Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Allowing specifying IS to use in unbind API. | Erik Johnston | 2019-04-01 | 1 | -1/+6 |
| | | | | | | | | | | By default the homeserver will use the identity server used during the binding of the 3PID to unbind the 3PID. However, we need to allow clients to explicitly ask the homeserver to unbind via a particular identity server, for the case where the 3PID was bound out of band from the homeserver. Implements MSC915. | ||||
* | Support 3PID login in password providers (#4931) | Andrew Morgan | 2019-03-26 | 1 | -1/+38 |
| | | | | | Adds a new method, check_3pid_auth, which gives password providers the chance to allow authentication with third-party identifiers such as email or msisdn. | ||||
* | Add ratelimiting on failed login attempts (#4865) | Brendan Abolivier | 2019-03-18 | 1 | -5/+23 |
| | |||||
* | Add ratelimiting on login (#4821) | Brendan Abolivier | 2019-03-15 | 1 | -0/+36 |
| | | | Add two ratelimiters on login (per-IP address and per-userID). | ||||
* | Factor SSO success handling out of CAS login (#4264) | Richard van der Hoff | 2018-12-07 | 1 | -2/+11 |
| | | | | This is mostly factoring out the post-CAS-login code to somewhere we can reuse it for other SSO flows, but it also fixes the userid mapping while we're at it. | ||||
* | Remove duplicate slashes in generated consent URLs | Travis Ralston | 2018-11-15 | 1 | -1/+1 |
| | |||||
* | Add config variables for enabling terms auth and the policy name (#4142) | Travis Ralston | 2018-11-06 | 1 | -1/+1 |
| | | | | So people can still collect consent the old way if they want to. | ||||
* | Include a version query string arg for the consent route | Travis Ralston | 2018-10-31 | 1 | -1/+4 |
| | |||||
* | Merge branch 'develop' into travis/login-terms | Travis Ralston | 2018-10-24 | 1 | -14/+4 |
|\ | |||||
| * | Correctly account for cpu usage by background threads (#4074) | Richard van der Hoff | 2018-10-23 | 1 | -14/+4 |
| | | | | | | | | | | | | | | | | | | | | Wrap calls to deferToThread() in a thing which uses a child logcontext to attribute CPU usage to the right request. While we're in the area, remove the logcontext_tracer stuff, which is never used, and afaik doesn't work. Fixes #4064 | ||||
* | | pep8 | Travis Ralston | 2018-10-15 | 1 | -1/+1 |
| | | |||||
* | | Ensure the terms params are actually provided | Travis Ralston | 2018-10-15 | 1 | -0/+1 |
| | | |||||
* | | Python is hard | Travis Ralston | 2018-10-15 | 1 | -5/+6 |
| | | |||||
* | | Update login terms structure for the proposed language support | Travis Ralston | 2018-10-12 | 1 | -4/+7 |
| | | |||||
* | | Use a flag rather than a new route for the public policy | Travis Ralston | 2018-10-03 | 1 | -1/+1 |
| | | | | | | This also means that the template now has optional parameters, which will need to be documented somehow. | ||||
* | | Supply params for terms auth stage | Travis Ralston | 2018-10-03 | 1 | -0/+9 |
| | | | | | | As per https://github.com/matrix-org/matrix-doc/pull/1692 | ||||
* | | Incorporate Dave's work for GDPR login flows | Travis Ralston | 2018-10-03 | 1 | -0/+4 |
|/ | | | As per https://github.com/vector-im/riot-web/issues/7168#issuecomment-419996117 | ||||
* | Port handlers/ to Python 3 (#3803) | Amber Brown | 2018-09-07 | 1 | -3/+5 |
| | |||||
* | Merge branch 'develop' of github.com:matrix-org/synapse into ↵ | Neil Johnson | 2018-08-15 | 1 | -3/+17 |
|\ | | | | | | | neilj/fix_off_by_1+maus | ||||
| * | Merge pull request #3667 from matrix-org/erikj/fixup_unbind | Erik Johnston | 2018-08-15 | 1 | -3/+17 |
| |\ | | | | | | | Don't fail requests to unbind 3pids for non supporting ID servers | ||||
| | * | Don't fail requests to unbind 3pids for non supporting ID servers | Erik Johnston | 2018-08-08 | 1 | -3/+17 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661 | ||||
* | | | fix off by 1s on mau | Neil Johnson | 2018-08-14 | 1 | -2/+2 |
|/ / | |||||
* | | bug fixes | Neil Johnson | 2018-08-03 | 1 | -13/+2 |
| | | |||||
