Generate guest access token on 3pid invites

This means that following the same link across multiple sessions or devices can re-use the same guest account. Note that this is somewhat of an abuse vector; we can't throw up captchas on this flow, so this is a way of registering ephemeral accounts for spam, whose sign-up we don't rate limit.
author: Daniel Wagner-Hall <daniel@matrix.org> 2016-02-24 14:41:25 +0000
committer: review.rocks <nobody@review.rocks> 2016-02-24 14:41:25 +0000
commit: 33300673b7a6f79802f691ac121e720cb44c0dfc (patch)
tree: e093e52c405849706fc2b6d55cb74259eac2a64f /synapse/handlers
parent: Ignore invalid POST bodies when joining rooms (diff)
download: synapse-33300673b7a6f79802f691ac121e720cb44c0dfc.tar.xz
2 files changed, 23 insertions, 0 deletions
diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py
index f8959e5d82..6d155d57e7 100644
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@@ -349,3 +349,18 @@ class RegistrationHandler(BaseHandler):
 
     def auth_handler(self):
         return self.hs.get_handlers().auth_handler
+
+    @defer.inlineCallbacks
+    def guest_access_token_for(self, medium, address, inviter_user_id):
+        access_token = yield self.store.get_3pid_guest_access_token(medium, address)
+        if access_token:
+            defer.returnValue(access_token)
+
+        _, access_token = yield self.register(
+            generate_token=True,
+            make_guest=True
+        )
+        access_token = yield self.store.save_or_get_3pid_guest_access_token(
+            medium, address, access_token, inviter_user_id
+        )
+        defer.returnValue(access_token)
diff --git a/synapse/handlers/room.py b/synapse/handlers/room.py
index eb9700a35b..d2de23a6cc 100644
--- a/synapse/handlers/room.py
+++ b/synapse/handlers/room.py
@@ -848,6 +848,13 @@ class RoomMemberHandler(BaseHandler):
                 user.
         """
 
+        registration_handler = self.hs.get_handlers().registration_handler
+        guest_access_token = yield registration_handler.guest_access_token_for(
+            medium=medium,
+            address=address,
+            inviter_user_id=inviter_user_id,
+        )
+
         is_url = "%s%s/_matrix/identity/api/v1/store-invite" % (
             id_server_scheme, id_server,
         )
@@ -864,6 +871,7 @@ class RoomMemberHandler(BaseHandler):
                 "sender": inviter_user_id,
                 "sender_display_name": inviter_display_name,
                 "sender_avatar_url": inviter_avatar_url,
+                "guest_access_token": guest_access_token,
             }
         )
         # TODO: Check for success
author	Daniel Wagner-Hall <daniel@matrix.org>	2016-02-24 14:41:25 +0000
committer	review.rocks <nobody@review.rocks>	2016-02-24 14:41:25 +0000
commit	33300673b7a6f79802f691ac121e720cb44c0dfc (patch)
tree	e093e52c405849706fc2b6d55cb74259eac2a64f /synapse/handlers
parent	Ignore invalid POST bodies when joining rooms (diff)
download	synapse-33300673b7a6f79802f691ac121e720cb44c0dfc.tar.xz