summary refs log tree commit diff
path: root/synapse/api/auth.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Send the user ID matching the guest access token, since there is no Matrix ↵David Baker2016-03-071-2/+2
| | | | API to discover what user ID an access token is for.
* Allow third_party_signed to be specified on /joinDaniel Wagner-Hall2016-02-231-21/+36
|
* Fix up logcontextsErik Johnston2016-02-081-1/+3
|
* Log more diagnostics for unrecognised access tokensDaniel Wagner-Hall2016-02-021-0/+2
|
* Fix flake8 warnings for new flake8Daniel Wagner-Hall2016-02-021-1/+1
|
* Don't error on AS non-ghost user useDaniel Wagner-Hall2016-01-181-0/+2
| | | | | This will probably go away either when we fix our existing ASes, or when we kill the concept of non-ghost users.
* Pull out app service user lookupDaniel Wagner-Hall2016-01-181-31/+28
| | | | I find this a lot simpler than nested try-catches and stuff
* Require AS users to be registered before useDaniel Wagner-Hall2016-01-131-0/+5
|
* Introduce a Requester objectDaniel Wagner-Hall2016-01-111-3/+5
| | | | | | | | | This tracks data about the entity which made the request. This is instead of passing around a tuple, which requires call-site modifications every time a new piece of optional context is passed around. I tried to introduce a User object. I gave up.
* Allow guests to upgrade their accountsDaniel Wagner-Hall2016-01-051-3/+3
|
* Strip address and such out of 3pid invitesDaniel Wagner-Hall2015-12-171-1/+1
| | | | We're not meant to leak that into the graph
* Allow user to redact with an equal powerErik Johnston2015-11-261-1/+1
| | | | | Users only need their power level to be equal to the redact level for them to be allowed to redact events.
* Merge branch 'develop' into daniel/forgetroomsPaul "LeoNerd" Evans2015-11-191-8/+17
|\
| * Take a boolean not a list of lambdasDaniel Wagner-Hall2015-11-191-8/+17
| |
* | Allow users to forget roomsDaniel Wagner-Hall2015-11-171-0/+7
|/
* Always check guest = true in macaroonsSteven Hammerton2015-11-171-1/+2
|
* Share more code between macaroon validationSteven Hammerton2015-11-111-9/+10
|
* Exchange 3pid invites for m.room.member invitesDaniel Wagner-Hall2015-11-051-35/+38
|
* Allow guests to register and call /events?room_id=Daniel Wagner-Hall2015-11-041-41/+54
| | | | | | | This follows the same flows-based flow as regular registration, but as the only implemented flow has no requirements, it auto-succeeds. In the future, other flows (e.g. captcha) may be required, so clients should treat this like the regular registration flow choices.
* Reject events which are too largeDaniel Wagner-Hall2015-10-221-1/+21
| | | | SPEC-222
* Allow rejecting invitesDaniel Wagner-Hall2015-10-201-1/+5
| | | | | This is done by using the same /leave flow as you would use if you had already accepted the invite and wanted to leave.
* Stuff signed data in a standalone objectDaniel Wagner-Hall2015-10-161-7/+14
| | | | | Makes both generating it in sydent, and verifying it here, simpler at the cost of some repetition
* Add signing host and keyname to signaturesDaniel Wagner-Hall2015-10-161-5/+9
|
* Verify third party ID server certificatesDaniel Wagner-Hall2015-10-161-0/+11
|
* Remove unnecessary class-wrappingDaniel Wagner-Hall2015-10-131-3/+3
|
* Add some docstringDaniel Wagner-Hall2015-10-131-0/+15
|
* Move event contents into third_party_layout fieldDaniel Wagner-Hall2015-10-131-9/+12
|
* Add third party invites to auth_events for joinsDaniel Wagner-Hall2015-10-061-0/+5
|
* Merge branch 'develop' into daniel/3pidinvitesDaniel Wagner-Hall2015-10-051-1/+24
|\
| * Merge branch 'develop' of github.com:matrix-org/synapse into erikj/unfederatableErik Johnston2015-10-021-3/+140
| |\
| * \ Merge branch 'develop' of github.com:matrix-org/synapse into erikj/unfederatableErik Johnston2015-09-141-8/+27
| |\ \
| * | | Also check the domains for membership state_keysErik Johnston2015-09-011-0/+9
| | | |
| * | | Merge branch 'erikj/check_room_exists' into erikj/unfederatableErik Johnston2015-09-011-0/+8
| |\ \ \
| * | | | Check against sender rather than event_idErik Johnston2015-09-011-3/+3
| | | | |
| * | | | Add flag which disables federation of the roomErik Johnston2015-09-011-1/+15
| | | | |
* | | | | Implement third party identifier invitesDaniel Wagner-Hall2015-10-011-1/+32
| |_|_|/ |/| | |
* | | | Merge pull request #276 from ↵Mark Haines2015-09-211-0/+51
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | matrix-org/markjh/history_for_rooms_that_have_been_left SPEC-216: Allow users to view the history of rooms that they have left.