* | | do mau checks based on monthly_active_users table | Neil Johnson | 2018-08-02 | 1 | -6/+4 |
|/ | |||||
* | Merge pull request #3630 from matrix-org/neilj/mau_sign_in_log_in_limits | Neil Johnson | 2018-08-01 | 1 | -1/+18 |
|\ | | | | | Initial impl of capping MAU | ||||
| * | count_monthly_users() async | Neil Johnson | 2018-08-01 | 1 | -4/+7 |
| | | |||||
| * | coding style | Neil Johnson | 2018-07-31 | 1 | -1/+2 |
| | | |||||
| * | limit register and sign in on number of monthly users | Neil Johnson | 2018-07-30 | 1 | -0/+13 |
| | | |||||
* | | Python 3: Convert some unicode/bytes uses (#3569) | Amber Brown | 2018-08-02 | 1 | -9/+20 |
|/ | |||||
* | run isort | Amber Brown | 2018-07-09 | 1 | -12/+14 |
| | |||||
* | Attempt to be more performant on PyPy (#3462) | Amber Brown | 2018-06-28 | 1 | -2/+3 |
| | |||||
* | Pass around the reactor explicitly (#3385) | Amber Brown | 2018-06-22 | 1 | -10/+20 |
| | |||||
* | Remove run_on_reactor (#3395) | Amber Brown | 2018-06-14 | 1 | -6/+2 |
| | |||||
* | Merge pull request #3276 from matrix-org/dbkr/unbind | David Baker | 2018-06-11 | 1 | -0/+9 |
|\ | | | | | Remove email addresses / phone numbers from ID servers when they're removed from synapse | ||||
| * | Missing yield | David Baker | 2018-06-04 | 1 | -1/+1 |
| | | |||||
| * | pep8 | David Baker | 2018-05-24 | 1 | -1/+2 |
| | | |||||
| * | Unbind 3pids when they're deleted too | David Baker | 2018-05-24 | 1 | -0/+8 |
| | | |||||
* | | Consistently use six's iteritems and wrap lazy keys/values in list() if ↵ | Amber Brown | 2018-05-31 | 1 | -3/+3 |
|/ | | | | they're not meant to be lazy (#3307) | ||||
* | use bcrypt.checkpw | Krombel | 2018-03-05 | 1 | -2/+4 |
| | | | | | | | | in bcrypt 3.1.0 checkpw got introduced (already 2 years ago) This makes use of that with enhancements which might get introduced by that Signed-Off-by: Matthias Kesler <krombel@krombel.de> | ||||
* | Merge pull request #2773 from matrix-org/erikj/hash_bg | Erik Johnston | 2018-01-10 | 1 | -8/+16 |
|\ | | | | | Do bcrypt hashing in a background thread | ||||
| * | Do bcrypt hashing in a background thread | Erik Johnston | 2018-01-10 | 1 | -8/+16 |
| | | |||||
* | | support custom login types for validating users | Richard van der Hoff | 2017-12-05 | 1 | -24/+57 |
| | | | | | | | | | | Wire the custom login type support from password providers into the UI-auth user-validation flows. | ||||
* | | Factor out a validate_user_via_ui_auth method | Richard van der Hoff | 2017-12-05 | 1 | -0/+43 |
| | | | | | | | | Collect together all the places that validate a logged-in user via UI auth. | ||||
* | | Refactor UI auth implementation | Richard van der Hoff | 2017-12-05 | 1 | -17/+29 |
|/ | | | | | Instead of returning False when auth is incomplete, throw an exception which can be caught with a wrapper. | ||||
* | Move set_password into its own handler | Richard van der Hoff | 2017-11-29 | 1 | -16/+0 |
| | | | | | | Non-functional refactoring to move set_password. This means that we'll be able to properly deactivate devices and access tokens without introducing a dependency loop. | ||||
* | Move deactivate_account into its own handler | Richard van der Hoff | 2017-11-29 | 1 | -16/+0 |
| | | | | | | Non-functional refactoring to move deactivate_account. This means that we'll be able to properly deactivate devices and access tokens without introducing a dependency loop. | ||||
* | Remove pushers when deleting access tokens | Richard van der Hoff | 2017-11-29 | 1 | -4/+12 |
| | | | | | Whenever an access token is invalidated, we should remove the associated pushers. | ||||
* | Fix auth handler #2678 | Jurek | 2017-11-16 | 1 | -1/+1 |
| | |||||
* | Factor _AccountHandler proxy out to ModuleApi | Richard van der Hoff | 2017-11-02 | 1 | -69/+3 |
| | | | | | We're going to need to use this from places that aren't password auth, so let's move it to a proper class. | ||||
* | Merge pull request #2624 from matrix-org/rav/password_provider_notify_logout | David Baker | 2017-11-02 | 1 | -2/+24 |
|\ | | | | | Notify auth providers on logout | ||||
