summary refs log tree commit diff
path: root/synapse/handlers/auth.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Make `get_device` return None if the device doesn't exist rather than ↵reivilibre2021-12-131-3/+1
| | | | | raising an exception. (#11565) Co-authored-by: Sean Quah <8349537+squahtx@users.noreply.github.com>
* Save the OIDC session ID (sid) with the device on login (#11482)Quentin Gliech2021-12-061-3/+31
| | | As a step towards allowing back-channel logout for OIDC.
* Support expiry of refresh tokens and expiry of the overall session when ↵reivilibre2021-11-261-11/+79
| | | | refresh tokens are in use. (#11425)
* Rename `get_refresh_token_for_user_id` to `create_refresh_token_for_user_id` ↵reivilibre2021-11-181-2/+2
| | | | (#11370)
* Rename `get_access_token_for_user_id` method to ↵reivilibre2021-11-171-2/+2
| | | | `create_access_token_for_user_id` (#11369)
* Properly register all callback hooks for legacy password authentication ↵reivilibre2021-11-161-13/+13
| | | | | providers (#11340) Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
* Make minor correction to type of auth_checkers callbacks (#11253)reivilibre2021-11-041-1/+3
|
* Fix cyclic import in the module API (#11180)Brendan Abolivier2021-10-251-2/+4
| | | | | Introduced in #10548 See https://github.com/matrix-org/synapse-email-account-validity/runs/3979337154?check_suite_focus=true for an example of a module's CI choking over this issue.
* Port the Password Auth Providers module interface to the new generic ↵Azrenbeth2021-10-131-140/+388
| | | | | | interface (#10548) Co-authored-by: Azrenbeth <7782548+Azrenbeth@users.noreply.github.com> Co-authored-by: Brendan Abolivier <babolivier@matrix.org>
* Remove the deprecated BaseHandler. (#11005)Patrick Cloke2021-10-081-4/+4
| | | | | | | | The shared ratelimit function was replaced with a dedicated RequestRatelimiter class (accessible from the HomeServer object). Other properties were copied to each sub-class that inherited from BaseHandler.
* Use direct references for configuration variables (part 7). (#10959)Patrick Cloke2021-10-041-1/+1
|
* Use direct references for configuration variables (part 5). (#10897)Patrick Cloke2021-09-241-4/+6
|
* Use direct references for configuration variables (part 4). (#10893)Patrick Cloke2021-09-231-1/+1
|
* Use direct references for some configuration variables (part 3) (#10885)Patrick Cloke2021-09-231-11/+11
| | | | | | | | This avoids the overhead of searching through the various configuration classes by directly referencing the class that the attributes are in. It also improves type hints since mypy can now resolve the types of the configuration variables.
* Require type hints in the handlers module. (#10831)Patrick Cloke2021-09-201-21/+24
| | | | | | | Adds missing type hints to methods in the synapse.handlers module and requires all methods to have type hints there. This also removes the unused construct_auth_difference method from the FederationHandler.
* Name the type of token in "Invalid token" messages (#10815)David Robertson2021-09-141-1/+1
| | | | | | I had one of these error messages yesterday and assumed it was an invalid auth token (because that was an HTTP query parameter in the test) I was working on. In fact, it was an invalid next batch token for syncing.
* Use direct references for some configuration variables (#10798)Patrick Cloke2021-09-131-8/+8
| | | | Instead of proxying through the magic getter of the RootConfig object. This should be more performant (and is more explicit).
* Remove pushers when deleting 3pid from account (#10581)Azrenbeth2021-08-261-1/+4
| | | | | When a user deletes an email from their account it will now also remove all pushers for that email and that user (even if these pushers were created by a different client)
* Display an error page during failure of fallback UIA. (#10561)Callum Brown2021-08-181-9/+14
|
* Flatten the synapse.rest.client package (#10600)reivilibre2021-08-171-3/+3
|
* Use inline type hints in `handlers/` and `rest/`. (#10382)Jonathan de Jong2021-07-161-8/+8
|
* MSC2918 Refresh tokens implementation (#9450)Quentin Gliech2021-06-241-5/+127
| | | | | | | | | | This implements refresh tokens, as defined by MSC2918 This MSC has been implemented client side in Hydrogen Web: vector-im/hydrogen-web#235 The basics of the MSC works: requesting refresh tokens on login, having the access tokens expire, and using the refresh token to get a new one. Signed-off-by: Quentin Gliech <quentingliech@gmail.com>
* Always require users to re-authenticate for dangerous operations. (#10184)Patrick Cloke2021-06-161-1/+6
| | | | | | | Dangerous actions means deactivating an account, modifying an account password, or adding a 3PID. Other actions (deleting devices, uploading keys) can re-use the same UI auth session if ui_auth.session_timeout is configured.
* Change the format of access tokens away from macaroons (#5588)Richard van der Hoff2021-05-121-7/+21
|
* Fix (final) Bugbear violations (#9838)Jonathan de Jong2021-04-201-1/+1
|
* Remove redundant "coding: utf-8" lines (#9786)Jonathan de Jong2021-04-141-1/+0
| | | | | | | Part of #9744 Removes all redundant `# -*- coding: utf-8 -*-` lines from files, as python 3 automatically reads source code as utf-8 now. `Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>`
* Make RateLimiter class check for ratelimit overrides (#9711)Erik Johnston2021-03-301-10/+14
| | | | | | | This should fix a class of bug where we forget to check if e.g. the appservice shouldn't be ratelimited. We also check the `ratelimit_override` table to check if the user has ratelimiting disabled. That table is really only meant to override the event sender ratelimiting, so we don't use any values from it (as they might not make sense for different rate limits), but we do infer that if ratelimiting is disabled for the user we should disabled all ratelimits. Fixes #9663
* Import HomeServer from the proper module. (#9665)Patrick Cloke2021-03-231-1/+1
|
* Return m.change_password.enabled=false if local database is disabled (#9588)Dirk Klimpel2021-03-161-0/+13
| | | | | Instead of if the user does not have a password hash. This allows a SSO user to add a password to their account, but only if the local password database is configured.