| * | | | Clarify which event is returned by check_user_was_in_roomMark Haines2015-09-211-2/+3
| | | | |
| * | | | Allow rooms/{roomId}/state for a room that has been leftMark Haines2015-09-091-1/+2
| | | | |
| * | | | Allow room initialSync for users that have left the room, returning a ↵Mark Haines2015-09-091-0/+49
| | | | | | | | | | | | | | | | | | | | snapshot of how the room was when they left it
* | | | | Merge pull request #256 from matrix-org/authDaniel Wagner-Hall2015-09-141-3/+89
|\ \ \ \ \ | |_|_|_|/ |/| | | | Attempt to validate macaroons
| * | | | s/user_id/user/g for consistencyDaniel Wagner-Hall2015-09-011-10/+10
| | | | |
| * | | | Attempt to validate macaroonsDaniel Wagner-Hall2015-08-261-9/+95
| | |/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A couple of weird caveats: * If we can't validate your macaroon, we fall back to checking that your access token is in the DB, and ignoring the failure * Even if we can validate your macaroon, we still have to hit the DB to get the access token ID, which we pretend is a device ID all over the codebase. This mostly adds the interesting code, and points out the two pieces we need to delete (and necessary conditions) in order to fix the above caveats.
* | | | Merge pull request #265 from matrix-org/erikj/check_room_existsErik Johnston2015-09-141-0/+8
|\ \ \ \ | |_|/ / |/| | / | | |/ | |/| Check room exists when authenticating an event
| * | Fix testsErik Johnston2015-09-011-1/+1
| | |
| * | Check room exists when authenticating an event, by asserting they reference ↵Erik Johnston2015-09-011-0/+8
| |/ | | | | | | a creation event
* | Check domain of events properlyDaniel Wagner-Hall2015-09-011-1/+3
| | | | | | | | Federated servers still need to delegate authority to owning servers
* | Allow users to redact their own eventsDaniel Wagner-Hall2015-08-281-8/+25
|/
* Stop looking up "admin", which we never readDaniel Wagner-Hall2015-08-251-3/+1
|
* Re-wrap lineDaniel Wagner-Hall2015-08-251-3/+1
|
* Remove completely unused concepts from codebaseDaniel Wagner-Hall2015-08-251-10/+7
| | | | | | | | | | Removes device_id and ClientInfo device_id is never actually written, and the matrix.org DB has no non-null entries for it. Right now, it's just cluttering up code. This doesn't remove the columns from the database, because that's fiddly.
* s/by_token/by_access_token/gDaniel Wagner-Hall2015-08-201-3/+3
| | | | We're about to have two kinds of token, access and refresh
* Set request.authenticated_entity for application servicesErik Johnston2015-08-181-0/+3
|
* Add missing space because linterDaniel Wagner-Hall2015-08-111-1/+1
|
* Minor docs cleanupDaniel Wagner-Hall2015-08-111-2/+7
|
* Remove redundant if-guardDaniel Wagner-Hall2015-08-111-13/+12
| | | | The startswith("@") does the job
* Merge branch 'develop' of github.com:matrix-org/synapse into ↵Erik Johnston2015-07-131-1/+2
|\ | | | | | | erikj/power_level_sanity
| * Add m.room.history_visibility to newly created rooms' m.room.power_levelsErik Johnston2015-07-061-0/+1
| |
| * Add m.room.history_visibility to list of auth eventsErik Johnston2015-07-031-1/+1
| |
* | Sanitize power level checksErik Johnston2015-07-101-15/+21
| |
* | You shouldn't be able to ban/kick users with higher power levelsErik Johnston2015-07-101-2/+5
|/
* Log more when we have processed the requestErik Johnston2015-06-151-0/+2
|
* TypoErik Johnston2015-05-011-1/+1
|
* Remove some run_on_reactorsErik Johnston2015-05-011-3/+0
|
* Don't log all auth events every time we call auth.checkErik Johnston2015-05-011-1/+4
|
* Don't wait for storage of access_tokenErik Johnston2015-05-011-1/+1
|
* Merge pull request #126 from matrix-org/csauthMark Haines2015-04-281-19/+27
|\ | | | | Client / Server Auth Refactor
| * Merge branch 'develop' into csauthDavid Baker2015-04-241-58/+30
| |\ | | | | | | | | | | | | Conflicts: synapse/http/server.py
| * | Add an error code to 'missing token' response.David Baker2015-04-231-1/+2
| | |
| * | Merge branch 'develop' into csauthDavid Baker2015-04-171-14/+11
| |\ \
| * | | unused importDavid Baker2015-03-241-1/+1
| | | |
| * | | 1) Pushers are now associated with an access tokenDavid Baker2015-03-241-18/+25
| | | | | | | | | | | | | | | | 2) Change places where we mean unauthenticated to 401, not 403, in C/S v2: hack so it stays as 403 in v1 because web client relies on it.
