Only do `rc_login` ratelimiting on successful login.
Co-Authored-By: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Co-Authored-By: Brendan Abolivier <babolivier@matrix.org>
We were doing this in a number of places which meant that some login
code paths incremented the counter multiple times.
It was also applying ratelimiting to UIA endpoints, which was probably
not intentional.
In particular, some custom auth modules were calling
`check_user_exists`, which incremented the counters, meaning that people
would fail to login sometimes.
Replace every instance of `logger.warn` with `logger.warning` as the former is deprecated.
If email or msisdn verification aren't supported, let's stop advertising them
for registration.
Fixes #6100.
Pull the checkers out to their own classes, rather than having them lost in a
massive 1000-line class which does everything.
This is also preparation for some more intelligent advertising of flows, as per #6100
server to handle 3pid validation (#5987)
This is a combination of a few different PRs, finally all being merged into `develop`:
* #5875
* #5876
* #5868 (This one added the `/versions` flag but the flag itself was actually [backed out](https://github.com/matrix-org/synapse/commit/891afb57cbdf9867f2848341b29c75d6f35eef5a#diff-e591d42d30690ffb79f63bb726200891) in #5969. What's left is just giving /versions access to the config file, which could be useful in the future)
* #5835
* #5969
* #5940
Clients should not actually use the new registration functionality until https://github.com/matrix-org/synapse/pull/5972 is merged.
UPGRADE.rst, changelog entries and config file changes should all be reviewed closely before this PR is merged.
Python will return a tuple whether there are parentheses around the returned values or not.
I'm just sick of my editor complaining about this all over the place :)
The `expire_access_token` didn't do what it sounded like it should do. What it
actually did was make Synapse enforce the 'time' caveat on macaroons used as
access tokens, but since our access token macaroons never contained such a
caveat, it was always a no-op.
(The code to add 'time' caveats was removed back in v0.18.5, in #1656)
(#5674)
Return `This account has been deactivated` instead of `Invalid password` when a user is deactivated.
Record how long an access token is valid for, and raise a soft-logout once it
expires.
this is only used in one place, so it's clearer if we inline it and reduce the
API surface.
Also, fixes a buglet where we would create an access token even if we were
about to block the user (we would never return the AT, so the user could never
use it, but it was still created and added to the db.)
Signed-off-by: Daniel Hoffend <dh@dotlan.net>
identity server (#5377)
Sends password reset emails from the homeserver instead of proxying to the identity server. This is now the default behaviour for security reasons. If you wish to continue proxying password reset requests to the identity server you must now enable the email.trust_identity_server_for_password_resets option.
This PR is a culmination of 3 smaller PRs which have each been separately reviewed:
* #5308
* #5345
* #5368
By default the homeserver will use the identity server used during the
binding of the 3PID to unbind the 3PID. However, we need to allow
clients to explicitly ask the homeserver to unbind via a particular
identity server, for the case where the 3PID was bound out of band from
the homeserver.
Implements MSC915.
Adds a new method, check_3pid_auth, which gives password providers
the chance to allow authentication with third-party identifiers such
as email or msisdn.
Add two ratelimiters on login (per-IP address and per-userID).
This is mostly factoring out the post-CAS-login code to somewhere we can reuse
it for other SSO flows, but it also fixes the userid mapping while we're at it.
So people can still collect consent the old way if they want to.
Wrap calls to deferToThread() in a thing which uses a child logcontext to
attribute CPU usage to the right request.
While we're in the area, remove the logcontext_tracer stuff, which is never
used, and afaik doesn't work.
Fixes #4064
This also means that the template now has optional parameters, which will need to be documented somehow.
As per https://github.com/matrix-org/matrix-doc/pull/1692
As per https://github.com/vector-im/riot-web/issues/7168#issuecomment-419996117
neilj/fix_off_by_1+maus
Don't fail requests to unbind 3pids for non supporting ID servers
Older identity servers may not support the unbind 3pid request, so we
shouldn't fail the requests if we received one of 400/404/501. The
request still fails if we receive e.g. 500 responses, allowing clients
to retry requests on transient identity server errors that otherwise do
support the API.
Fixes #3661
Initial impl of capping MAU
Remove email addresses / phone numbers from ID servers when they're removed from synapse
they're not meant to be lazy (#3307)
In bcrypt 3.1.0, checkpw got introduced (already 2 years ago).
This makes use of that, with the enhancements which might get introduced
by that.
Signed-off-by: Matthias Kesler <krombel@krombel.de>
Do bcrypt hashing in a background thread
Wire the custom login type support from password providers into the UI-auth
user-validation flows.