| * | Notify auth providers on logout | Richard van der Hoff | 2017-11-01 | 1 | -2/+24 |
| | | | | | | | | Provide a hook by which auth providers can be notified of logouts. | ||||
* | | Merge pull request #2623 from matrix-org/rav/callbacks_for_auth_providers | David Baker | 2017-11-02 | 1 | -6/+11 |
|\ \ | | | | | | | Allow password_auth_providers to return a callback | ||||
| * | | Fix user-interactive password auth | Richard van der Hoff | 2017-11-01 | 1 | -1/+3 |
| | | | | | | | | | | | | this got broken in the previous commit | ||||
| * | | Allow password_auth_providers to return a callback | Richard van der Hoff | 2017-11-01 | 1 | -5/+8 |
| |/ | | | | | | | ... so that they have a way to record access tokens. | ||||
* | | Merge pull request #2622 from matrix-org/rav/db_access_for_auth_providers | David Baker | 2017-11-02 | 1 | -0/+16 |
|\ \ | |/ |/| | Let auth providers get to the database | ||||
| * | Let auth providers get to the database | Richard van der Hoff | 2017-10-31 | 1 | -0/+16 |
| | | | | | | | | Somewhat open to abuse, but also somewhat unavoidable :/ | ||||
* | | Merge pull request #2620 from matrix-org/rav/auth_non_password | Richard van der Hoff | 2017-11-01 | 1 | -22/+96 |
|\ \ | | | | | | | Let password auth providers handle arbitrary login types | ||||
| * | | Let password auth providers handle arbitrary login types | Richard van der Hoff | 2017-11-01 | 1 | -22/+96 |
| |/ | | | | | | | | | Provide a hook where password auth providers can say they know about other login types, and get passed the relevant parameters | ||||
* | | Merge remote-tracking branch 'origin/develop' into ↵ | David Baker | 2017-11-01 | 1 | -9/+6 |
|\ \ | | | | | | | | | | rav/refactor_accesstoken_delete | ||||
| * | | Break dependency of auth_handler on device_handler | Richard van der Hoff | 2017-11-01 | 1 | -9/+6 |
| |/ | | | | | | | | | | | | | | | | | I'm going to need to make the device_handler depend on the auth_handler, so I need to break this dependency to avoid a cycle. It turns out that the auth_handler was only using the device_handler in one place which was an edge case which we can more elegantly handle by throwing an error rather than fixing it up. | ||||
* / | Move access token deletion into auth handler | Richard van der Hoff | 2017-11-01 | 1 | -2/+47 |
|/ | | | | | | | Also move duplicated deactivation code into the auth handler. I want to add some hooks when we deactivate an access token, so let's bring it all in here so that there's somewhere to put it. | ||||
* | Refactor some logic from LoginRestServlet into AuthHandler | Richard van der Hoff | 2017-10-31 | 1 | -28/+52 |
| | | | | | | | | | | | | | | I'm going to need some more flexibility in handling login types in password auth providers, so as a first step, move some stuff from LoginRestServlet into AuthHandler. In particular, we pass everything other than SAML, JWT and token logins down to the AuthHandler, which now has responsibility for checking the login type and fishing the password out of the login dictionary, as well as qualifying the user_id if need be. Ideally SAML, JWT and token would go that way too, but there's no real need for it right now and I'm trying to minimise impact. This commit *should* be non-functional. | ||||
* | Allow ASes to deactivate their own users | Richard van der Hoff | 2017-10-27 | 1 | -1/+1 |
| | |||||
* | Remove pointless create() method | Richard van der Hoff | 2017-10-20 | 1 | -1/+1 |
| | | | | | It just calls the constructor, so we may as well kill it rather than having random codepaths. | ||||
* | Use an ExpiringCache for storing registration sessions | Erik Johnston | 2017-06-29 | 1 | -11/+10 |
| | | | | | This is because pruning them was a significant performance drain on matrix.org | ||||
* | Support registration / login with phone number | David Baker | 2017-03-13 | 1 | -7/+25 |
| | | | | Changes from https://github.com/matrix-org/synapse/pull/1971 | ||||
* | Revert "Support registration & login with phone number" | Erik Johnston | 2017-03-13 | 1 | -25/+7 |
| | |||||