* | | | Merge branch 'develop' into invite_power_levelPaul "LeoNerd" Evans2015-04-271-36/+12
|\ \ \ \ | | |_|/ | |/| |
| * | | Neater fetching of user's auth level in a room - squash to int() at access ↵Paul "LeoNerd" Evans2015-04-221-35/+12
| | | | | | | | | | | | | | | | time (SYN-353)
| * | | Appease pep8Paul "LeoNerd" Evans2015-04-221-1/+0
| | | |
* | | | Also remember to check 'invite' level for changesPaul "LeoNerd" Evans2015-04-211-0/+1
| | | |
* | | | Initial implementation of an 'invite' power_levelPaul "LeoNerd" Evans2015-04-211-0/+7
|/ / /
* | | Much neater fetching of defined powerlevels from m.room.power_levels state eventPaul "LeoNerd" Evans2015-04-211-31/+21
| | |
* | | Remove debugging print statement accidentally committedPaul "LeoNerd" Evans2015-04-211-1/+0
| | |
* | | Sanitise a user's powerlevel to an int() before numerical comparison, ↵Paul "LeoNerd" Evans2015-04-211-0/+7
| |/ |/| | | | | because otherwise Python is "helpful" with it (SYN-351)
* | Neater implementation of membership change auth checks, ensuring we can't ↵Paul "LeoNerd" Evans2015-04-151-18/+10
| | | | | | | | forget to check if the calling user is a member of the room
* | Ensure that non-room-members cannot ban others, even if they do have enough ↵Paul "LeoNerd" Evans2015-04-151-0/+5
| | | | | | | | powerlevel (SYN-343)
* | Fix a bug which causes a send event level of 0 to not be honoured.Kegan Dougal2015-04-071-1/+1
|/ | | | | Caused by a bad if check, which incorrectly executes for both 0 and None, when None was the original intent.
* @cached() annotate get_user_by_token() - achieves a minor DB performance ↵Paul "LeoNerd" Evans2015-03-171-1/+1
| | | | improvement
* Remove concept of context.auth_events, instead use context.current_stateErik Johnston2015-03-161-6/+0
|
* Make context.auth_events grap auth events from current state. Otherwise auth ↵Erik Johnston2015-03-161-1/+7
| | | | is wrong.
* Respect ban membershipErik Johnston2015-03-161-5/+17
|
* Merge branch 'develop' into application-servicesKegan Dougal2015-02-111-7/+14
|\
| * During room intial sync, only calculate current state once.Erik Johnston2015-02-091-7/+14
| |
* | Modify auth.get_user_by_req for authing appservices directly.Kegan Dougal2015-02-091-18/+16
| | | | | | | | | | | | Add logic to map the appservice token to the autogenned appservice user ID. Add unit tests for all forms of get_user_by_req (user/appservice, valid/bad/missing tokens)
* | Grant ASes the ability to create alias in their own namespace.Kegan Dougal2015-02-061-0/+12
| | | | | | | | | | | | Add a new errcode type M_EXCLUSIVE when users try to create aliases inside AS namespaces, and when ASes try to create aliases outside their own namespace.
* | Fix unit tests.Kegan Dougal2015-02-051-0/+6
| |
* | Add CS extension for masquerading as users within the namespaces specified ↵Kegan Dougal2015-02-051-0/+23
|/ | | | by the AS.
* Change context.auth_events to what the auth_events would be bases on ↵Erik Johnston2015-02-041-6/+6
| | | | context.current_state, rather than based on the auth_events from the event.
