| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
This is intended as an amendment to #5674 as using M_UNKNOWN as the errcode makes it hard for clients to differentiate between an invalid password and a deactivated user (the problem we were trying to solve in the first place).
M_UNKNOWN was originally chosen as it was presumed than an MSC would have to be carried out to add a new code, but as Synapse often is the testing bed for new MSC implementations, it makes sense to try it out first in the wild and then add it into the spec if it is successful. Thus this PR return a new M_USER_DEACTIVATED code when a deactivated user attempts to login.
|
|
|
|
|
| |
(#5674)
Return `This account has been deactivated` instead of `Invalid password` when a user is deactivated.
|
|
|
|
| |
Record how long an access token is valid for, and raise a soft-logout once it
expires.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First of all, let's get rid of `TOKEN_NOT_FOUND_HTTP_STATUS`. It was a hack we
did at one point when it was possible to return either a 403 or a 401 if the
creds were missing. We always return a 401 in these cases now (thankfully), so
it's not needed.
Let's also stop abusing `AuthError` for these cases. Honestly they have nothing
that relates them to the other places that `AuthError` is used, other than the
fact that they are loosely under the 'Auth' banner. It makes no sense for them
to share exception classes.
Instead, let's add a couple of new exception classes: `InvalidClientTokenError`
and `MissingClientTokenError`, for the `M_UNKNOWN_TOKEN` and `M_MISSING_TOKEN`
cases respectively - and an `InvalidClientCredentialsError` base class for the
two of them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
identity server (#5377)
Sends password reset emails from the homeserver instead of proxying to the identity server. This is now the default behaviour for security reasons. If you wish to continue proxying password reset requests to the identity server you must now enable the email.trust_identity_server_for_password_resets option.
This PR is a culmination of 3 smaller PRs which have each been separately reviewed:
* #5308
* #5345
* #5368
|
|
|
|
|
|
|
| |
If we remove support for a particular room version, we should behave more
gracefully. This should make client requests fail with a 400 rather than a 500,
and will ignore individiual PDUs in a federation transaction, rather than the
whole transaction.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Correctly retry and back off if we get a HTTPerror response
* Refactor request sending to have better excpetions
MatrixFederationHttpClient blindly reraised exceptions to the caller
without differentiating "expected" failures (e.g. connection timeouts
etc) versus more severe problems (e.g. programming errors).
This commit adds a RequestSendFailed exception that is raised when
"expected" failures happen, allowing the TransactionQueue to log them as
warnings while allowing us to log other exceptions as actual exceptions.
|
| |
|
| |
|
|\ |
|
| | |
|
| | |
|
|\| |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
AuthError in all cases
|
| |
| |
| |
| |
| |
| | |
return AuthError in all cases"
This reverts commit 0d43f991a19840a224d3dac78d79f13d78212ee6.
|
| |
| |
| |
| | |
AuthError in all cases
|
| | |
|
| |\ |
|
| | |
| | |
| | |
| | |
| | |
| | | |
Reject make_join requests from servers which do not support the room version.
Also include the room version in the response.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is the first tranche of support for room versioning. It includes:
* setting the default room version in the config file
* new room_version param on the createRoom API
* storing the version of newly-created rooms in the m.room.create event
* fishing the version of existing rooms out of the m.room.create event
|
| |/ |
|
| | |
|
|/ |
|
|\
| |
| | |
Clean up handling of errors from outbound requests
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This code brings the SimpleHttpClient into line with the
MatrixFederationHttpClient by having it raise HttpResponseExceptions when a
request fails (rather than trying to parse for matrix errors and maybe raising
MatrixCodeMessageException).
Then, whenever we were checking for MatrixCodeMessageException and turning them
into SynapseErrors, we now need to check for HttpResponseExceptions and call
to_synapse_error.
|
| |
| |
| |
| |
| |
| |
| |
| | |
This commit replaces SynapseError.from_http_response_exception with
HttpResponseException.to_synapse_error.
The new method actually returns a ProxiedRequestError, which allows us to pass
through additional metadata from the API call.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We really shouldn't be sending all CodeMessageExceptions back over the C-S API;
it will include things like 401s which we shouldn't proxy.
That means that we need to explicitly turn a few HttpResponseExceptions into
SynapseErrors in the federation layer.