Collect together all the places that validate a logged-in user via UI auth.
Instead of returning False when auth is incomplete, throw an exception which
can be caught with a wrapper.
Non-functional refactoring to move set_password. This means that we'll be able
to properly deactivate devices and access tokens without introducing a
dependency loop.
Non-functional refactoring to move deactivate_account. This means that we'll be
able to properly deactivate devices and access tokens without introducing a
dependency loop.
Whenever an access token is invalidated, we should remove the associated
pushers.
We're going to need to use this from places that aren't password auth, so let's
move it to a proper class.
Notify auth providers on logout
Provide a hook by which auth providers can be notified of logouts.
Allow password_auth_providers to return a callback
this got broken in the previous commit
... so that they have a way to record access tokens.
Let auth providers get to the database
Somewhat open to abuse, but also somewhat unavoidable :/
Let password auth providers handle arbitrary login types
Provide a hook where password auth providers can say they know about other
login types, and get passed the relevant parameters
rav/refactor_accesstoken_delete
I'm going to need to make the device_handler depend on the auth_handler, so I
need to break this dependency to avoid a cycle.
It turns out that the auth_handler was only using the device_handler in one
place which was an edge case which we can more elegantly handle by throwing an
error rather than fixing it up.
Also move duplicated deactivation code into the auth handler.
I want to add some hooks when we deactivate an access token, so let's bring it
all in here so that there's somewhere to put it.
I'm going to need some more flexibility in handling login types in password
auth providers, so as a first step, move some stuff from LoginRestServlet into
AuthHandler.
In particular, we pass everything other than SAML, JWT and token logins down to
the AuthHandler, which now has responsibility for checking the login type and
fishing the password out of the login dictionary, as well as qualifying the
user_id if need be. Ideally SAML, JWT and token would go that way too, but
there's no real need for it right now and I'm trying to minimise impact.
This commit *should* be non-functional.
It just calls the constructor, so we may as well kill it rather than having
random codepaths.
This is because pruning them was a significant performance drain on
matrix.org
Changes from https://github.com/matrix-org/synapse/pull/1971
Plus a couple of other minor fixes
defer.returnValue doth not maketh a generator: it would need a
yield to be a generator, and this doesn't need a yield.
This was broken when device list updates were implemented, as Mailer
could no longer instantiate an AuthHandler due to a dependency on
federation sending.
Also fix a typo in a comment
https://github.com/vector-im/riot-web/issues/2658
Log the args that we have on UI auth completion
This will be super helpful for debugging if we have more
registration woes.
We might as well treat all refresh_tokens as invalid. Just return a 403 from
/tokenrefresh, so that we don't have a load of dead, untestable code hanging
around.
Still TODO: removing the table from the schema.
The 'time' caveat on the access tokens was something of a lie, since we weren't
enforcing it; more pertinently its presence stops us ever adding useful time
caveats.
Let's move in the right direction by not lying in our caveats.
Since we're not doing refresh tokens any more, we should start killing off the
dead code paths. /tokenrefresh itself is a bit of a thornier subject, since
there might be apps out there using it, but we can at least not generate
refresh tokens on new logins.
And db migration sql to convert existing addresses.
Implement pluggable password auth
Allows delegating the password auth to an external module. This also
moves the LDAP auth to using this system, allowing it to be removed from
the synapse tree entirely in the future.
5d9546f9 introduced a change to synapse behaviour, in that failures in the
interactive-auth process would return the flows and params data as well as an
error code (as specced in https://github.com/matrix-org/matrix-doc/pull/397).
That change exposed a bug in Riot which would make it request a new validation
token (and send a new email) each time it got a 401 with a `flows` parameter
(see https://github.com/vector-im/vector-web/issues/2447 and the fix at
https://github.com/matrix-org/matrix-react-sdk/pull/510).
To preserve compatibility with broken versions of Riot, grandfather in the old
behaviour for the email validation stage.
Interactive Auth: Return 401 for incorrect password
This requires a bit of fettling, because I want to return a helpful error
message too but we don't want to distinguish between unknown user and invalid
password. To avoid hardcoding the error message into 15 places in the code,
I've had to refactor a few methods to return None instead of throwing.
Fixes https://matrix.org/jira/browse/SYN-744
- properly parse return values of ldap bind() calls
- externalize authentication methods
- change control flow to be more error-resilient
- unbind ldap connections in many places
- improve log messages and loglevels
slaves.
