summary refs log tree commit diff
path: root/synapse
diff options
context:
space:
mode:
authorNegar Fazeli <negar.fazeli@ericsson.com>2016-07-08 16:53:18 +0200
committerNegar Fazeli <negar.fazeli@ericsson.com>2016-07-13 15:00:37 +0200
commit0136a522b18a734db69171d60566f501c0ced663 (patch)
tree0828758ba08b5eba36d0442a9785ebf9341b2033 /synapse
parentMerge pull request #914 from matrix-org/markjh/upgrade (diff)
downloadsynapse-0136a522b18a734db69171d60566f501c0ced663.tar.xz
Bug fix: expire invalid access tokens
Diffstat (limited to '')
-rw-r--r--synapse/api/auth.py3
-rw-r--r--synapse/handlers/auth.py5
-rw-r--r--synapse/handlers/register.py6
-rw-r--r--synapse/rest/client/v1/register.py2
4 files changed, 10 insertions, 6 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index a4d658a9d0..521a52e001 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -629,7 +629,10 @@ class Auth(object):
         except AuthError:
             # TODO(daniel): Remove this fallback when all existing access tokens
             # have been re-issued as macaroons.
+            if self.hs.config.expire_access_token:
+                raise
             ret = yield self._look_up_user_by_access_token(token)
+
         defer.returnValue(ret)
 
     @defer.inlineCallbacks
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index e259213a36..5a0ed9d6b9 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -637,12 +637,13 @@ class AuthHandler(BaseHandler):
         yield self.store.add_refresh_token_to_user(user_id, refresh_token)
         defer.returnValue(refresh_token)
 
-    def generate_access_token(self, user_id, extra_caveats=None):
+    def generate_access_token(self, user_id, extra_caveats=None,
+                              duration_in_ms=(60 * 60 * 1000)):
         extra_caveats = extra_caveats or []
         macaroon = self._generate_base_macaroon(user_id)
         macaroon.add_first_party_caveat("type = access")
         now = self.hs.get_clock().time_msec()
-        expiry = now + (60 * 60 * 1000)
+        expiry = now + duration_in_ms
         macaroon.add_first_party_caveat("time < %d" % (expiry,))
         for caveat in extra_caveats:
             macaroon.add_first_party_caveat(caveat)
diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py
index 8c3381df8a..6b33b27149 100644
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@@ -360,7 +360,7 @@ class RegistrationHandler(BaseHandler):
         defer.returnValue(data)
 
     @defer.inlineCallbacks
-    def get_or_create_user(self, localpart, displayname, duration_seconds,
+    def get_or_create_user(self, localpart, displayname, duration_in_ms,
                            password_hash=None):
         """Creates a new user if the user does not exist,
         else revokes all previous access tokens and generates a new one.
@@ -390,8 +390,8 @@ class RegistrationHandler(BaseHandler):
 
         user = UserID(localpart, self.hs.hostname)
         user_id = user.to_string()
-        token = self.auth_handler().generate_short_term_login_token(
-            user_id, duration_seconds)
+        token = self.auth_handler().generate_access_token(
+            user_id, None, duration_in_ms)
 
         if need_register:
             yield self.store.register(
diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py
index ce7099b18f..8e1f1b7845 100644
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@@ -429,7 +429,7 @@ class CreateUserRestServlet(ClientV1RestServlet):
         user_id, token = yield handler.get_or_create_user(
             localpart=localpart,
             displayname=displayname,
-            duration_seconds=duration_seconds,
+            duration_in_ms=(duration_seconds * 1000),
             password_hash=password_hash
         )