* | Fix log line | David Baker | 2017-03-08 | 1 | -1/+1 |
| | |||||
* | Factor out msisdn canonicalisation | David Baker | 2017-03-08 | 1 | -1/+1 |
| | | | | Plus a couple of other minor fixes | ||||
* | Fix pep8 | David Baker | 2017-03-08 | 1 | -1/+1 |
| | |||||
* | Just return the deferred straight off | David Baker | 2017-03-01 | 1 | -4/+2 |
| | | | | | defer.returnValue doth not maketh a generator: it would need a yield to be a generator, and this doesn't need a yield. | ||||
* | WIP support for msisdn 3pid proxy methods | David Baker | 2017-02-14 | 1 | -5/+25 |
| | |||||
* | Fix email push in pusher worker | Erik Johnston | 2017-02-02 | 1 | -36/+44 |
| | | | | | | This was broken when device list updates were implemented, as Mailer could no longer instantiate an AuthHandler due to a dependency on federation sending. | ||||
* | Fix another comment typo | David Baker | 2016-12-21 | 1 | -1/+1 |
| | |||||
* | Add /account/3pid/delete endpoint | David Baker | 2016-12-20 | 1 | -0/+11 |
| | | | | Also fix a typo in a comment | ||||
* | fix ability to change password to a non-ascii one | Matthew Hodgson | 2016-12-18 | 1 | -2/+2 |
| | | | | https://github.com/vector-im/riot-web/issues/2658 | ||||
* | Merge pull request #1649 from matrix-org/dbkr/log_ui_auth_args | Erik Johnston | 2016-12-05 | 1 | -1/+9 |
|\ | | | | | Log the args that we have on UI auth completion | ||||
| * | Clarify that creds does not contain passwords. | David Baker | 2016-11-24 | 1 | -1/+3 |
| | | |||||
| * | Log the args that we have on UI auth completion | David Baker | 2016-11-24 | 1 | -1/+7 |
| | | | | | | | | | | This will be super helpful for debugging if we have more registration woes. | ||||
* | | Rip out more refresh_token code | Richard van der Hoff | 2016-11-30 | 1 | -10/+0 |
| | | | | | | | | | | | | | | | | We might as well treat all refresh_tokens as invalid. Just return a 403 from /tokenrefresh, so that we don't have a load of dead, untestable code hanging around. Still TODO: removing the table from the schema. | ||||
* | | Merge branch 'develop' into rav/no_more_refresh_tokens | Richard van der Hoff | 2016-11-30 | 1 | -5/+6 |
|\ \ | |||||
| * | | Stop putting a time caveat on access tokens | Richard van der Hoff | 2016-11-29 | 1 | -5/+6 |
| |/ | | | | | | | | | | | | | | | The 'time' caveat on the access tokens was something of a lie, since we weren't enforcing it; more pertinently its presence stops us ever adding useful time caveats. Let's move in the right direction by not lying in our caveats. | ||||
* / | Stop generating refresh tokens | Richard van der Hoff | 2016-11-28 | 1 | -16/+4 |
|/ | | | | | | | Since we're not doing refresh tokens any more, we should start killing off the dead code paths. /tokenrefresh itself is a bit of a thornier subject, since there might be apps out there using it, but we can at least not generate refresh tokens on new logins. | ||||
* | Use external ldap auth package | Erik Johnston | 2016-11-15 | 1 | -0/+2 |
| | |||||
* | Don't error on non-ascii passwords | David Baker | 2016-11-03 | 1 | -1/+1 |
| | |||||
* | Convert emails to lowercase when storing | David Baker | 2016-10-19 | 1 | -0/+12 |
| | | | | And db migration sql to convert existing addresses. | ||||
* | Merge pull request #1155 from matrix-org/erikj/pluggable_pwd_auth | Erik Johnston | 2016-10-12 | 1 | -295/+39 |
|\ | | | | | Implement pluggable password auth | ||||
| * | Implement pluggable password auth | Erik Johnston | 2016-10-03 | 1 | -295/+39 |
| | | | | | | | | | | | | Allows delegating the password auth to an external module. This also moves the LDAP auth to using this system, allowing it to be removed from the synapse tree entirely in the future. | ||||
