Validate that the session is not modified during UI-Auth (#7068)

author: Patrick Cloke <clokep@users.noreply.github.com> 2020-03-26 07:39:34 -0400
committer: GitHub <noreply@github.com> 2020-03-26 07:39:34 -0400
commit: 1c1242acba9694a3a4b1eb3b14ec0bac11ee4ff8 (patch)
tree: d1f850c22a7c141d6c2199916b4b5b011a4ae754 /synapse/rest/client/v2_alpha/account.py
parent: Remove unused captcha_bypass_secret option (#7137) (diff)
download: synapse-1c1242acba9694a3a4b1eb3b14ec0bac11ee4ff8.tar.xz
1 files changed, 7 insertions, 4 deletions
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py
index 631cc74cb4..b1249b664c 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -234,13 +234,16 @@ class PasswordRestServlet(RestServlet):
         if self.auth.has_access_token(request):
             requester = await self.auth.get_user_by_req(request)
             params = await self.auth_handler.validate_user_via_ui_auth(
-                requester, body, self.hs.get_ip_from_request(request)
+                requester, request, body, self.hs.get_ip_from_request(request),
             )
             user_id = requester.user.to_string()
         else:
             requester = None
             result, params, _ = await self.auth_handler.check_auth(
-                [[LoginType.EMAIL_IDENTITY]], body, self.hs.get_ip_from_request(request)
+                [[LoginType.EMAIL_IDENTITY]],
+                request,
+                body,
+                self.hs.get_ip_from_request(request),
             )
 
             if LoginType.EMAIL_IDENTITY in result:
@@ -308,7 +311,7 @@ class DeactivateAccountRestServlet(RestServlet):
             return 200, {}
 
         await self.auth_handler.validate_user_via_ui_auth(
-            requester, body, self.hs.get_ip_from_request(request)
+            requester, request, body, self.hs.get_ip_from_request(request),
         )
         result = await self._deactivate_account_handler.deactivate_account(
             requester.user.to_string(), erase, id_server=body.get("id_server")
@@ -656,7 +659,7 @@ class ThreepidAddRestServlet(RestServlet):
         assert_valid_client_secret(client_secret)
 
         await self.auth_handler.validate_user_via_ui_auth(
-            requester, body, self.hs.get_ip_from_request(request)
+            requester, request, body, self.hs.get_ip_from_request(request),
         )
 
         validation_session = await self.identity_handler.validate_threepid_session(
author	Patrick Cloke <clokep@users.noreply.github.com>	2020-03-26 07:39:34 -0400
committer	GitHub <noreply@github.com>	2020-03-26 07:39:34 -0400
commit	1c1242acba9694a3a4b1eb3b14ec0bac11ee4ff8 (patch)
tree	d1f850c22a7c141d6c2199916b4b5b011a4ae754 /synapse/rest/client/v2_alpha/account.py
parent	Remove unused captcha_bypass_secret option (#7137) (diff)
download	synapse-1c1242acba9694a3a4b1eb3b14ec0bac11ee4ff8.tar.xz