summary refs log tree commit diff
path: root/synapse/handlers/auth.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #1155 from matrix-org/erikj/pluggable_pwd_authErik Johnston2016-10-121-295/+39
|\ | | | | Implement pluggable password auth
| * Implement pluggable password authErik Johnston2016-10-031-295/+39
| | | | | | | | | | | | Allows delegating the password auth to an external module. This also moves the LDAP auth to using this system, allowing it to be removed from the synapse tree entirely in the future.
* | Work around email-spamming Riot bugRichard van der Hoff2016-10-111-3/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | 5d9546f9 introduced a change to synapse behaviour, in that failures in the interactive-auth process would return the flows and params data as well as an error code (as specced in https://github.com/matrix-org/matrix-doc/pull/397). That change exposed a bug in Riot which would make it request a new validation token (and send a new email) each time it got a 401 with a `flows` parameter (see https://github.com/vector-im/vector-web/issues/2447 and the fix at https://github.com/matrix-org/matrix-react-sdk/pull/510). To preserve compatibility with broken versions of Riot, grandfather in the old behaviour for the email validation stage.
* | Merge pull request #1160 from matrix-org/rav/401_on_password_failRichard van der Hoff2016-10-071-32/+52
|\ \ | |/ |/| Interactive Auth: Return 401 from for incorrect password
| * Interactive Auth: Return 401 from for incorrect passwordRichard van der Hoff2016-10-071-32/+52
| | | | | | | | | | | | | | | | | | This requires a bit of fettling, because I want to return a helpful error message too but we don't want to distinguish between unknown user and invalid password. To avoid hardcoding the error message into 15 places in the code, I've had to refactor a few methods to return None instead of throwing. Fixes https://matrix.org/jira/browse/SYN-744
* | Restructure ldap authenticationMartin Weinelt2016-09-291-87/+192
|/ | | | | | | | - properly parse return values of ldap bind() calls - externalize authentication methods - change control flow to be more error-resilient - unbind ldap connections in many places - improve log messages and loglevels
* Refactor user_delete_access_tokens. Invalidate get_user_by_access_token to ↵Erik Johnston2016-08-151-3/+3
| | | | slaves.
* Log the value which is observed in the first place.Daniel Ehlers2016-08-141-1/+1
| | | | | | | | The name 'result' is of bool type and has no len property, resulting in a TypeError. Futhermore in the flow control conn.response is observed and hence should be reported. Signed-off-by: Daniel Ehlers <sargon@toppoint.de>
* Fix AttributeError when bind_dn is not defined.Daniel Ehlers2016-08-141-1/+1
| | | | | | | | | In case one does not define bind_dn in ldap configuration, filter attribute is not declared. Since auth code only uses ldap_filter attribute when according LDAP mode is selected, it is safe to only declare the attribute in that case. Signed-off-by: Daniel Ehlers <sargon@toppoint.de>
* /login: Respond with a 403 when we get an invalid m.login.tokenRichard van der Hoff2016-08-091-3/+3
|
* Fix login with m.login.tokenRichard van der Hoff2016-08-081-13/+4
| | | | | login with token (as used by CAS auth) was broken by 067596d, such that it always returned a 401.
* Implement deleting devicesRichard van der Hoff2016-07-261-2/+20
|
* Use get to avoid KeyErrorsDavid Baker2016-07-221-1/+1
|
* Log the hostname the reCAPTCHA was completed onDavid Baker2016-07-221-2/+11
| | | | This could be useful information to have in the logs. Also comment about how & why we don't verify the hostname.
* Type annotationsRichard van der Hoff2016-07-191-0/+4
| | | | | Add some type annotations to help PyCharm (in particular) to figure out the types of a bunch of things.
* Add device_id support to /loginRichard van der Hoff2016-07-181-8/+11
| | | | | | | | | | | | | Add a 'devices' table to the storage, as well as a 'device_id' column to refresh_tokens. Allow the client to pass a device_id, and initial_device_display_name, to /login. If login is successful, then register the device in the devices table if it wasn't known already. If no device_id was supplied, make one up. Associate the device_id with the access token and refresh token, so that we can get at it again later. Ensure that the device_id is copied from the refresh token to the access_token when the token is refreshed.
* Refactor login flowRichard van der Hoff2016-07-181-47/+59
| | | | | | | | | | Make sure that we have the canonical user_id *before* calling get_login_tuple_for_user_id. Replace login_with_password with a method which just validates the password, and have the caller call get_login_tuple_for_user_id. This brings the password flow into line with the other flows, and will give us a place to register the device_id if necessary.