* Keep around the old (buggy) version of the prune_event function so that we ↵Erik Johnston2015-02-031-2/+0
| | | | can use it to check signatures for events on old servers
* Fix bug where we superfluously asked for current state. Change API of ↵Erik Johnston2015-01-301-0/+2
| | | | /query_auth/ so that we don't duplicate events in the response.
* Merge branch 'develop' of github.com:matrix-org/synapse into rejectionsErik Johnston2015-01-301-3/+8
|\ | | | | | | | | | | Conflicts: synapse/storage/__init__.py synapse/storage/schema/delta/v12.sql
| * Rename ClientID to ClientInfo since it is a pair of IDs rather than a single ↵Mark Haines2015-01-281-2/+2
| | | | | | | | identifier
| * Add a : to the doc string after the type of the return valueMark Haines2015-01-281-1/+1
| |
| * Extract the id token of the token when authing users, include the token and ↵Mark Haines2015-01-281-3/+5
| | | | | | | | device_id in the internal meta data for the event along with the transaction id when sending events
| * Return the device_id from get_auth_by_reqMark Haines2015-01-281-2/+5
| |
* | Start implementing auth conflict resErik Johnston2015-01-281-17/+21
|/
* Replace hs.parse_userid with UserID.from_stringMark Haines2015-01-231-4/+5
|
* SYN-154: Tweak how the m.room.create check is done.Kegan Dougal2015-01-071-10/+1
| | | | | Don't perform the check in auth.is_host_in_room but instead do it in _do_join and also assert that there are no m.room.members in the room before doing so.
* SYN-154: Better error messages when joining an unknown room by ID.Kegan Dougal2015-01-071-1/+10
| | | | | | The simple fix doesn't work here because room creation also involves unknown room IDs. The check relies on the presence of m.room.create for rooms being created, whereas bogus room IDs have no state events at all.
* Update copyright noticesMark Haines2015-01-061-1/+1
|
* Make auth module use EventTypes constantsErik Johnston2014-12-121-27/+23
|
* Fix stream test. Make sure we add join to auth_events for invitiationsErik Johnston2014-12-121-0/+6
|
* Remove unused importErik Johnston2014-12-081-1/+0
|
* Various typos and bug fixes.Erik Johnston2014-12-081-7/+9
|
* Start making more things use EventContext rather than event.*Erik Johnston2014-12-051-13/+20
|
* Begin converting things to use the new Event structureErik Johnston2014-12-041-9/+2
|
* WIP for new way of managing events.Erik Johnston2014-12-031-6/+7
|
* Fix bugs when joining a remote room that has dodgy event graphs. This should ↵Erik Johnston2014-11-271-2/+8
| | | | also fix the number of times a HS will trigger a GET /event/
* Fix bugs in invite/join dances.Erik Johnston2014-11-251-70/+68
| | | | | We now do more implement more of the auth on the events so that we don't reject valid events.
* Add missing None checkErik Johnston2014-11-241-1/+1
|
* Fix pep8 codestyle warningsMark Haines2014-11-201-1/+1
|
* Only users can set state events which have their own user_idErik Johnston2014-11-191-0/+20
|
* Null check when determining default power levelsMark Haines2014-11-181-1/+2
|
* Fix auth to correctly handle initial creation of roomsErik Johnston2014-11-181-3/+21
|
* Fix bugs with invites/joins across federatiom.Erik Johnston2014-11-121-3/+16
| | | | | Both in terms of auth and not trying to fetch missing PDUs for invites, joins etc.
* Add an EventValidator. Fix bugs in auth ++ storageErik Johnston2014-11-101-5/+11
|
* PEP8Erik Johnston2014-11-101-2/+1
|
* Fix backfill to work. Add auth to backfill requestErik Johnston2014-11-101-0/+6
|
* Notify users about invites.Erik Johnston2014-11-101-7/+9
|
* Fix invite authErik Johnston2014-11-101-3/+5
|
* Fix joining over federationErik Johnston2014-11-071-2/+51
|
* Start implementing auth chainsErik Johnston2014-11-071-2/+1
|
* Neaten things up a bitErik Johnston2014-11-071-5/+2
|
* Amalgamate all power levels.Erik Johnston2014-11-061-149/+72
| | | | | Remove concept of reqired power levels, something similiar can be done using the new power level event.