* Convert Requester to attrs (#9586)Richard van der Hoff2021-03-101-2/+3
| | | | | | ... because namedtuples suck Fix up a couple of other annotations to keep mypy happy.
* Record the SSO Auth Provider in the login token (#9510)Richard van der Hoff2021-03-041-10/+58
| | | This great big stack of commits is a a whole load of hoop-jumping to make it easier to store additional values in login tokens, and then to actually store the SSO Identity Provider in the login token. (Making use of that data will follow in a subsequent PR.)
* Use the proper Request in type hints. (#9515)Patrick Cloke2021-03-011-2/+2
| | | | This also pins the Twisted version in the mypy job for CI until proper type hints are fixed throughout Synapse.
* Update black, and run auto formatting over the codebase (#9381)Eric Eastwood2021-02-161-9/+25
| | | | | | | - Update black version to the latest - Run black auto formatting over the codebase - Run autoformatting according to [`docs/code_style.md `](https://github.com/matrix-org/synapse/blob/80d6dc9783aa80886a133756028984dbf8920168/docs/code_style.md) - Update `code_style.md` docs around installing black to use the correct version
* Social login UI polish (#9301)Richard van der Hoff2021-02-031-2/+14
|
* Merge branch 'social_login' into developRichard van der Hoff2021-02-011-1/+3
|\
| * Improve styling and wording of SSO UIA templates (#9286)Richard van der Hoff2021-02-011-1/+3
| | | | | | fixes #9171
* | Merge branch 'social_login' into developRichard van der Hoff2021-02-011-1/+23
|\|
| * Improve styling and wording of SSO redirect confirm template (#9272)Richard van der Hoff2021-02-011-1/+23
| |
* | Prevent email UIA failures from raising a LoginError (#9265)Andrew Morgan2021-02-011-10/+0
|/ | | | | | | Context, Fixes: https://github.com/matrix-org/synapse/issues/9263 In the past to fix an issue with old Riots re-requesting threepid validation tokens, we raised a `LoginError` during UIA instead of `InteractiveAuthIncompleteError`. This is now breaking the way Tchap logs in - which isn't standard, but also isn't disallowed by the spec. An easy fix is just to remove the 4 year old workaround.
* Fix bugs in handling clientRedirectUrl, and improve OIDC tests (#9127, #9128)Richard van der Hoff2021-01-181-2/+2
| | | | | | | | | | | | | | | | * Factor out a common TestHtmlParser Looks like I'm doing this in a few different places. * Improve OIDC login test Complete the OIDC login flow, rather than giving up halfway through. * Ensure that OIDC login works with multiple OIDC providers * Fix bugs in handling clientRedirectUrl - don't drop duplicate query-params, or params with no value - allow utf-8 in query-params
* Move `complete_sso_ui_auth` into SSOHandlerRichard van der Hoff2021-01-131-25/+0
| | | | | since we're hacking on this code anyway, may as well move it out of the cluttered AuthHandler.
* UI Auth via SSO: redirect the user to an appropriate SSO. (#9081)Richard van der Hoff2021-01-121-18/+64
| | | | | | | If we have integrations with multiple identity providers, when the user does a UI Auth, we need to redirect them to the right one. There are a few steps to this. First of all we actually need to store the userid of the user we are trying to validate in the UIA session, since the /auth/sso/fallback/web request is unauthenticated. Then, once we get the /auth/sso/fallback/web request, we can fish the user id out of the session, and use it to look up the external id mappings, and hence pick an SSO provider for them.
* Kill off `HomeServer.get_ip_from_request()` (#9080)Richard van der Hoff2021-01-121-7/+2
| | | Homeserver.get_ip_from_request() used to be a bit more complicated, but now it is totally redundant. Let's get rid of it.
* Remove SynapseRequest.get_user_agent (#9069)Richard van der Hoff2021-01-121-3/+3
| | | | | | | | | | | SynapseRequest is in danger of becoming a bit of a dumping-ground for "useful stuff relating to Requests", which isn't really its intention (its purpose is to override render, finished and connectionLost to set up the LoggingContext and write the right entries to the request log). Putting utility functions inside SynapseRequest means that lots of our code ends up requiring a SynapseRequest when there is nothing synapse-specific about the Request at all, and any old twisted.web.iweb.IRequest will do. This increases code coupling and makes testing more difficult. In short: move get_user_agent out to a utility function.
* Allow re-using a UI auth validation for a period of time (#8970)Patrick Cloke2020-12-181-8/+24
|
* Merge remote-tracking branch 'origin/erikj/as_mau_block' into developErik Johnston2020-12-181-1/+7
|\
| * Correctly handle AS registerations and add testErik Johnston2020-12-171-1/+7
| |
* | Fix startup failure with localdb_enabled: False (#8937)Richard van der Hoff2020-12-141-14/+12
| |
* | Allow spam-checker modules to be provide async methods. (#8890)David Teller2020-12-111-4/+4
| | | | | | | | Spam checker modules can now provide async methods. This is implemented in a backwards-compatible manner.
* | Honour AS ratelimit settings for /login requests (#8920)Erik Johnston2020-12-111-3/+4
| | | | | | | | Fixes #8846.
* | Simplify the flow for SSO UIA (#8881)Richard van der Hoff2020-12-081-5/+6
| | | | | | | | | | | | | | | | | | * SsoHandler: remove inheritance from BaseHandler * Simplify the flow for SSO UIA We don't need to do all the magic for mapping users when we are doing UIA, so let's factor that out.
* | UIA: offer only available auth flowsRichard van der Hoff2020-12-021-15/+43
|/ | | | | | | During user-interactive auth, do not offer password auth to users with no password, nor SSO auth to users with no SSO. Fixes #7559.
* Create a `PasswordProvider` wrapper object (#8849)Richard van der Hoff2020-12-021-55/+148
| | | | The idea here is to abstract out all the conditional code which tests which methods a given password provider has, to provide a consistent interface.
