summary refs log tree commit diff
path: root/synapse/handlers/auth.py
diff options
context:
space:
mode:
Diffstat (limited to 'synapse/handlers/auth.py')
-rw-r--r--synapse/handlers/auth.py64
1 files changed, 43 insertions, 21 deletions
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 3d2461dd7d..2cc54707a2 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -20,6 +20,7 @@ from synapse.api.constants import LoginType
 from synapse.types import UserID
 from synapse.api.errors import LoginError, Codes
 from synapse.http.client import SimpleHttpClient
+from synapse.util.async import run_on_reactor
 
 from twisted.web.client import PartialDownloadError
 
@@ -40,6 +41,7 @@ class AuthHandler(BaseHandler):
         self.checkers = {
             LoginType.PASSWORD: self._check_password_auth,
             LoginType.RECAPTCHA: self._check_recaptcha,
+            LoginType.EMAIL_IDENTITY: self._check_email_identity,
         }
         self.sessions = {}
 
@@ -54,24 +56,37 @@ class AuthHandler(BaseHandler):
             authdict: The dictionary from the client root level, not the
                       'auth' key: this method prompts for auth if none is sent.
         Returns:
-            A tuple of authed, dict where authed is true if the client
-            has successfully completed an auth flow. If it is true, the dict
-            contains the authenticated credentials of each stage.
-            If authed is false, the dictionary is the server response to the
-            login request and should be passed back to the client.
+            A tuple of authed, dict, dict where authed is true if the client
+            has successfully completed an auth flow. If it is true, the first
+            dict contains the authenticated credentials of each stage.
+
+            If authed is false, the first dictionary is the server response to
+            the login request and should be passed back to the client.
+
+            In either case, the second dict contains the parameters for this
+            request (which may have been given only in a previous call).
         """
 
-        if not clientdict or 'auth' not in clientdict:
-            sess = self._get_session_info(None)
+        authdict = None
+        sid = None
+        if clientdict and 'auth' in clientdict:
+            authdict = clientdict['auth']
+            del clientdict['auth']
+            if 'session' in authdict:
+                sid = authdict['session']
+        sess = self._get_session_info(sid)
+
+        if len(clientdict) > 0:
+            sess['clientdict'] = clientdict
+            self._save_session(sess)
+        elif 'clientdict' in sess:
+            clientdict = sess['clientdict']
+
+        if not authdict:
             defer.returnValue(
-                (False, self._auth_dict_for_flows(flows, sess))
+                (False, self._auth_dict_for_flows(flows, sess), clientdict)
             )
 
-        authdict = clientdict['auth']
-
-        sess = self._get_session_info(
-            authdict['session'] if 'session' in authdict else None
-        )
         if 'creds' not in sess:
             sess['creds'] = {}
         creds = sess['creds']
@@ -89,11 +104,11 @@ class AuthHandler(BaseHandler):
             if len(set(f) - set(creds.keys())) == 0:
                 logger.info("Auth completed with creds: %r", creds)
                 self._remove_session(sess)
-                defer.returnValue((True, creds))
+                defer.returnValue((True, creds, clientdict))
 
         ret = self._auth_dict_for_flows(flows, sess)
         ret['completed'] = creds.keys()
-        defer.returnValue((False, ret))
+        defer.returnValue((False, ret, clientdict))
 
     @defer.inlineCallbacks
     def add_oob_auth(self, stagetype, authdict, clientip):
@@ -175,18 +190,25 @@ class AuthHandler(BaseHandler):
             defer.returnValue(True)
         raise LoginError(401, "", errcode=Codes.UNAUTHORIZED)
 
+    @defer.inlineCallbacks
+    def _check_email_identity(self, authdict, _):
+        yield run_on_reactor()
+
+        threepidCreds = authdict['threepidCreds']
+        identity_handler = self.hs.get_handlers().identity_handler
+
+        logger.debug("Getting validated threepid. threepidcreds: %r" % (threepidCreds,))
+        threepid = yield identity_handler.threepid_from_creds(threepidCreds)
+
+        defer.returnValue(threepid)
+
     def _get_params_recaptcha(self):
         return {"public_key": self.hs.config.recaptcha_public_key}
 
     def _auth_dict_for_flows(self, flows, session):
         public_flows = []
         for f in flows:
-            hidden = False
-            for stagetype in f:
-                if stagetype in LoginType.HIDDEN_TYPES:
-                    hidden = True
-            if not hidden:
-                public_flows.append(f)
+            public_flows.append(f)
 
         get_params = {
             LoginType.RECAPTCHA: self._get_params_recaptcha,