_id)
         macaroon.add_first_party_caveat("type = access")
-        now = self.hs.get_clock().time_msec()
-        expiry = now + duration_in_ms
-        macaroon.add_first_party_caveat("time < %d" % (expiry,))
+        # Include a nonce, to make sure that each login gets a different
+        # access token.
+        macaroon.add_first_party_caveat("nonce = %s" % (
+            stringutils.random_string_with_symbols(16),
+        ))
         for caveat in extra_caveats:
             macaroon.add_first_party_caveat(caveat)
         return macaroon.serialize()
diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py
index 7e119f13b1..886fec8701 100644
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@@ -369,7 +369,7 @@ class RegistrationHandler(BaseHandler):
         defer.returnValue(data)
 
     @defer.inlineCallbacks
-    def get_or_create_user(self, requester, localpart, displayname, duration_in_ms,
+    def get_or_create_user(self, requester, localpart, displayname,
                            password_hash=None):
         """Creates a new user if the user does not exist,
         else revokes all previous access tokens and generates a new one.
@@ -399,8 +399,7 @@ class RegistrationHandler(BaseHandler):
 
         user = UserID(localpart, self.hs.hostname)
         user_id = user.to_string()
-        token = self.auth_handler().generate_access_token(
-            user_id, None, duration_in_ms)
+        token = self.auth_handler().generate_access_token(user_id)
 
         if need_register:
             yield self.store.register(
author	Richard van der Hoff <richard@matrix.org>	2016-11-28 09:55:21 +0000
committer	Richard van der Hoff <richard@matrix.org>	2016-11-29 16:49:41 +0000
commit	1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd (patch)
tree	1aa5d1b54239c730c32cab8d05abf405cd6e2ff9 /synapse/handlers
parent	Merge pull request #1655 from matrix-org/rav/remove_redundant_macaroon_checks (diff)
download	synapse-1c4f05db41eab20f8be4ac2dac0f7e86b0b7e1fd.tar.xz