* Support "identifier" dicts in UIA (#8848)Richard van der Hoff2020-12-011-24/+161
| | | | | | | | | | The spec requires synapse to support `identifier` dicts for `m.login.password` user-interactive auth, which it did not (instead, it required an undocumented `user` parameter.) To fix this properly, we need to pull the code that interprets `identifier` into `AuthHandler.validate_login` so that it can be called from the UIA code. Fixes #5665.
* Don't offer password login when it is disabled (#8835)Richard van der Hoff2020-12-011-1/+9
| | | Fix a minor bug where we would offer "m.login.password" login if a custom auth provider supported it, even if password login was disabled.
* Add admin API for logging in as a user (#8617)Erik Johnston2020-11-171-4/+20
|
* Catch exceptions in password_providers (#8636)Nicolai Søborg2020-11-111-4/+9
| | | Signed-off-by: Nicolai Søborg <git@xn--sb-lka.org>
* Add ability for access tokens to belong to one user but grant access to ↵Erik Johnston2020-10-291-4/+4
| | | | | | | | | | another user. (#8616) We do it this way round so that only the "owner" can delete the access token (i.e. `/logout/all` by the "owner" also deletes that token, but `/logout/all` by the "target user" doesn't). A future PR will add an API for creating such a token. When the target user and authenticated entity are different the `Processed request` log line will be logged with a: `{@admin:server as @bob:server} ...`. I'm not convinced by that format (especially since it adds spaces in there, making it harder to use `cut -d ' '` to chop off the start of log lines). Suggestions welcome.
* Add type hints to application services. (#8655)Patrick Cloke2020-10-281-7/+16
|
* Fix typos and spelling errors. (#8639)Patrick Cloke2020-10-231-1/+1
|
* Fix handling of User-Agent headers with bad utf-8. (#8632)Erik Johnston2020-10-231-3/+1
|
* Fix mypy error: auth handler "checkpw" internal function type mismatch (#8569)Jonathan de Jong2020-10-191-3/+5
|
* Remove the deprecated Handlers object (#8494)Patrick Cloke2020-10-091-1/+1
| | | All handlers now available via get_*_handler() methods on the HomeServer.
* Combine `SpamCheckerApi` with the more generic `ModuleApi`. (#8464)Richard van der Hoff2020-10-071-0/+7
| | | | | Lots of different module apis is not easy to maintain. Rather than adding yet another ModuleApi(hs, hs.get_auth_handler()) incantation, first add an hs.get_module_api() method and use it where possible.
* Allow background tasks to be run on a separate worker. (#8369)Patrick Cloke2020-10-021-1/+1
|
* Allow additional SSO properties to be passed to the client (#8413)Patrick Cloke2020-09-301-1/+59
|
* Simplify super() calls to Python 3 syntax. (#8344)Patrick Cloke2020-09-181-1/+1
| | | | | | | This converts calls like super(Foo, self) -> super(). Generated with: sed -i "" -Ee 's/super\([^\(]+\)/super()/g' **/*.py
* Use slots in attrs classes where possible (#8296)Patrick Cloke2020-09-141-1/+1
| | | | | slots use less memory (and attribute access is faster) while slightly limiting the flexibility of the class attributes. This focuses on objects which are instantiated "often" and for short periods of time.
* Stop sub-classing object (#8249)Patrick Cloke2020-09-041-1/+1
|
* Move and refactor LoginRestServlet helper methods (#8182)Andrew Morgan2020-08-281-1/+87
| | | | | | | This is split out from https://github.com/matrix-org/synapse/pull/7438, which had gotten rather large. `LoginRestServlet` has a couple helper methods, `login_submission_legacy_convert` and `login_id_thirdparty_from_phone`. They're primarily used for converting legacy user login submissions to "identifier" dicts ([see spec](https://matrix.org/docs/spec/client_server/r0.6.1#post-matrix-client-r0-login)). Identifying information such as usernames or 3PID information used to be top-level in the login body. They're now supposed to be put inside an [identifier](https://matrix.org/docs/spec/client_server/r0.6.1#identifier-types) parameter instead. #7438's purpose is to allow using the new identifier parameter during User-Interactive Authentication, which is currently handled in AuthHandler. That's why I've moved these helper methods there. I also moved the refactoring of these method from #7438 as they're relevant.
* Allow denying or shadow banning registrations via the spam checker (#8034)Patrick Cloke2020-08-201-0/+8
|
* Use the default templates when a custom template file cannot be found (#8037)Andrew Morgan2020-08-171-7/+5
| | | Fixes https://github.com/matrix-org/synapse/issues/6583
* Improve performance of the register endpoint (#8009)Patrick Cloke2020-08-061-7/+12
|
* Update the auth providers to be async. (#7935)Patrick Cloke2020-07-231-1/+6
|
* isort 5 compatibility (#7786)Will Hunt2020-07-051-2/+1
| | | The CI appears to use the latest version of isort, which is a problem when isort gets a major version bump. Rather than try to pin the version, I've done the necessary to make isort5 happy with synapse.
* Fix inconsistent handling of upper and lower cases of email addresses. (#7021)Dirk Klimpel2020-07-031-2/+3
| | | fixes #7016
* Merge branch 'master' into developPatrick Cloke2020-07-021-23/+7
|\
| * Ensure that HTML pages served from Synapse include headers to avoid embedding.Patrick Cloke2020-07-021-23/+7
| |
* | Fix a typo when comparing the URI & method during UI Auth. (#7689)Patrick Cloke2020-06-121-1/+1
|/
* Performance improvements and refactor of Ratelimiter (#7595)Andrew Morgan2020-06-051-16/+8
| | | | | | | | | | While working on https://github.com/matrix-org/synapse/issues/5665 I found myself digging into the `Ratelimiter` class and seeing that it was both: * Rather undocumented, and * causing a *lot* of config checks This PR attempts to refactor and comment the `Ratelimiter` class, as well as encourage config file accesses to only be done at instantiation. Best to be reviewed commit-by-commit.