* | | Work around email-spamming Riot bug | Richard van der Hoff | 2016-10-11 | 1 | -3/+14 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | 5d9546f9 introduced a change to synapse behaviour, in that failures in the interactive-auth process would return the flows and params data as well as an error code (as specced in https://github.com/matrix-org/matrix-doc/pull/397). That change exposed a bug in Riot which would make it request a new validation token (and send a new email) each time it got a 401 with a `flows` parameter (see https://github.com/vector-im/vector-web/issues/2447 and the fix at https://github.com/matrix-org/matrix-react-sdk/pull/510). To preserve compatibility with broken versions of Riot, grandfather in the old behaviour for the email validation stage. | ||||
* | | Merge pull request #1160 from matrix-org/rav/401_on_password_fail | Richard van der Hoff | 2016-10-07 | 1 | -32/+52 |
|\ \ | |/ |/| | Interactive Auth: Return 401 from for incorrect password | ||||
| * | Interactive Auth: Return 401 from for incorrect password | Richard van der Hoff | 2016-10-07 | 1 | -32/+52 |
| | | | | | | | | | | | | | | | | | | This requires a bit of fettling, because I want to return a helpful error message too but we don't want to distinguish between unknown user and invalid password. To avoid hardcoding the error message into 15 places in the code, I've had to refactor a few methods to return None instead of throwing. Fixes https://matrix.org/jira/browse/SYN-744 | ||||
* | | Restructure ldap authentication | Martin Weinelt | 2016-09-29 | 1 | -87/+192 |
|/ | | | | | | | | - properly parse return values of ldap bind() calls - externalize authentication methods - change control flow to be more error-resilient - unbind ldap connections in many places - improve log messages and loglevels | ||||
* | Refactor user_delete_access_tokens. Invalidate get_user_by_access_token to ↵ | Erik Johnston | 2016-08-15 | 1 | -3/+3 |
| | | | | slaves. | ||||
* | Log the value which is observed in the first place. | Daniel Ehlers | 2016-08-14 | 1 | -1/+1 |
| | | | | | | | | The name 'result' is of bool type and has no len property, resulting in a TypeError. Furthermore in the flow control conn.response is observed and hence should be reported. Signed-off-by: Daniel Ehlers <sargon@toppoint.de> | ||||
* | Fix AttributeError when bind_dn is not defined. | Daniel Ehlers | 2016-08-14 | 1 | -1/+1 |
| | | | | | | | | | In case one does not define bind_dn in ldap configuration, filter attribute is not declared. Since auth code only uses ldap_filter attribute when according LDAP mode is selected, it is safe to only declare the attribute in that case. Signed-off-by: Daniel Ehlers <sargon@toppoint.de> | ||||
* | /login: Respond with a 403 when we get an invalid m.login.token | Richard van der Hoff | 2016-08-09 | 1 | -3/+3 |
| | |||||
* | Fix login with m.login.token | Richard van der Hoff | 2016-08-08 | 1 | -13/+4 |
| | | | | | login with token (as used by CAS auth) was broken by 067596d, such that it always returned a 401. | ||||
* | Implement deleting devices | Richard van der Hoff | 2016-07-26 | 1 | -2/+20 |
| | |||||
* | Use get to avoid KeyErrors | David Baker | 2016-07-22 | 1 | -1/+1 |
| | |||||
* | Log the hostname the reCAPTCHA was completed on | David Baker | 2016-07-22 | 1 | -2/+11 |
| | | | | This could be useful information to have in the logs. Also comment about how & why we don't verify the hostname. | ||||
* | Type annotations | Richard van der Hoff | 2016-07-19 | 1 | -0/+4 |
| | | | | | Add some type annotations to help PyCharm (in particular) to figure out the types of a bunch of things. | ||||
* | Add device_id support to /login | Richard van der Hoff | 2016-07-18 | 1 | -8/+11 |
| | | | | | | | | | | | | | Add a 'devices' table to the storage, as well as a 'device_id' column to refresh_tokens. Allow the client to pass a device_id, and initial_device_display_name, to /login. If login is successful, then register the device in the devices table if it wasn't known already. If no device_id was supplied, make one up. Associate the device_id with the access token and refresh token, so that we can get at it again later. Ensure that the device_id is copied from the refresh token to the access_token when the token is refreshed. | ||||
* | Refactor login flow | Richard van der Hoff | 2016-07-18 | 1 | -47/+59 |