The name 'result' is of bool type and has no len property,
resulting in a TypeError. Furthermore, in the flow control
conn.response is observed and hence should be reported.
Signed-off-by: Daniel Ehlers <sargon@toppoint.de>
In case one does not define bind_dn in the ldap configuration, the filter
attribute is not declared. Since the auth code only uses the ldap_filter attribute
when the corresponding LDAP mode is selected, it is safe to only declare the
attribute in that case.
Signed-off-by: Daniel Ehlers <sargon@toppoint.de>
login with token (as used by CAS auth) was broken by 067596d, such that it
always returned a 401.
This could be useful information to have in the logs. Also comment about how & why we don't verify the hostname.
Add some type annotations to help PyCharm (in particular) to figure out the
types of a bunch of things.
Add a 'devices' table to the storage, as well as a 'device_id' column to
refresh_tokens.
Allow the client to pass a device_id, and initial_device_display_name, to
/login. If login is successful, then register the device in the devices table
if it wasn't known already. If no device_id was supplied, make one up.
Associate the device_id with the access token and refresh token, so that we can
get at it again later. Ensure that the device_id is copied from the refresh
token to the access_token when the token is refreshed.
Make sure that we have the canonical user_id *before* calling
get_login_tuple_for_user_id.
Replace login_with_password with a method which just validates the password,
and have the caller call get_login_tuple_for_user_id. This brings the password
flow into line with the other flows, and will give us a place to register the
device_id if necessary.
Signed-off-by: Kent Shikama <kent@kentshikama.com>
Use the pure-python ldap3 library, which eliminates the need for a
system dependency.
Offer both a `search` and `simple_bind` mode, for more sophisticated
ldap scenarios.
- `search` tries to find a matching DN within the `user_base` while
employing the `user_filter`, then tries the bind when a single
matching DN was found.
- `simple_bind` tries the bind against a specific DN by combining the
localpart and `user_base`
Offer support for STARTTLS on a plain connection.
The configuration was changed to reflect these new possibilities.
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
- At the very least, this TypeError caused logins to fail on my own
running instance of Synapse, and the simple (explicit) UTF-8
conversion resolved login errors for me.
Signed-off-by: Salvatore LaMendola <salvatore.lamendola@gmail.com>
Were it not for the fact that you can't use the base handler in the pusher because it pulls in the world. Committing while I fix that on a different branch.
Create user with expiry
- Add unittests for client, api and handler
Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
_check_local_password (#730)
Fixes SYN-680
pycharm supports them so there is no need to use the other format.
Might as well convert the existing strings to reduce the risk of
people accidentally cargo culting the wrong doc string format.
a username.
you an access token for the user that was registered on previous uses of that session. Tweak the UI auth layer to not delete sessions when their auth has completed and hence expire them so they don't hang around until server restart. Allow server-side data to be associated with UI auth sessions.
deletion to match access token deletion and make exception arg optional.
`user_delete_access_tokens` with an `except_token_ids` argument doing what it says on the tin.
password) actually takes effect without HS restart. Reinstate the code to avoid logging out the session that changed the password, removed in 415c2f05491ce65a4fc34326519754cd1edd9c54
`bcrypt.hashpw(password, hashed) == hashed` as per the bcrypt README.
that can be redeemed for the usual successful login response
This follows the same flows-based flow as regular registration, but as
the only implemented flow has no requirements, it auto-succeeds. In the
future, other flows (e.g. captcha) may be required, so clients should
treat this like the regular registration flow choices.
By default we leave it at the default value of 12. But now we can reduce
it for preparing users for loadtests or running integration tests.
This will be useful for sytest, and sytest only, hence the aggressive
config key name.
This reduces our ~8 second sequential test time down to ~7 seconds
Conflicts:
synapse/handlers/register.py
Conflicts:
synapse/rest/client/v1/login.py
This allows refresh tokens to be exchanged for (access_token,
refresh_token).
It also starts issuing them on login, though no clients currently
interpret them.
I prefer the auth handler to worry about all auth, and register to call
into it as needed, than to smatter auth logic between the two.
* Merge LoginHandler -> AuthHandler
* Add a bunch of documentation
* Improve some naming
* Remove unused branches
I will start merging the actual logic of the two handlers shortly
user-interactive auth call.
Conflicts:
synapse/handlers/auth.py
in sytest
session: it's probably too open to abuse.
it just succeeding
* Now only the auth part goes to fallback, not the whole operation
* Auth fallback is a normal API endpoint, not a static page
* Params like the recaptcha pubkey can just live in the config
Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
client/server auth more general.