* Support UI Authentication for OpenID Connect accounts (#7457)Patrick Cloke2020-05-151-1/+3
|
* Merge tag 'v1.13.0rc2' into developRichard van der Hoff2020-05-141-19/+18
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.13.0rc2 (2020-05-14) ============================== Bugfixes -------- - Fix a long-standing bug which could cause messages not to be sent over federation, when state events with state keys matching user IDs (such as custom user statuses) were received. ([\#7376](https://github.com/matrix-org/synapse/issues/7376)) - Restore compatibility with non-compliant clients during the user interactive authentication process, fixing a problem introduced in v1.13.0rc1. ([\#7483](https://github.com/matrix-org/synapse/issues/7483)) Internal Changes ---------------- - Fix linting errors in new version of Flake8. ([\#7470](https://github.com/matrix-org/synapse/issues/7470))
| * Do not validate that the client dict is stable during UI Auth. (#7483)Patrick Cloke2020-05-131-19/+18
| | | | | | | | This backs out some of the validation for the client dictionary and logs if this changes during a user interactive authentication session instead.
* | Merge branch 'release-v1.13.0' into developAndrew Morgan2020-05-111-14/+40
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * release-v1.13.0: Don't UPGRADE database rows RST indenting Put rollback instructions in upgrade notes Fix changelog typo Oh yeah, RST Absolute URL it is then Fix upgrade notes link Provide summary of upgrade issues in changelog. Fix ) Move next version notes from changelog to upgrade notes Changelog fixes 1.13.0rc1 Documentation on setting up redis (#7446) Rework UI Auth session validation for registration (#7455) Fix errors from malformed log line (#7454) Drop support for redis.dbid (#7450)
| * Rework UI Auth session validation for registration (#7455)Patrick Cloke2020-05-081-14/+40
| | | | | | | | Be less strict about validation of UI authentication sessions during registration to match client expecations.
* | Implement OpenID Connect-based login (#7256)Quentin Gliech2020-05-081-2/+2
|/
* Persist user interactive authentication sessions (#7302)Patrick Cloke2020-04-301-114/+61
| | | | | By persisting the user interactive authentication sessions to the database, this fixes situations where a user hits different works throughout their auth session and also allows sessions to persist through restarts of Synapse.
* Reject unknown UI auth sessions (instead of silently generating a new one) ↵Patrick Cloke2020-04-201-65/+94
| | | | (#7268)
* Use a template for the SSO success page to allow for customization. (#7279)Patrick Cloke2020-04-171-32/+12
|
* Convert auth handler to async/await (#7261)Patrick Cloke2020-04-151-92/+81
|
* Do not allow a deactivated user to login via SSO. (#7240)Patrick Cloke2020-04-091-4/+30
|
* Support CAS in UI Auth flows. (#7186)Patrick Cloke2020-04-031-2/+2
|
* Support SAML in the user interactive authentication workflow. (#7102)Patrick Cloke2020-04-011-4/+112
|
* Validate that the session is not modified during UI-Auth (#7068)Patrick Cloke2020-03-261-4/+33
|
* Add type annotations and comments to auth handler (#7063)Patrick Cloke2020-03-121-89/+104
|
* Factor out complete_sso_login and expose it to the Module APIBrendan Abolivier2020-03-031-0/+74
|
* Admin api to add an email address (#6789)Dirk Klimpel2020-02-071-0/+8
|
* Merge pull request #6335 from matrix-org/erikj/rc_login_cleanupsBrendan Abolivier2019-11-201-53/+31
|\ | | | | Only do `rc_login` ratelimiting on succesful login.
| * Apply suggestions from code reviewErik Johnston2019-11-181-2/+2
| | | | | | | | Co-Authored-By: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Co-Authored-By: Brendan Abolivier <babolivier@matrix.org>
| * Add failed auth ratelimiting to UIAErik Johnston2019-11-061-1/+32
| |
| * Only do `rc_login` ratelimiting on succesful login.Erik Johnston2019-11-061-54/+1
| | | | | | | | | | | | | | | | | | | | | | | | We were doing this in a number of places which meant that some login code paths incremented the counter multiple times. It was also applying ratelimiting to UIA endpoints, which was probably not intentional. In particular, some custom auth modules were calling `check_user_exists`, which incremented the counters, meaning that people would fail to login sometimes.
* | Replace instance variations of homeserver with correct case/spacingAndrew Morgan2019-11-121-2/+2
|/
* Remove usage of deprecated logger.warn method from codebase (#6271)Andrew Morgan2019-10-311-3/+3
| | | Replace every instance of `logger.warn` with `logger.warning` as the former is deprecated.
* Stop advertising unsupported flows for registration (#6107)Richard van der Hoff2019-09-251-1/+10
| | | | | | | If email or msisdn verification aren't supported, let's stop advertising them for registration. Fixes #6100.
* Refactor the user-interactive auth handling (#6105)Richard van der Hoff2019-09-251-131/+10
| | | | | | | Pull the checkers out to their own classes, rather than having them lost in a massive 1000-line class which does everything. This is also preparation for some more intelligent advertising of flows, as per #6100
* Use account_threepid_delegate for 3pid validationAndrew Morgan2019-09-101-1/+10
|
* Allow Synapse to send registration emails + choose Synapse or an external ↵Andrew Morgan2019-09-061-26/+8
| | | | | | | | | | | | | | | | server to handle 3pid validation (#5987) This is a combination of a few different PRs, finally all being merged into `develop`: * #5875 * #5876 * #5868 (This one added the `/versions` flag but the flag itself was actually [backed out](https://github.com/matrix-org/synapse/commit/891afb57cbdf9867f2848341b29c75d6f35eef5a#diff-e591d42d30690ffb79f63bb726200891) in #5969. What's left is just giving /versions access to the config file, which could be useful in the future) * #5835 * #5969 * #5940 Clients should not actually use the new registration functionality until https://github.com/matrix-org/synapse/pull/5972 is merged. UPGRADE.rst, changelog entries and config file changes should all be reviewed closely before this PR is merged.