* Fix auth checks to all use the given old_event_stateErik Johnston2014-11-051-24/+31
|
* Fix bug in redaction auth.Erik Johnston2014-10-311-2/+2
| | | | | This caused a 500 when sending a redaction due to a typo in a method invocation.
* Fix bug where people could join private roomsErik Johnston2014-10-171-39/+47
|
* Use state groups to get current state. Make join dance actually work.Erik Johnston2014-10-171-0/+5
|
* Finish implementing the new join dance.Erik Johnston2014-10-171-0/+9
|
* Start implementing the invite/join dance. Continue moving auth to use ↵Erik Johnston2014-10-161-10/+6
| | | | event.state_events
* Begin making auth use event.old_state_eventsErik Johnston2014-10-151-43/+70
|
* Update docstringErik Johnston2014-09-291-1/+1
|
* SYN-48: Implement WHOIS rest servletErik Johnston2014-09-291-9/+19
|
* Add auth check to test if a user is an admin or not.Erik Johnston2014-09-291-0/+3
|
* SYN-48: Track User-Agents as well as IPs for client devices.Erik Johnston2014-09-291-1/+10
|
* Track the IP users connect with. Add an admin column to users table.Erik Johnston2014-09-261-1/+9
|
* Merge branch 'deletions' of github.com:matrix-org/synapse into developErik Johnston2014-09-251-3/+31
|\
| * Rename deletions to redactionsErik Johnston2014-09-241-9/+9
| |
| * SYN-12: Implement auth for deletion by adding a 'delete_level' on the ops ↵Erik Johnston2014-09-231-3/+31
| | | | | | | | | | | | levels event SYN-12 # comment Auth has been added.
* | SYN-70: And fix another bug where I can't typeErik Johnston2014-09-241-1/+1
| |
* | SYN-70: Fix typoErik Johnston2014-09-241-1/+1
|/
* Validate power levels event changes. Change error messages to be more ↵Erik Johnston2014-09-051-10/+37
| | | | helpful. Fix bug where we checked the wrong power levels
* Generate m.room.aliases event when the HS creates a room aliasErik Johnston2014-09-051-1/+6
|
* AUth the contents of power level eventsErik Johnston2014-09-051-1/+72
|
* Change the default power levels to be 0, 50 and 100Erik Johnston2014-09-051-2/+2
|
* fix the copyright holder from matrix.org to OpenMarket Ltd, as matrix.org ↵Matthew Hodgson2014-09-031-1/+1
| | | | hasn't been incorporated in time for launch.
* Fix bug where we didn't correctly store the ops power levels event.Erik Johnston2014-09-021-0/+5
|
* Implement auth for kicking.Erik Johnston2014-09-021-3/+10
|
* Add all the necessary checks to make banning work.Erik Johnston2014-09-011-2/+38
|
* Add beginnings of ban support.Erik Johnston2014-09-011-0/+19
|
* Implement power level lists, default power levels and ↵Erik Johnston2014-09-011-12/+84
| | | | send_evnet_level/add_state_level events.
* add _get_room_member, fix datastore methodsMark Haines2014-08-271-1/+3
|
* Merge branch 'develop' into storage_transactionsMark Haines2014-08-271-0/+2
|\
| * Modified /join/$identifier to support $identifier being a room ID in ↵Kegan Dougal2014-08-271-0/+2
| | | | | | | | addition to a room alias.
* | Merge branch 'develop' into storage_transactionsMark Haines2014-08-261-19/+20
|\| | | | | | | | | | | | | Conflicts: synapse/api/auth.py synapse/handlers/room.py synapse/storage/__init__.py
| * Fix pyflakes errorsMark Haines2014-08-261-2/+1
| |
| * Removed member list servlet: now using generic state paths.Kegan Dougal2014-08-261-5/+7
| |
| * Impl: /rooms/roomid/state/eventtype/state_key - Renamed RoomTopicRestServlet ↵Kegan Dougal2014-08-221-8/+8
| | | | | | | | to RoomStateEventRestServlet. Support generic state event sending.
* | Take a snapshot of the state of the room before performing updatesMark Haines2014-08-221-5/+11
|/
* Added M_UNKNOWN_TOKEN error code and send it when there is an unrecognised ↵Kegan Dougal2014-08-141-2/+3
| | | | access_token
* fix whitespaceMatthew Hodgson2014-08-141-0/+1
|
* add in whitespace after copyright statements to improve legibilityMatthew Hodgson2014-08-131-0/+1
|
* Reference Matrix Home Servermatrix.org2014-08-121-0/+164