author | Brendan Abolivier <babolivier@matrix.org> | 2020-03-10 13:49:11 +0000 |
committer | Brendan Abolivier <babolivier@matrix.org> | 2020-03-10 13:59:22 +0000 |
commit | 6b0efe73e21a5d346111df4dd367bc39a03108bb (patch) | |
tree | 0e20756775f5c628bc33d3b5b2a5b51a425cc70e /synapse/rest/saml2/response_resource.py | |
parent | Merge pull request #7055 from matrix-org/babolivier/get_time_of_last_push_act... (diff) | |
download | synapse-6b0efe73e21a5d346111df4dd367bc39a03108bb.tar.xz |
SAML2: render a comprehensible error page if something goes wrong
If an error happened while processing a SAML AuthN response, or a client ends up doing a `GET` request to `/authn_response`, then render a customisable error page rather than a confusing error.
Diffstat (limited to 'synapse/rest/saml2/response_resource.py')
-rw-r--r-- | synapse/rest/saml2/response_resource.py | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/synapse/rest/saml2/response_resource.py b/synapse/rest/saml2/response_resource.py
index 69ecc5e4b4..a545c13db7 100644
--- a/synapse/rest/saml2/response_resource.py
+++ b/synapse/rest/saml2/response_resource.py
@@ -14,7 +14,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from synapse.http.server import DirectServeResource, wrap_html_request_handler
+from synapse.http.server import (
+    DirectServeResource,
+    finish_request,
+    wrap_html_request_handler,
+)
 
 
 class SAML2ResponseResource(DirectServeResource):
@@ -24,8 +28,20 @@ class SAML2ResponseResource(DirectServeResource):
     def __init__(self, hs):
         super().__init__()
+        self._error_html_content = hs.config.saml2_error_html_content
         self._saml_handler = hs.get_saml_handler()
 
+    async def _async_render_GET(self, request):
+        # We're not expecting any GET request on that resource if everything goes right,
+        # but some IdPs sometimes end up responding with a 302 redirect on this endpoint.
+        # In this case, just tell the user that something went wrong and they should
+        # try to authenticate again.
+        request.setResponseCode(400)
+        request.setHeader(b"Content-Type", b"text/html; charset=utf-8")
+        request.setHeader(b"Content-Length", b"%d" % (len(self._error_html_content),))
+        request.write(self._error_html_content.encode("utf8"))
+        finish_request(request)
+
     @wrap_html_request_handler
     async def _async_render_POST(self, request):
         return await self._saml_handler.handle_saml_response(request)
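Review bot: In the new `_async_render_GET`, the Content-Length header is computed from `len(self._error_html_content)`, which counts characters of the str, while the body written is `self._error_html_content.encode("utf8")`, which is longer whenever the operator's custom error page contains non-ASCII characters; the declared length is then smaller than the body, so browsers and proxies may truncate the page or hold the connection open waiting for more data. Encode once and measure the bytes: `body = self._error_html_content.encode("utf8")`, `request.setHeader(b"Content-Length", b"%d" % (len(body),))`, `request.write(body)`. It is worth a one-line comment on the attribute in `__init__` noting that the page content comes only from server config and never reflects anything from the request, which is what keeps this handler free of injection concerns. The second hunk's line counts suggest one more context line after the `return await ...` line, so the class body appears to extend slightly past the visible hunk.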