* Remove unnecessary parentheses around return statements (#5931)Andrew Morgan2019-08-301-4/+4
| | | | | Python will return a tuple whether there are parentheses around the returned values or not. I'm just sick of my editor complaining about this all over the place :)
* Remove non-functional 'expire_access_token' setting (#5782)Richard van der Hoff2019-07-301-1/+1
| | | | | | | | The `expire_access_token` didn't do what it sounded like it should do. What it actually did was make Synapse enforce the 'time' caveat on macaroons used as access tokens, but since our access token macaroons never contained such a caveat, it was always a no-op. (The code to add 'time' caveats was removed back in v0.18.5, in #1656)
* Replace returnValue with return (#5736)Amber Brown2019-07-231-22/+22
|
* Return a different error from Invalid Password when a user is deactivated ↵Andrew Morgan2019-07-151-0/+9
| | | | | (#5674) Return `This account has been deactivated` instead of `Invalid password` when a user is deactivated.
* Implement access token expiry (#5660)Richard van der Hoff2019-07-121-3/+14
| | | | Record how long an access token is valid for, and raise a soft-logout once it expires.
* Inline issue_access_token (#5659)Richard van der Hoff2019-07-111-7/+3
| | | | | | | | this is only used in one place, so it's clearer if we inline it and reduce the API surface. Also, fixes a buglet where we would create an access token even if we were about to block the user (we would never return the AT, so the user could never use it, but it was still created and added to the db.)
* Move logging utilities out of the side drawer of util/ and into logging/ (#5606)Amber Brown2019-07-041-3/+3
|
* Added possibilty to disable local password authentication (#5092)Daniel Hoffend2019-06-271-1/+1
| | | | | Signed-off-by: Daniel Hoffend <dh@dotlan.net>
* Run Black. (#5482)Amber Brown2019-06-201-145/+121
|
* Fix defaults on checking threepidsErik Johnston2019-06-101-0/+1
|
* Add ability to perform password reset via email without trusting the ↵Andrew Morgan2019-06-061-12/+52
| | | | | | | | | | | | identity server (#5377) Sends password reset emails from the homeserver instead of proxying to the identity server. This is now the default behaviour for security reasons. If you wish to continue proxying password reset requests to the identity server you must now enable the email.trust_identity_server_for_password_resets option. This PR is a culmination of 3 smaller PRs which have each been separately reviewed: * #5308 * #5345 * #5368
* Allowing specifying IS to use in unbind API.Erik Johnston2019-04-011-1/+6
| | | | | | | | | | By default the homeserver will use the identity server used during the binding of the 3PID to unbind the 3PID. However, we need to allow clients to explicitly ask the homeserver to unbind via a particular identity server, for the case where the 3PID was bound out of band from the homeserver. Implements MSC915.
* Support 3PID login in password providers (#4931)Andrew Morgan2019-03-261-1/+38
| | | | | Adds a new method, check_3pid_auth, which gives password providers the chance to allow authentication with third-party identifiers such as email or msisdn.
* Add ratelimiting on failed login attempts (#4865)Brendan Abolivier2019-03-181-5/+23
|
* Add ratelimiting on login (#4821)Brendan Abolivier2019-03-151-0/+36
| | | Add two ratelimiters on login (per-IP address and per-userID).
* Factor SSO success handling out of CAS login (#4264)Richard van der Hoff2018-12-071-2/+11
| | | | This is mostly factoring out the post-CAS-login code to somewhere we can reuse it for other SSO flows, but it also fixes the userid mapping while we're at it.
* Remove duplicate slashes in generated consent URLsTravis Ralston2018-11-151-1/+1
|
* Add config variables for enabling terms auth and the policy name (#4142)Travis Ralston2018-11-061-1/+1
| | | | So people can still collect consent the old way if they want to.
* Include a version query string arg for the consent routeTravis Ralston2018-10-311-1/+4
|
* Merge branch 'develop' into travis/login-termsTravis Ralston2018-10-241-14/+4
|\
| * Correctly account for cpu usage by background threads (#4074)Richard van der Hoff2018-10-231-14/+4
| | | | | | | | | | | | | | | | | | | | Wrap calls to deferToThread() in a thing which uses a child logcontext to attribute CPU usage to the right request. While we're in the area, remove the logcontext_tracer stuff, which is never used, and afaik doesn't work. Fixes #4064
* | pep8Travis Ralston2018-10-151-1/+1
| |
* | Ensure the terms params are actually providedTravis Ralston2018-10-151-0/+1
| |
* | Python is hardTravis Ralston2018-10-151-5/+6
| |
* | Update login terms structure for the proposed language supportTravis Ralston2018-10-121-4/+7
| |
* | Use a flag rather than a new route for the public policyTravis Ralston2018-10-031-1/+1
| | | | | | This also means that the template now has optional parameters, which will need to be documented somehow.