* Bug fix: expire invalid access tokensNegar Fazeli2016-07-131-2/+3
|
* Fix password configKent Shikama2016-07-051-2/+2
|
* Fix pep8Kent Shikama2016-07-051-1/+2
|
* Add pepper to password hashingKent Shikama2016-07-051-2/+3
| | | | Signed-off-by: Kent Shikama <kent@kentshikama.com>
* Rework ldap integration with ldap3Martin Weinelt2016-06-221-33/+170
| | | | | | | | | | | | | | | | | | | Use the pure-python ldap3 library, which eliminates the need for a system dependency. Offer both a `search` and `simple_bind` mode, for more sophisticated ldap scenarios. - `search` tries to find a matching DN within the `user_base` while employing the `user_filter`, then tries the bind when a single matching DN was found. - `simple_bind` tries the bind against a specific DN by combining the localpart and `user_base` Offer support for STARTTLS on a plain connection. The configuration was changed to reflect these new possibilities. Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
* Fix TypeError in call to bcrypt.hashpwSalvatore LaMendola2016-06-161-1/+1
| | | | | | | | - At the very least, this TypeError caused logins to fail on my own running instance of Synapse, and the simple (explicit) UTF-8 conversion resolved login errors for me. Signed-off-by: Salvatore LaMendola <salvatore.lamendola@gmail.com>
* Email unsubscribing that may in theory, workDavid Baker2016-06-021-0/+5
| | | | Were it not for that fact that you can't use the base handler in the pusher because it pulls in the world. Comitting while I fix that on a different branch.
* Send down correct error response if user not foundErik Johnston2016-05-271-2/+7
|
* Merge pull request #741 from negzi/create_user_with_expiryErik Johnston2016-05-131-2/+2
|\ | | | | Create user with expiry
| * Create user with expiryNegi Fazeli2016-05-131-2/+2
| | | | | | | | | | | | - Add unittests for client, api and handler Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
* | Correctly handle NULL password hashes from the databaseErik Johnston2016-05-111-1/+4
|/
* Simplify _check_passwordErik Johnston2016-04-151-5/+9
|
* Fix check_password rather than inverting the meaning of ↵Mark Haines2016-04-141-9/+12
| | | | _check_local_password (#730)
* Fix login to error for nonexistent usersDavid Baker2016-04-141-1/+1
| | | | Fixes SYN-680
* fix check for failed authenticationChristoph Witzany2016-04-061-2/+4
|
* remove lineChristoph Witzany2016-04-061-1/+0
|
* make tests for ldap more specific to not be fooled by MocksChristoph Witzany2016-04-061-3/+3
|
* output ldap version for info and to pacify pep8Christoph Witzany2016-04-061-0/+2
|
* conditionally import ldapChristoph Witzany2016-04-061-2/+5
|
* fix pep8Christoph Witzany2016-04-061-2/+1
|
* fix exception handlingChristoph Witzany2016-04-061-2/+2
|
* code styleChristoph Witzany2016-04-061-6/+13
|
* add tls property and twist my head around twistedChristoph Witzany2016-04-061-15/+29
|
* move LDAP authentication to AuthenticationHandlerChristoph Witzany2016-04-061-6/+48
|
* Use google style doc strings.Mark Haines2016-04-011-9/+17
| | | | | | | pycharm supports them so there is no need to use the other format. Might as well convert the existing strings to reduce the risk of people accidentally cargo culting the wrong doc string format.
* Make registration idempotent, part 2: be idempotent if the client specifies ↵David Baker2016-03-161-0/+14
| | | | a username.
* pep8David Baker2016-03-161-1/+2
|
* time_msec()David Baker2016-03-161-1/+1
|
* string with symbols is a bit too symboly.David Baker2016-03-161-1/+1
|
* Replace other time.time().David Baker2016-03-161-2/+1
|
* Use hs get_clock instead of time.time()David Baker2016-03-161-2/+2
|
* pep8 & remove debug loggingDavid Baker2016-03-161-1/+1
|
* Make registration idempotent: if you specify the same session, make it give ↵David Baker2016-03-161-12/+48
| | | | you an access token for the user that was registered on previous uses of that session. Tweak the UI auth layer to not delete sessions when their auth has completed and hence expire themn so they don't hang around until server restart. Allow server-side data to be associated with UI auth sessions.
* Make select more sensible when dseleting access tokens, rename pusher ↵David Baker2016-03-111-1/+1
| | | | deletion to match access token deletion and make exception arg optional.
* Delete old, unused methods and rename new one to just be ↵David Baker2016-03-111-1/+1
| | | | `user_delete_access_tokens` with an `except_token_ids` argument doing what it says on the tin.
* Dear PyCharm, please indent sensibly for me. Thx.David Baker2016-03-111-2/+2
|
* Fix cache invalidation so deleting access tokens (which we did when changing ↵David Baker2016-03-111-4/+9
| | | | password) actually takes effect without HS restart. Reinstate the code to avoid logging out the session that changed the password, removed in 415c2f05491ce65a4fc34326519754cd1edd9c54
* Stop using checkpw as it seems to have vanished from bcrypt. Use ↵David Baker2016-03-021-1/+1
| | | | `bcrypt.hashpw(password, hashed) == hashed` as per the bcrypt README.
