summary refs log tree commit diff
path: root/synapse/api/auth.py
diff options
context:
space:
mode:
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r--synapse/api/auth.py19
1 files changed, 13 insertions, 6 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py

index adb7d64482..e36313e2fb 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# Copyright 2014, 2015 OpenMarket Ltd
+# Copyright 2014 - 2016 OpenMarket Ltd
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@ from twisted.internet import defer
 
 from synapse.api.constants import EventTypes, Membership, JoinRules
 from synapse.api.errors import AuthError, Codes, SynapseError, EventSizeError
-from synapse.types import RoomID, UserID, EventID
+from synapse.types import Requester, RoomID, UserID, EventID
 from synapse.util.logutils import log_function
 from unpaddedbase64 import decode_base64
 
@@ -528,13 +528,20 @@ class Auth(object):
                             403,
                             "Application service cannot masquerade as this user."
                         )
+                    if not (yield self.store.get_user_by_id(user_id)):
+                        raise AuthError(
+                            403,
+                            "Application service has not registered this user"
+                        )
 
                 if not user_id:
                     raise KeyError
 
                 request.authenticated_entity = user_id
 
-                defer.returnValue((UserID.from_string(user_id), "", False))
+                defer.returnValue(
+                    Requester(UserID.from_string(user_id), "", False)
+                )
                 return
             except KeyError:
                 pass  # normal users won't have the user_id query parameter set.
@@ -564,7 +571,7 @@ class Auth(object):
 
             request.authenticated_entity = user.to_string()
 
-            defer.returnValue((user, token_id, is_guest,))
+            defer.returnValue(Requester(user, token_id, is_guest))
         except KeyError:
             raise AuthError(
                 self.TOKEN_NOT_FOUND_HTTP_STATUS, "Missing access token.",
@@ -583,7 +590,7 @@ class Auth(object):
             AuthError if no user by that token exists or the token is invalid.
         """
         try:
-            ret = yield self._get_user_from_macaroon(token)
+            ret = yield self.get_user_from_macaroon(token)
         except AuthError:
             # TODO(daniel): Remove this fallback when all existing access tokens
             # have been re-issued as macaroons.
@@ -591,7 +598,7 @@ class Auth(object):
         defer.returnValue(ret)
 
     @defer.inlineCallbacks
-    def _get_user_from_macaroon(self, macaroon_str):
+    def get_user_from_macaroon(self, macaroon_str):
         try:
             macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
             self.validate_macaroon(macaroon, "access", False)
generated by cgit-magenta 1.5.1 (git 2.48.1) at 2025-06-01 13:19:10 +0000