| | | | | | | | | | | Make sure that we have the canonical user_id *before* calling get_login_tuple_for_user_id. Replace login_with_password with a method which just validates the password, and have the caller call get_login_tuple_for_user_id. This brings the password flow into line with the other flows, and will give us a place to register the device_id if necessary. | ||||
* | Bug fix: expire invalid access tokens | Negar Fazeli | 2016-07-13 | 1 | -2/+3 |
| | |||||
* | Fix password config | Kent Shikama | 2016-07-05 | 1 | -2/+2 |
| | |||||
* | Fix pep8 | Kent Shikama | 2016-07-05 | 1 | -1/+2 |
| | |||||
* | Add pepper to password hashing | Kent Shikama | 2016-07-05 | 1 | -2/+3 |
| | | | | Signed-off-by: Kent Shikama <kent@kentshikama.com> | ||||
* | Rework ldap integration with ldap3 | Martin Weinelt | 2016-06-22 | 1 | -33/+170 |
| | | | | | | | | | | | | | | | | | | | Use the pure-python ldap3 library, which eliminates the need for a system dependency. Offer both a `search` and `simple_bind` mode, for more sophisticated ldap scenarios. - `search` tries to find a matching DN within the `user_base` while employing the `user_filter`, then tries the bind when a single matching DN was found. - `simple_bind` tries the bind against a specific DN by combining the localpart and `user_base` Offer support for STARTTLS on a plain connection. The configuration was changed to reflect these new possibilities. Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de> | ||||
* | Fix TypeError in call to bcrypt.hashpw | Salvatore LaMendola | 2016-06-16 | 1 | -1/+1 |
| | | | | | | | | - At the very least, this TypeError caused logins to fail on my own running instance of Synapse, and the simple (explicit) UTF-8 conversion resolved login errors for me. Signed-off-by: Salvatore LaMendola <salvatore.lamendola@gmail.com> | ||||
* | Email unsubscribing that may in theory, work | David Baker | 2016-06-02 | 1 | -0/+5 |
| | | | | Were it not for that fact that you can't use the base handler in the pusher because it pulls in the world. Committing while I fix that on a different branch. | ||||
* | Send down correct error response if user not found | Erik Johnston | 2016-05-27 | 1 | -2/+7 |
| | |||||
* | Merge pull request #741 from negzi/create_user_with_expiry | Erik Johnston | 2016-05-13 | 1 | -2/+2 |
|\ | | | | | Create user with expiry | ||||
| * | Create user with expiry | Negi Fazeli | 2016-05-13 | 1 | -2/+2 |
| | | | | | | | | | | | | - Add unittests for client, api and handler Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com> | ||||
* | | Correctly handle NULL password hashes from the database | Erik Johnston | 2016-05-11 | 1 | -1/+4 |
|/ | |||||
* | Simplify _check_password | Erik Johnston | 2016-04-15 | 1 | -5/+9 |
| | |||||
* | Fix check_password rather than inverting the meaning of ↵ | Mark Haines | 2016-04-14 | 1 | -9/+12 |
| | | | | _check_local_password (#730) | ||||
* | Fix login to error for nonexistent users | David Baker | 2016-04-14 | 1 | -1/+1 |
| | | | | Fixes SYN-680 | ||||
* | fix check for failed authentication | Christoph Witzany | 2016-04-06 | 1 | -2/+4 |
| | |||||
* | remove line | Christoph Witzany | 2016-04-06 | 1 | -1/+0 |
| | |||||
* | make tests for ldap more specific to not be fooled by Mocks | Christoph Witzany | 2016-04-06 | 1 | -3/+3 |
| | |||||
* | output ldap version for info and to pacify pep8 | Christoph Witzany | 2016-04-06 | 1 | -0/+2 |
| | |||||
* | conditionally import ldap | Christoph Witzany | 2016-04-06 | 1 | -2/+5 |
| | |||||
* | fix pep8 | Christoph Witzany | 2016-04-06 | 1 | -2/+1 |
| | |||||
* | fix exception handling | Christoph Witzany | 2016-04-06 | 1 | -2/+2 |
| | |||||
* | code style | Christoph Witzany | 2016-04-06 | 1 | -6/+13 |
| | |||||
* | add tls property and twist my head around twisted | Christoph Witzany | 2016-04-06 | 1 | -15/+29 |
| | |||||
* | move LDAP authentication to AuthenticationHandler | Christoph Witzany | 2016-04-06 | 1 | -6/+48 |
| | |||||
* | Use google style doc strings. | Mark Haines | 2016-04-01 | 1 | -9/+17 |