* | Supply params for terms auth stageTravis Ralston2018-10-031-0/+9
| | | | | | As per https://github.com/matrix-org/matrix-doc/pull/1692
* | Incorporate Dave's work for GDPR login flowsTravis Ralston2018-10-031-0/+4
|/ | | As per https://github.com/vector-im/riot-web/issues/7168#issuecomment-419996117
* Port handlers/ to Python 3 (#3803)Amber Brown2018-09-071-3/+5
|
* Merge branch 'develop' of github.com:matrix-org/synapse into ↵Neil Johnson2018-08-151-3/+17
|\ | | | | | | neilj/fix_off_by_1+maus
| * Merge pull request #3667 from matrix-org/erikj/fixup_unbindErik Johnston2018-08-151-3/+17
| |\ | | | | | | Don't fail requests to unbind 3pids for non supporting ID servers
| | * Don't fail requests to unbind 3pids for non supporting ID serversErik Johnston2018-08-081-3/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661
* | | fix off by 1s on mauNeil Johnson2018-08-141-2/+2
|/ /
* | bug fixesNeil Johnson2018-08-031-13/+2
| |
* | do mau checks based on monthly_active_users tableNeil Johnson2018-08-021-6/+4
|/
* Merge pull request #3630 from matrix-org/neilj/mau_sign_in_log_in_limitsNeil Johnson2018-08-011-1/+18
|\ | | | | Initial impl of capping MAU
| * count_monthly_users() asyncNeil Johnson2018-08-011-4/+7
| |
| * coding styleNeil Johnson2018-07-311-1/+2
| |
| * limit register and sign in on number of monthly usersNeil Johnson2018-07-301-0/+13
| |
* | Python 3: Convert some unicode/bytes uses (#3569)Amber Brown2018-08-021-9/+20
|/
* run isortAmber Brown2018-07-091-12/+14
|
* Attempt to be more performant on PyPy (#3462)Amber Brown2018-06-281-2/+3
|
* Pass around the reactor explicitly (#3385)Amber Brown2018-06-221-10/+20
|
* Remove run_on_reactor (#3395)Amber Brown2018-06-141-6/+2
|
* Merge pull request #3276 from matrix-org/dbkr/unbindDavid Baker2018-06-111-0/+9
|\ | | | | Remove email addresses / phone numbers from ID servers when they're removed from synapse
| * Missing yieldDavid Baker2018-06-041-1/+1
| |
| * pep8David Baker2018-05-241-1/+2
| |
| * Unbind 3pids when they're deleted tooDavid Baker2018-05-241-0/+8
| |
* | Consistently use six's iteritems and wrap lazy keys/values in list() if ↵Amber Brown2018-05-311-3/+3
|/ | | | they're not meant to be lazy (#3307)
* use bcrypt.checkpwKrombel2018-03-051-2/+4
| | | | | | | | in bcrypt 3.1.0 checkpw got introduced (already 2 years ago) This makes use of that with enhancements which might get introduced by that Signed-Off-by: Matthias Kesler <krombel@krombel.de>
* Merge pull request #2773 from matrix-org/erikj/hash_bgErik Johnston2018-01-101-8/+16
|\ | | | | Do bcrypt hashing in a background thread
| * Do bcrypt hashing in a background threadErik Johnston2018-01-101-8/+16
| |
* | support custom login types for validating usersRichard van der Hoff2017-12-051-24/+57
| | | | | | | | | | Wire the custom login type support from password providers into the UI-auth user-validation flows.
* | Factor out a validate_user_via_ui_auth methodRichard van der Hoff2017-12-051-0/+43
| | | | | | | | Collect together all the places that validate a logged-in user via UI auth.
* | Refactor UI auth implementationRichard van der Hoff2017-12-051-17/+29
|/ | | | | Instead of returning False when auth is incomplete, throw an exception which can be caught with a wrapper.
* Move set_password into its own handlerRichard van der Hoff2017-11-291-16/+0
| | | | | | Non-functional refactoring to move set_password. This means that we'll be able to properly deactivate devices and access tokens without introducing a dependency loop.
* Move deactivate_account into its own handlerRichard van der Hoff2017-11-291-16/+0
| | | | | | Non-functional refactoring to move deactivate_account. This means that we'll be able to properly deactivate devices and access tokens without introducing a dependency loop.
* Remove pushers when deleting access tokensRichard van der Hoff2017-11-291-4/+12
| | | | | Whenever an access token is invalidated, we should remove the associated pushers.
* Fix auth handler #2678Jurek2017-11-161-1/+1
|
* Factor _AccountHandler proxy out to ModuleApiRichard van der Hoff2017-11-021-69/+3
| | | | | We're going to need to use this from places that aren't password auth, so let's move it to a proper class.
* Merge pull request #2624 from matrix-org/rav/password_provider_notify_logoutDavid Baker2017-11-021-2/+24
|\ | | | | Notify auth providers on logout
| * Notify auth providers on logoutRichard van der Hoff2017-11-011-2/+24
| | | | | | | | Provide a hook by which auth providers can be notified of logouts.
* | Merge pull request #2623 from matrix-org/rav/callbacks_for_auth_providersDavid Baker2017-11-021-6/+11
|\ \ | | | | | | Allow password_auth_providers to return a callback
| * | Fix user-interactive password authRichard van der Hoff2017-11-011-1/+3
| | | | | | | | | | | | this got broken in the previous commit
| * | Allow password_auth_providers to return a callbackRichard van der Hoff2017-11-011-5/+8
| |/ | | | | | | ... so that they have a way to record access tokens.
* | Merge pull request #2622 from matrix-org/rav/db_access_for_auth_providersDavid Baker2017-11-021-0/+16
|\ \ | |/ |/| Let auth providers get to the database
| * Let auth providers get to the databaseRichard van der Hoff2017-10-311-0/+16
| | | | | | | | Somewhat open to abuse, but also somewhat unavoidable :/
* | Merge pull request #2620 from matrix-org/rav/auth_non_passwordRichard van der Hoff2017-11-011-22/+96
|\ \ | | | | | | Let password auth providers handle arbitrary login types
| * | Let password auth providers handle arbitrary login typesRichard van der Hoff2017-11-011-22/+96
| |/ | | | | | | | | Provide a hook where password auth providers can say they know about other login types, and get passed the relevant parameters
* | Merge remote-tracking branch 'origin/develop' into ↵David Baker2017-11-011-9/+6
|\ \ | | | | | | | | | rav/refactor_accesstoken_delete
| * | Break dependency of auth_handler on device_handlerRichard van der Hoff2017-11-011-9/+6
| |/ | | | | | | | | | | | | | | | | I'm going to need to make the device_handler depend on the auth_handler, so I need to break this dependency to avoid a cycle. It turns out that the auth_handler was only using the device_handler in one place which was an edge case which we can more elegantly handle by throwing an error rather than fixing it up.
* / Move access token deletion into auth handlerRichard van der Hoff2017-11-011-2/+47
|/ | | | | | | Also move duplicated deactivation code into the auth handler. I want to add some hooks when we deactivate an access token, so let's bring it all in here so that there's somewhere to put it.
* Refactor some logic from LoginRestServlet into AuthHandlerRichard van der Hoff2017-10-311-28/+52
| | | | | | | | | | | | | | I'm going to need some more flexibility in handling login types in password auth providers, so as a first step, move some stuff from LoginRestServlet into AuthHandler. In particular, we pass everything other than SAML, JWT and token logins down to the AuthHandler, which now has responsibility for checking the login type and fishing the password out of the login dictionary, as well as qualifying the user_id if need be. Ideally SAML, JWT and token would go that way too, but there's no real need for it right now and I'm trying to minimise impact. This commit *should* be non-functional.
