diff options
author | Patrick Cloke <clokep@users.noreply.github.com> | 2021-06-16 11:07:28 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-16 11:07:28 -0400 |
commit | 76f9c701c3920d83c0fe8f08b9197e2e92e12dad (patch) | |
tree | eea41aae32a58a9484d27b975982143b41d65231 /synapse/rest/client | |
parent | A guide to the request log lines format. (#8436) (diff) | |
download | synapse-76f9c701c3920d83c0fe8f08b9197e2e92e12dad.tar.xz |
Always require users to re-authenticate for dangerous operations. (#10184)
Dangerous actions means deactivating an account, modifying an account password, or adding a 3PID. Other actions (deleting devices, uploading keys) can re-use the same UI auth session if ui_auth.session_timeout is configured.
Diffstat (limited to 'synapse/rest/client')
-rw-r--r-- | synapse/rest/client/v2_alpha/devices.py | 6 | ||||
-rw-r--r-- | synapse/rest/client/v2_alpha/keys.py | 3 |
2 files changed, 9 insertions, 0 deletions
diff --git a/synapse/rest/client/v2_alpha/devices.py b/synapse/rest/client/v2_alpha/devices.py index 9af05f9b11..8b9674db06 100644 --- a/synapse/rest/client/v2_alpha/devices.py +++ b/synapse/rest/client/v2_alpha/devices.py @@ -86,6 +86,9 @@ class DeleteDevicesRestServlet(RestServlet): request, body, "remove device(s) from your account", + # Users might call this multiple times in a row while cleaning up + # devices, allow a single UI auth session to be re-used. + can_skip_ui_auth=True, ) await self.device_handler.delete_devices( @@ -135,6 +138,9 @@ class DeviceRestServlet(RestServlet): request, body, "remove a device from your account", + # Users might call this multiple times in a row while cleaning up + # devices, allow a single UI auth session to be re-used. + can_skip_ui_auth=True, ) await self.device_handler.delete_device(requester.user.to_string(), device_id) diff --git a/synapse/rest/client/v2_alpha/keys.py b/synapse/rest/client/v2_alpha/keys.py index 4a28f2c072..33cf8de186 100644 --- a/synapse/rest/client/v2_alpha/keys.py +++ b/synapse/rest/client/v2_alpha/keys.py @@ -277,6 +277,9 @@ class SigningKeyUploadServlet(RestServlet): request, body, "add a device signing key to your account", + # Allow skipping of UI auth since this is frequently called directly + # after login and it is silly to ask users to re-auth immediately. + can_skip_ui_auth=True, ) result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body) |