author | Quentin Gliech <quenting@element.io> | 2022-06-14 15:12:08 +0200 |
committer | GitHub <noreply@github.com> | 2022-06-14 09:12:08 -0400 |
commit | fe1daad67237c2154a3d8d8cdf6c603f0d33682e (patch) | |
tree | 82aba1f5c2a88a5759444d04a56acda35e5a8cc1 /tests/api/test_auth.py | |
parent | Fix Complement runs always being Postgres (#13034) (diff) | |
Move the "email unsubscribe" resource, refactor the macaroon generator & simplify the access token verification logic. (#12986)
This simplifies the access token verification logic by removing the `rights` parameter which was only ever used for the unsubscribe link in email notifications. The latter has been moved under the `/_synapse` namespace, since it is not a standard API. This also makes the email verification link more secure, by embedding the app_id and pushkey in the macaroon and verifying it. This prevents the user from tampering with the query parameters of that unsubscribe link. Macaroon generation is refactored: - Centralised all macaroon generation and verification logic to the `MacaroonGenerator` - Moved to `synapse.utils` - Changed the constructor to require only a `Clock`, hostname, and a secret key (instead of a full `Homeserver`). - Added tests for all methods.
Diffstat (limited to 'tests/api/test_auth.py')
-rw-r--r-- | tests/api/test_auth.py | 15 |
1 files changed, 5 insertions, 10 deletions
diff --git a/tests/api/test_auth.py b/tests/api/test_auth.py
index 54af9089e9..dfcfaf79b6 100644
--- a/tests/api/test_auth.py
+++ b/tests/api/test_auth.py
@@ -313,9 +313,7 @@ class AuthTestCase(unittest.HomeserverTestCase):
 self.assertEqual(self.store.insert_client_ip.call_count, 2)
 
 def test_get_user_from_macaroon(self):
- self.store.get_user_by_access_token = simple_async_mock(
- TokenLookupResult(user_id="@baldrick:matrix.org", device_id="device")
- )
+ self.store.get_user_by_access_token = simple_async_mock(None)
 
 user_id = "@baldrick:matrix.org"
 macaroon = pymacaroons.Macaroon(
@@ -323,17 +321,14 @@ class AuthTestCase(unittest.HomeserverTestCase):
 identifier="key",
 key=self.hs.config.key.macaroon_secret_key,
 )
+ # "Legacy" macaroons should not work for regular users not in the database
 macaroon.add_first_party_caveat("gen = 1")
 macaroon.add_first_party_caveat("type = access")
 macaroon.add_first_party_caveat("user_id = %s" % (user_id,))
- user_info = self.get_success(
- self.auth.get_user_by_access_token(macaroon.serialize())
+ serialized = macaroon.serialize()
+ self.get_failure(
+ self.auth.get_user_by_access_token(serialized), InvalidClientTokenError
 )
- self.assertEqual(user_id, user_info.user_id)
-
- # TODO: device_id should come from the macaroon, but currently comes
- # from the db.
- self.assertEqual(user_info.device_id, "device")
 
 def test_get_guest_user_from_macaroon(self):
 self.store.get_user_by_id = simple_async_mock({"is_guest": True})
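Review bot: The test name `test_get_user_from_macaroon` now says the opposite of what the second hunk asserts — the body has become a negative case that expects `InvalidClientTokenError` — so a reader looking for positive-path coverage of legacy access macaroons will be misled by the name. Rename it (e.g. `test_get_user_from_legacy_macaroon_rejected`) or add a docstring under the `def` such as `"""A legacy access macaroon for a user with no token row in the database must be rejected."""`. The added comment states the intent, but nothing in this file section shows the positive case (a legacy macaroon for a user that is in the database) still being exercised; if that coverage now lives in the new MacaroonGenerator tests, naming them in the comment would help. The first hunk removes what may be the only use of `TokenLookupResult` in this file, so its import is worth checking for being unused now. The enclosing `AuthTestCase` class starts and continues outside both hunks.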