The effect of the latter is that the matrix errcode will get passed through
correctly to calling clients, which might help with some of the random
M_UNKNOWN errors when trying to join rooms.
|
|/ |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
Returns an M_CONSENT_NOT_GIVEN error (cf
https://github.com/matrix-org/matrix-doc/issues/1252) if consent is not yet
given.
|
|
|
|
|
|
| |
There's more where that came from
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
|
|
|
| |
Let's use simplejson rather than json, for consistency.
|
|
|
|
|
|
| |
Add federation_domain_whitelist
gives a way to restrict which domains your HS is allowed to federate with.
useful mainly for gracefully preventing a private but internet-connected HS from trying to federate to the wider public Matrix network
|
|
|
|
|
| |
lets homeservers specify a whitelist for 3PIDs that users are allowed to associate with.
Typically useful for stopping people from registering with non-work emails
|
|
|
|
|
| |
Instead of returning False when auth is incomplete, throw an exception which
can be caught with a wrapper.
|
|
|
|
|
| |
Parse json errors from get_json client methods and throw special
errors.
|
|
|
|
|
|
|
| |
- don't blindly proxy all HTTPRequestExceptions
- log unexpected exceptions at error
- avoid `isinstance`
- improve docs on `from_http_response_exception`
|
|
|
|
|
| |
Give CodeMessageException back its `msg` attribute, and use that to hold the
HTTP status message for HttpResponseException.
|
|
|
|
|
|
|
|
|
|
|
| |
When we proxy a media request to a remote server, add a query-param, which will
tell the remote server to 404 if it doesn't recognise the server_name.
This should fix a routing loop where the server keeps forwarding back to
itself.
Also improves the error handling on remote media fetches, so that we don't
always return a rather obscure 502.
|
| |
|
| |
|
|
|
|
|
|
| |
Don't send requestToken request to untrusted ID servers
Also correct the THREEPID_IN_USE error to add the M_ prefix. This is a backwards incomaptible change, but the only thing using this is the angular client which is now unmaintained, so it's probably better to just do this now.
|
|
|
|
|
|
| |
This reverts commit cf81375b94c4763766440471e632fc4b103450ab.
It subtly violates a guest joining auth check
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There's at least one more to merge in.
Side-effects:
* Stop reporting None as displayname and avatar_url in some cases
* Joining a room by alias populates guest-ness in join event
* Remove unspec'd PUT version of /join/<room_id_or_alias> which has not
been called on matrix.org according to logs
* Stop recording access_token_id on /join/room_id - currently we don't
record it on /join/room_alias; I can try to thread it through at some
point.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
This follows the same flows-based flow as regular registration, but as
the only implemented flow has no requirements, it auto-succeeds. In the
future, other flows (e.g. captcha) may be required, so clients should
treat this like the regular registration flow choices.
|
|
|
|
| |
SPEC-222
|
|
|
|
| |
creating error objects that aren't raised so it's probably a bit too confusing to keep
|
| |
|
|
|
|
| |
email is in use on this Home Server.
|
|\
| |
| |
| |
| | |
Conflicts:
synapse/http/server.py
|
| | |
|
| | |
|
|/ |
|
|
|
|
|
|
| |
Add a new errcode type M_EXCLUSIVE when users try to create aliases inside
AS namespaces, and when ASes try to create aliases outside their own
namespace.
|
|
|
|
| |
'send_join' to accept iterables of destinations
|
| |
|
| |
|
| |
|
| |
|
| |
|
|\ |
|
| | |
|
|\|
| |
| |
| |
| |
| |
| | |
Conflicts:
synapse/api/errors.py
synapse/server.py
synapse/storage/__init__.py
|
| |
| |
| |
| | |
file that a server will download from a remote server
|
|\| |
|
| |
| |
| |
| | |
clients shouldn't cause ERROR level logging. Fix sql logging to use 'repr' rather than 'str'
|
|/
|
|
| |
stdout currently!)
|
| |
|
| |
|
| |
|
|
|
|
| |
support. Missing reloading a new captcha on the web client / displaying a sensible error message.
|
|
|
|
| |
and for the recaptcha private key.
|
|
|
|
| |
hasn't been incorporated in time for launch.
|
| |
|
| |
|
| |
|
|
|
|
| |
access_token
|
| |
|
| |
|
|
|