* Allow guests to upgrade their accountsDaniel Wagner-Hall2016-01-051-3/+3
|
* Take a boolean not a list of lambdasDaniel Wagner-Hall2015-11-191-1/+1
|
* Minor review fixesSteven Hammerton2015-11-111-4/+4
|
* Share more code between macaroon validationSteven Hammerton2015-11-111-48/+7
|
* Allow hs to do CAS login completely and issue the client with a login token ↵Steven Hammerton2015-11-051-3/+73
| | | | that can be redeemed for the usual successful login response
* Allow guests to register and call /events?room_id=Daniel Wagner-Hall2015-11-041-1/+4
| | | | | | | This follows the same flows-based flow as regular registration, but as the only implemented flow has no requirements, it auto-succeeds. In the future, other flows (e.g. captcha) may be required, so clients should treat this like the regular registration flow choices.
* Add config for how many bcrypt rounds to use for password hashesMark Haines2015-10-161-1/+2
| | | | | By default we leave it at the default value of 12. But now we can reduce it for preparing users for loadtests or running integration tests.
* Formatting changesSteven Hammerton2015-10-101-1/+2
|
* Provide ability to login using CASSteven Hammerton2015-10-101-0/+31
|
* Allow configuration to ignore invalid SSL certsDaniel Wagner-Hall2015-09-091-2/+1
| | | | | This will be useful for sytest, and sytest only, hence the aggressive config key name.
* Swap out bcrypt for md5 in testsDaniel Wagner-Hall2015-08-261-2/+25
| | | | This reduces our ~8 second sequential test time down to ~7 seconds
* Merge erikj/user_dedup to developDaniel Wagner-Hall2015-08-261-8/+31
|
* Fix bad mergeDaniel Wagner-Hall2015-08-201-8/+1
|
* Fix indentationDaniel Wagner-Hall2015-08-201-1/+2
|
* Fix flake8 warningsDaniel Wagner-Hall2015-08-201-4/+6
|
* Merge branch 'auth' into refreshDaniel Wagner-Hall2015-08-201-3/+3
|\ | | | | | | | | Conflicts: synapse/handlers/register.py
* | Merge branch 'develop' into refreshDaniel Wagner-Hall2015-08-201-1/+1
|\| | | | | | | | | Conflicts: synapse/rest/client/v1/login.py
| * Another use of check_password that got missed in the yield fixDavid Baker2015-08-201-1/+1
| |
* | /tokenrefresh POST endpointDaniel Wagner-Hall2015-08-201-5/+30
| | | | | | | | | | | | | | | | This allows refresh tokens to be exchanged for (access_token, refresh_token). It also starts issuing them on login, though no clients currently interpret them.
* | Move token generation to auth handlerDaniel Wagner-Hall2015-08-201-5/+24
|/ | | | | I prefer the auth handler to worry about all auth, and register to call into it as needed, than to smatter auth logic between the two.
* Remove an access token log lineErik Johnston2015-08-191-1/+1
|
* Fix regression where we incorrectly responded with a 200 to /loginErik Johnston2015-08-191-1/+2
|
* Merge password checking implementationsDaniel Wagner-Hall2015-08-121-20/+15
|
* Simplify LoginHander and AuthHandlerDaniel Wagner-Hall2015-08-121-18/+72
| | | | | | | | | * Merge LoginHandler -> AuthHandler * Add a bunch of documentation * Improve some naming * Remove unused branches I will start merging the actual logic of the two handlers shortly
* Add back in support for remembering parameters submitted to a ↵David Baker2015-07-151-2/+4
| | | | user-interactive auth call.
* Merge branch 'develop' into markjh/SYT-8-recaptchaMark Haines2015-05-291-0/+1
|\ | | | | | | | | Conflicts: synapse/handlers/auth.py
| * SYN-395: Fix CAPTCHA, don't double decode jsonErik Johnston2015-05-281-2/+3
| |
* | Add config for setting the recaptcha verify api endpoint, so we can test it ↵Mark Haines2015-05-291-3/+3
|/ | | | in sytest
* This api now no longer returns an arrayDavid Baker2015-05-011-1/+1
|
* Add commentage.David Baker2015-04-271-0/+4
|
* Use underscores instead of camelcase for id server stuffDavid Baker2015-04-241-6/+6
|
* pep8David Baker2015-04-241-2/+2
|
* Remove ultimately unused feature of saving params from the first call in the ↵David Baker2015-04-231-2/+10
| | | | session: it's probably too open to abuse.
* Password reset, finally.David Baker2015-04-171-1/+7
|
* Return user ID in use error straight awayDavid Baker2015-04-161-0/+2
|
* Dummy login so we can do the first POST request to get login flows without ↵David Baker2015-04-151-0/+6
| | | | it just succeeding
* Regstration with email in v2David Baker2015-04-151-21/+43
|
* Completely replace fallback auth for C/S V2:David Baker2015-04-011-21/+77
| | | | | | | * Now only the auth part goes to fallback, not the whole operation * Auth fallback is a normal API endpoint, not a static page * Params like the recaptcha pubkey can just live in the config Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
* pep8David Baker2015-03-311-1/+1
|
* New registration for C/S API v2. Only ReCAPTCHA working currently.David Baker2015-03-301-13/+77
|
* Implement password changing (finally) along with a start on making ↵David Baker2015-03-231-0/+109
client/server auth more general.