Disable account related endpoints when using OAuth delegation

author: Quentin Gliech <quenting@element.io> 2023-05-10 16:08:43 +0200
committer: Patrick Cloke <clokep@users.noreply.github.com> 2023-05-30 09:43:06 -0400
commit: 31691d61511d41286272d779727502e396ce86eb (patch)
tree: 54be19a491abb565e5d4e9eb8394d627d69c2e36 /synapse/handlers
parent: Actually enforce guest + return www-authenticate header (diff)
download: synapse-31691d61511d41286272d779727502e396ce86eb.tar.xz
1 files changed, 7 insertions, 1 deletions
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index d001f2fb2f..a53984be33 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -274,6 +274,8 @@ class AuthHandler:
         # response.
         self._extra_attributes: Dict[str, SsoLoginExtraAttributes] = {}
 
+        self.oauth_delegation_enabled = hs.config.auth.oauth_delegation_enabled
+
     async def validate_user_via_ui_auth(
         self,
         requester: Requester,
@@ -322,8 +324,12 @@ class AuthHandler:
 
             LimitExceededError if the ratelimiter's failed request count for this
                 user is too high to proceed
-
         """
+        if self.oauth_delegation_enabled:
+            raise SynapseError(
+                HTTPStatus.INTERNAL_SERVER_ERROR, "UIA shouldn't be used with MSC3861"
+            )
+
         if not requester.access_token_id:
             raise ValueError("Cannot validate a user without an access token")
         if can_skip_ui_auth and self._ui_auth_session_timeout:
author	Quentin Gliech <quenting@element.io>	2023-05-10 16:08:43 +0200
committer	Patrick Cloke <clokep@users.noreply.github.com>	2023-05-30 09:43:06 -0400
commit	31691d61511d41286272d779727502e396ce86eb (patch)
tree	54be19a491abb565e5d4e9eb8394d627d69c2e36 /synapse/handlers
parent	Actually enforce guest + return www-authenticate header (diff)
download	synapse-31691d61511d41286272d779727502e396ce86eb.tar.xz