* Allow ASes to deactivate their own usersRichard van der Hoff2017-10-271-1/+1
|
* Remove pointless create() methodRichard van der Hoff2017-10-201-1/+1
| | | | | It just calls the constructor, so we may as well kill it rather than having random codepaths.
* Use an ExpiringCache for storing registration sessionsErik Johnston2017-06-291-11/+10
| | | | | This is because pruning them was a significant performance drain on matrix.org
* Support registration / login with phone numberDavid Baker2017-03-131-7/+25
| | | | Changes from https://github.com/matrix-org/synapse/pull/1971
* Revert "Support registration & login with phone number"Erik Johnston2017-03-131-25/+7
|
* Fix log lineDavid Baker2017-03-081-1/+1
|
* Factor out msisdn canonicalisationDavid Baker2017-03-081-1/+1
| | | | Plus a couple of other minor fixes
* Fix pep8David Baker2017-03-081-1/+1
|
* Just return the deferred straight offDavid Baker2017-03-011-4/+2
| | | | | defer.returnValue doth not maketh a generator: it would need a yield to be a generator, and this doesn't need a yield.
* WIP support for msisdn 3pid proxy methodsDavid Baker2017-02-141-5/+25
|
* Fix email push in pusher workerErik Johnston2017-02-021-36/+44
| | | | | | This was broken when device list updates were implemented, as Mailer could no longer instantiate an AuthHandler due to a dependency on federation sending.
* Fix another comment typoDavid Baker2016-12-211-1/+1
|
* Add /account/3pid/delete endpointDavid Baker2016-12-201-0/+11
| | | | Also fix a typo in a comment
* fix ability to change password to a non-ascii oneMatthew Hodgson2016-12-181-2/+2
| | | | https://github.com/vector-im/riot-web/issues/2658
* Merge pull request #1649 from matrix-org/dbkr/log_ui_auth_argsErik Johnston2016-12-051-1/+9
|\ | | | | Log the args that we have on UI auth completion
| * Clarify that creds doesn not contain passwords.David Baker2016-11-241-1/+3
| |
| * Log the args that we have on UI auth completionDavid Baker2016-11-241-1/+7
| | | | | | | | | | This will be super helpful for debugging if we have more registration woes.
* | Rip out more refresh_token codeRichard van der Hoff2016-11-301-10/+0
| | | | | | | | | | | | | | | | We might as well treat all refresh_tokens as invalid. Just return a 403 from /tokenrefresh, so that we don't have a load of dead, untestable code hanging around. Still TODO: removing the table from the schema.
* | Merge branch 'develop' into rav/no_more_refresh_tokensRichard van der Hoff2016-11-301-5/+6
|\ \
| * | Stop putting a time caveat on access tokensRichard van der Hoff2016-11-291-5/+6
| |/ | | | | | | | | | | | | | | The 'time' caveat on the access tokens was something of a lie, since we weren't enforcing it; more pertinently its presence stops us ever adding useful time caveats. Let's move in the right direction by not lying in our caveats.
* / Stop generating refresh tokensRichard van der Hoff2016-11-281-16/+4
|/ | | | | | | Since we're not doing refresh tokens any more, we should start killing off the dead code paths. /tokenrefresh itself is a bit of a thornier subject, since there might be apps out there using it, but we can at least not generate refresh tokens on new logins.
* Use external ldap auth pacakgeErik Johnston2016-11-151-0/+2
|
* Don't error on non-ascii passwordsDavid Baker2016-11-031-1/+1
|
* Convert emails to lowercase when storingDavid Baker2016-10-191-0/+12
| | | | And db migration sql to convert existing addresses.
* Merge pull request #1155 from matrix-org/erikj/pluggable_pwd_authErik Johnston2016-10-121-295/+39
|\ | | | | Implement pluggable password auth
| * Implement pluggable password authErik Johnston2016-10-031-295/+39
| | | | | | | | | | | | Allows delegating the password auth to an external module. This also moves the LDAP auth to using this system, allowing it to be removed from the synapse tree entirely in the future.
* | Work around email-spamming Riot bugRichard van der Hoff2016-10-111-3/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | 5d9546f9 introduced a change to synapse behaviour, in that failures in the interactive-auth process would return the flows and params data as well as an error code (as specced in https://github.com/matrix-org/matrix-doc/pull/397). That change exposed a bug in Riot which would make it request a new validation token (and send a new email) each time it got a 401 with a `flows` parameter (see https://github.com/vector-im/vector-web/issues/2447 and the fix at https://github.com/matrix-org/matrix-react-sdk/pull/510). To preserve compatibility with broken versions of Riot, grandfather in the old behaviour for the email validation stage.
* | Merge pull request #1160 from matrix-org/rav/401_on_password_failRichard van der Hoff2016-10-071-32/+52
|\ \ | |/ |/| Interactive Auth: Return 401 from for incorrect password
| * Interactive Auth: Return 401 from for incorrect passwordRichard van der Hoff2016-10-071-32/+52
| | | | | | | | | | | | | | | | | | This requires a bit of fettling, because I want to return a helpful error message too but we don't want to distinguish between unknown user and invalid password. To avoid hardcoding the error message into 15 places in the code, I've had to refactor a few methods to return None instead of throwing. Fixes https://matrix.org/jira/browse/SYN-744
* | Restructure ldap authenticationMartin Weinelt2016-09-291-87/+192
|/ | | | | | | | - properly parse return values of ldap bind() calls - externalize authentication methods - change control flow to be more error-resilient - unbind ldap connections in many places - improve log messages and loglevels
* Refactor user_delete_access_tokens. Invalidate get_user_by_access_token to ↵Erik Johnston2016-08-151-3/+3
| | | | slaves.