| | | | | | | | pycharm supports them so there is no need to use the other format. Might as well convert the existing strings to reduce the risk of people accidentally cargo culting the wrong doc string format. | ||||
* | Make registration idempotent, part 2: be idempotent if the client specifies ↵ | David Baker | 2016-03-16 | 1 | -0/+14 |
| | | | | a username. | ||||
* | pep8 | David Baker | 2016-03-16 | 1 | -1/+2 |
| | |||||
* | time_msec() | David Baker | 2016-03-16 | 1 | -1/+1 |
| | |||||
* | string with symbols is a bit too symboly. | David Baker | 2016-03-16 | 1 | -1/+1 |
| | |||||
* | Replace other time.time(). | David Baker | 2016-03-16 | 1 | -2/+1 |
| | |||||
* | Use hs get_clock instead of time.time() | David Baker | 2016-03-16 | 1 | -2/+2 |
| | |||||
* | pep8 & remove debug logging | David Baker | 2016-03-16 | 1 | -1/+1 |
| | |||||
* | Make registration idempotent: if you specify the same session, make it give ↵ | David Baker | 2016-03-16 | 1 | -12/+48 |
| | | | | you an access token for the user that was registered on previous uses of that session. Tweak the UI auth layer to not delete sessions when their auth has completed and hence expire them so they don't hang around until server restart. Allow server-side data to be associated with UI auth sessions. | ||||
* | Make select more sensible when deleting access tokens, rename pusher ↵ | David Baker | 2016-03-11 | 1 | -1/+1 |
| | | | | deletion to match access token deletion and make exception arg optional. | ||||
* | Delete old, unused methods and rename new one to just be ↵ | David Baker | 2016-03-11 | 1 | -1/+1 |
| | | | | `user_delete_access_tokens` with an `except_token_ids` argument doing what it says on the tin. | ||||
* | Dear PyCharm, please indent sensibly for me. Thx. | David Baker | 2016-03-11 | 1 | -2/+2 |
| | |||||
* | Fix cache invalidation so deleting access tokens (which we did when changing ↵ | David Baker | 2016-03-11 | 1 | -4/+9 |
| | | | | password) actually takes effect without HS restart. Reinstate the code to avoid logging out the session that changed the password, removed in 415c2f05491ce65a4fc34326519754cd1edd9c54 | ||||
* | Stop using checkpw as it seems to have vanished from bcrypt. Use ↵ | David Baker | 2016-03-02 | 1 | -1/+1 |
| | | | | `bcrypt.hashpw(password, hashed) == hashed` as per the bcrypt README. | ||||
* | Allow guests to upgrade their accounts | Daniel Wagner-Hall | 2016-01-05 | 1 | -3/+3 |
| | |||||
* | Take a boolean not a list of lambdas | Daniel Wagner-Hall | 2015-11-19 | 1 | -1/+1 |
| | |||||
* | Minor review fixes | Steven Hammerton | 2015-11-11 | 1 | -4/+4 |
| | |||||
* | Share more code between macaroon validation | Steven Hammerton | 2015-11-11 | 1 | -48/+7 |
| | |||||
* | Allow hs to do CAS login completely and issue the client with a login token ↵ | Steven Hammerton | 2015-11-05 | 1 | -3/+73 |
| | | | | that can be redeemed for the usual successful login response | ||||
* | Allow guests to register and call /events?room_id= | Daniel Wagner-Hall | 2015-11-04 | 1 | -1/+4 |
| | | | | | | | This follows the same flows-based flow as regular registration, but as the only implemented flow has no requirements, it auto-succeeds. In the future, other flows (e.g. captcha) may be required, so clients should treat this like the regular registration flow choices. | ||||
* | Add config for how many bcrypt rounds to use for password hashes | Mark Haines | 2015-10-16 | 1 | -1/+2 |
| | | | | | By default we leave it at the default value of 12. But now we can reduce it for preparing users for loadtests or running integration tests. | ||||
* | Formatting changes | Steven Hammerton | 2015-10-10 | 1 | -1/+2 |
| | |||||
* | Provide ability to login using CAS | Steven Hammerton | 2015-10-10 | 1 | -0/+31 |
| | |||||
* | Allow configuration to ignore invalid SSL certs | Daniel Wagner-Hall | 2015-09-09 | 1 | -2/+1 |
| | | | | | This will be useful for sytest, and sytest only, hence the aggressive config key name. | ||||
* | Swap out bcrypt for md5 in tests | Daniel Wagner-Hall | 2015-08-26 | 1 | -2/+25 |
