diff options
| author | Patrick Cloke <clokep@users.noreply.github.com> | 2023-05-19 08:06:54 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-05-19 08:06:54 -0400 |
| commit | 89a23c940672944acd98db58085cdc38191515a8 (patch) | |
| tree | 5b4036752f374f873f3a5474a6d1effb03d6a491 /tests/rest/client | |
| parent | Remove experimental configuration flags & unstable values for faster joins (#... (diff) | |
| download | synapse-89a23c940672944acd98db58085cdc38191515a8.tar.xz | |
Do not allow deactivated users to login with JWT. (#15624)
To improve the organization of this code it moves the JWT login checks to a separate handler and then fixes the bug (and a deprecation warning).
Diffstat (limited to 'tests/rest/client')
| -rw-r--r-- | tests/rest/client/test_login.py | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/tests/rest/client/test_login.py b/tests/rest/client/test_login.py index 62acf4f44e..dc32982e22 100644 --- a/tests/rest/client/test_login.py +++ b/tests/rest/client/test_login.py @@ -42,7 +42,7 @@ from tests.test_utils.html_parsers import TestHtmlParser from tests.unittest import HomeserverTestCase, override_config, skip_unless try: - from authlib.jose import jwk, jwt + from authlib.jose import JsonWebKey, jwt HAS_JWT = True except ImportError: @@ -1054,6 +1054,22 @@ class JWTTestCase(unittest.HomeserverTestCase): self.assertEqual(channel.json_body["errcode"], "M_FORBIDDEN") self.assertEqual(channel.json_body["error"], "Token field for JWT is missing") + def test_deactivated_user(self) -> None: + """Logging in as a deactivated account should error.""" + user_id = self.register_user("kermit", "monkey") + self.get_success( + self.hs.get_deactivate_account_handler().deactivate_account( + user_id, erase_data=False, requester=create_requester(user_id) + ) + ) + + channel = self.jwt_login({"sub": "kermit"}) + self.assertEqual(channel.code, 403, msg=channel.result) + self.assertEqual(channel.json_body["errcode"], "M_USER_DEACTIVATED") + self.assertEqual( + channel.json_body["error"], "This account has been deactivated" + ) + # The JWTPubKeyTestCase is a complement to JWTTestCase where we instead use # RSS256, with a public key configured in synapse as "jwt_secret", and tokens @@ -1121,7 +1137,7 @@ class JWTPubKeyTestCase(unittest.HomeserverTestCase): def jwt_encode(self, payload: Dict[str, Any], secret: str = jwt_privatekey) -> str: header = {"alg": "RS256"} if secret.startswith("-----BEGIN RSA PRIVATE KEY-----"): - secret = jwk.dumps(secret, kty="RSA") + secret = JsonWebKey.import_key(secret, {"kty": "RSA"}) result: bytes = jwt.encode(header, payload, secret) return result.decode("ascii") |