* Log the value which is observed in the first place.Daniel Ehlers2016-08-141-1/+1
| | | | | | | | The name 'result' is of bool type and has no len property, resulting in a TypeError. Futhermore in the flow control conn.response is observed and hence should be reported. Signed-off-by: Daniel Ehlers <sargon@toppoint.de>
* Fix AttributeError when bind_dn is not defined.Daniel Ehlers2016-08-141-1/+1
| | | | | | | | | In case one does not define bind_dn in ldap configuration, filter attribute is not declared. Since auth code only uses ldap_filter attribute when according LDAP mode is selected, it is safe to only declare the attribute in that case. Signed-off-by: Daniel Ehlers <sargon@toppoint.de>
* /login: Respond with a 403 when we get an invalid m.login.tokenRichard van der Hoff2016-08-091-3/+3
|
* Fix login with m.login.tokenRichard van der Hoff2016-08-081-13/+4
| | | | | login with token (as used by CAS auth) was broken by 067596d, such that it always returned a 401.
* Implement deleting devicesRichard van der Hoff2016-07-261-2/+20
|
* Use get to avoid KeyErrorsDavid Baker2016-07-221-1/+1
|
* Log the hostname the reCAPTCHA was completed onDavid Baker2016-07-221-2/+11
| | | | This could be useful information to have in the logs. Also comment about how & why we don't verify the hostname.
* Type annotationsRichard van der Hoff2016-07-191-0/+4
| | | | | Add some type annotations to help PyCharm (in particular) to figure out the types of a bunch of things.
* Add device_id support to /loginRichard van der Hoff2016-07-181-8/+11
| | | | | | | | | | | | | Add a 'devices' table to the storage, as well as a 'device_id' column to refresh_tokens. Allow the client to pass a device_id, and initial_device_display_name, to /login. If login is successful, then register the device in the devices table if it wasn't known already. If no device_id was supplied, make one up. Associate the device_id with the access token and refresh token, so that we can get at it again later. Ensure that the device_id is copied from the refresh token to the access_token when the token is refreshed.
* Refactor login flowRichard van der Hoff2016-07-181-47/+59
| | | | | | | | | | Make sure that we have the canonical user_id *before* calling get_login_tuple_for_user_id. Replace login_with_password with a method which just validates the password, and have the caller call get_login_tuple_for_user_id. This brings the password flow into line with the other flows, and will give us a place to register the device_id if necessary.
* Bug fix: expire invalid access tokensNegar Fazeli2016-07-131-2/+3
|
* Fix password configKent Shikama2016-07-051-2/+2
|
* Fix pep8Kent Shikama2016-07-051-1/+2
|
* Add pepper to password hashingKent Shikama2016-07-051-2/+3
| | | | Signed-off-by: Kent Shikama <kent@kentshikama.com>
* Rework ldap integration with ldap3Martin Weinelt2016-06-221-33/+170
| | | | | | | | | | | | | | | | | | | Use the pure-python ldap3 library, which eliminates the need for a system dependency. Offer both a `search` and `simple_bind` mode, for more sophisticated ldap scenarios. - `search` tries to find a matching DN within the `user_base` while employing the `user_filter`, then tries the bind when a single matching DN was found. - `simple_bind` tries the bind against a specific DN by combining the localpart and `user_base` Offer support for STARTTLS on a plain connection. The configuration was changed to reflect these new possibilities. Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
* Fix TypeError in call to bcrypt.hashpwSalvatore LaMendola2016-06-161-1/+1
| | | | | | | | - At the very least, this TypeError caused logins to fail on my own running instance of Synapse, and the simple (explicit) UTF-8 conversion resolved login errors for me. Signed-off-by: Salvatore LaMendola <salvatore.lamendola@gmail.com>
* Email unsubscribing that may in theory, workDavid Baker2016-06-021-0/+5
| | | | Were it not for that fact that you can't use the base handler in the pusher because it pulls in the world. Comitting while I fix that on a different branch.
* Send down correct error response if user not foundErik Johnston2016-05-271-2/+7
|
* Merge pull request #741 from negzi/create_user_with_expiryErik Johnston2016-05-131-2/+2
|\ | | | | Create user with expiry
| * Create user with expiryNegi Fazeli2016-05-131-2/+2
| | | | | | | | | | | | - Add unittests for client, api and handler Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
* | Correctly handle NULL password hashes from the databaseErik Johnston2016-05-111-1/+4
|/
* Simplify _check_passwordErik Johnston2016-04-151-5/+9
|
* Fix check_password rather than inverting the meaning of ↵Mark Haines2016-04-141-9/+12
| | | | _check_local_password (#730)
* Fix login to error for nonexistent usersDavid Baker2016-04-141-1/+1
| | | | Fixes SYN-680
* fix check for failed authenticationChristoph Witzany2016-04-061-2/+4
|
* remove lineChristoph Witzany2016-04-061-1/+0
|
* make tests for ldap more specific to not be fooled by MocksChristoph Witzany2016-04-061-3/+3
|
* output ldap version for info and to pacify pep8Christoph Witzany2016-04-061-0/+2
|
* conditionally import ldapChristoph Witzany2016-04-061-2/+5
|
* fix pep8Christoph Witzany2016-04-061-2/+1
|
* fix exception handlingChristoph Witzany2016-04-061-2/+2
|
* code styleChristoph Witzany2016-04-061-6/+13
|
* add tls property and twist my head around twistedChristoph Witzany2016-04-061-15/+29
|
* move LDAP authentication to AuthenticationHandlerChristoph Witzany2016-04-061-6/+48
|
* Use google style doc strings.Mark Haines2016-04-011-9/+17
| | | | | | | pycharm supports them so there is no need to use the other format. Might as well convert the existing strings to reduce the risk of people accidentally cargo culting the wrong doc string format.
* Make registration idempotent, part 2: be idempotent if the client specifies ↵David Baker2016-03-161-0/+14
| | | | a username.
* pep8David Baker2016-03-161-1/+2
|
* time_msec()David Baker2016-03-161-1/+1
|
* string with symbols is a bit too symboly.David Baker2016-03-161-1/+1
|