| | | | | This reduces our ~8 second sequential test time down to ~7 seconds | ||||
* | Merge erikj/user_dedup to develop | Daniel Wagner-Hall | 2015-08-26 | 1 | -8/+31 |
| | |||||
* | Fix bad merge | Daniel Wagner-Hall | 2015-08-20 | 1 | -8/+1 |
| | |||||
* | Fix indentation | Daniel Wagner-Hall | 2015-08-20 | 1 | -1/+2 |
| | |||||
* | Fix flake8 warnings | Daniel Wagner-Hall | 2015-08-20 | 1 | -4/+6 |
| | |||||
* | Merge branch 'auth' into refresh | Daniel Wagner-Hall | 2015-08-20 | 1 | -3/+3 |
|\ | | | | | | | | | Conflicts: synapse/handlers/register.py | ||||
* | | Merge branch 'develop' into refresh | Daniel Wagner-Hall | 2015-08-20 | 1 | -1/+1 |
|\| | | | | | | | | | Conflicts: synapse/rest/client/v1/login.py | ||||
| * | Another use of check_password that got missed in the yield fix | David Baker | 2015-08-20 | 1 | -1/+1 |
| | | |||||
* | | /tokenrefresh POST endpoint | Daniel Wagner-Hall | 2015-08-20 | 1 | -5/+30 |
| | | | | | | | | | | | | | | | | This allows refresh tokens to be exchanged for (access_token, refresh_token). It also starts issuing them on login, though no clients currently interpret them. | ||||
* | | Move token generation to auth handler | Daniel Wagner-Hall | 2015-08-20 | 1 | -5/+24 |
|/ | | | | | I prefer the auth handler to worry about all auth, and register to call into it as needed, than to smatter auth logic between the two. | ||||
* | Remove an access token log line | Erik Johnston | 2015-08-19 | 1 | -1/+1 |
| | |||||
* | Fix regression where we incorrectly responded with a 200 to /login | Erik Johnston | 2015-08-19 | 1 | -1/+2 |
| | |||||
* | Merge password checking implementations | Daniel Wagner-Hall | 2015-08-12 | 1 | -20/+15 |
| | |||||
* | Simplify LoginHandler and AuthHandler | Daniel Wagner-Hall | 2015-08-12 | 1 | -18/+72 |
| | | | | | | | | | * Merge LoginHandler -> AuthHandler * Add a bunch of documentation * Improve some naming * Remove unused branches I will start merging the actual logic of the two handlers shortly | ||||
* | Add back in support for remembering parameters submitted to a ↵ | David Baker | 2015-07-15 | 1 | -2/+4 |
| | | | | user-interactive auth call. | ||||
* | Merge branch 'develop' into markjh/SYT-8-recaptcha | Mark Haines | 2015-05-29 | 1 | -0/+1 |
|\ | | | | | | | | | Conflicts: synapse/handlers/auth.py | ||||
| * | SYN-395: Fix CAPTCHA, don't double decode json | Erik Johnston | 2015-05-28 | 1 | -2/+3 |
| | | |||||
* | | Add config for setting the recaptcha verify api endpoint, so we can test it ↵ | Mark Haines | 2015-05-29 | 1 | -3/+3 |
|/ | | | | in sytest | ||||
* | This api now no longer returns an array | David Baker | 2015-05-01 | 1 | -1/+1 |
| | |||||
* | Add commentage. | David Baker | 2015-04-27 | 1 | -0/+4 |
| | |||||
* | Use underscores instead of camelcase for id server stuff | David Baker | 2015-04-24 | 1 | -6/+6 |
| | |||||
* | pep8 | David Baker | 2015-04-24 | 1 | -2/+2 |
| | |||||
* | Remove ultimately unused feature of saving params from the first call in the ↵ | David Baker | 2015-04-23 | 1 | -2/+10 |
| | | | | session: it's probably too open to abuse. | ||||
* | Password reset, finally. | David Baker | 2015-04-17 | 1 | -1/+7 |
| | |||||
* | Return user ID in use error straight away | David Baker | 2015-04-16 | 1 | -0/+2 |
| | |||||
* | Dummy login so we can do the first POST request to get login flows without ↵ | David Baker | 2015-04-15 | 1 | -0/+6 |
| | | | | it just succeeding | ||||
* | Registration with email in v2 | David Baker | 2015-04-15 | 1 | -21/+43 |
| | |||||
* | Completely replace fallback auth for C/S V2: | David Baker | 2015-04-01 | 1 | -21/+77 |
| | | | | | | | * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now. | ||||
* | pep8 | David Baker | 2015-03-31 | 1 | -1/+1 |
| | |||||
* | New registration for C/S API v2. Only ReCAPTCHA working currently. | David Baker | 2015-03-30 | 1 | -13/+77 |
| | |||||
* | Implement password changing (finally) along with a start on making ↵ | David Baker | 2015-03-23 | 1 | -0/+109 |
client/server auth more general. |