summary refs log tree commit diff
path: root/synapse/handlers/identity.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Call the v2 identity service `/3pid/unbind` endpoint, rather than v1. (#13240)Jacek Kuśnierz2022-07-131-2/+2
| | | | | | | | | | | * Drop support for v1 unbind Signed-off-by: Jacek Kusnierz <jacek.kusnierz@tum.de> * Add changelog Signed-off-by: Jacek Kusnierz <jacek.kusnierz@tum.de> * Update changelog.d/13240.misc
* Drop support for calling `/_matrix/client/v3/account/3pid/bind` without an ↵Jacek Kuśnierz2022-07-121-24/+6
| | | | | | | `id_access_token` (#13239) Fixes #13201 Signed-off-by: Jacek Kusnierz jacek.kusnierz@tum.de
* Drop support for delegating email validation (#13192)Richard van der Hoff2022-07-121-55/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Drop support for delegating email validation Delegating email validation to an IS is insecure (since it allows the owner of the IS to do a password reset on your HS), and has long been deprecated. It will now cause a config error at startup. * Update unit test which checks for email verification Give it an `email` config instead of a threepid delegate * Remove unused method `requestEmailToken` * Simplify config handling for email verification Rather than an enum and a boolean, all we need here is a single bool, which says whether we are or are not doing email verification. * update docs * changelog * upgrade.md: fix typo * update version number this will be in 1.64, not 1.63 * update version number this one too
* Use `getClientAddress` instead of `getClientIP`. (#12599)Patrick Cloke2022-05-041-1/+1
| | | | | getClientIP was deprecated in Twisted 18.4.0, which also added getClientAddress. The Synapse minimum version for Twisted is currently 18.9.0, so all supported versions have the new API.
* Remove support for the unstable identifier from MSC3288. (#12398)Patrick Cloke2022-04-061-2/+0
|
* Remove `HomeServer.get_datastore()` (#12031)Richard van der Hoff2022-02-231-1/+1
| | | | | | | The presence of this method was confusing, and mostly present for backwards compatibility. Let's get rid of it. Part of #11733
* Remove legacy code related to deprecated ↵Shay2021-11-181-18/+0
| | | | | | | | | | | | | | | | | | | | | `trust_identity_server_for_password_resets` config flag (#11333) * remove code legacy code related to deprecated config flag "trust_identity_server_for_password_resets" from synapse/config/emailconfig.py * remove legacy code supporting depreciated config flag "trust_identity_server_for_password_resets" from synapse/config/registration.py * remove legacy code supporting depreciated config flag "trust_identity_server_for_password_resets" from synapse/handlers/identity.py * add tests to ensure config error is thrown and synapse refuses to start when depreciated config flag is found * add changelog * slightly change behavior to only check for deprecated flag if set to 'true' * Update changelog.d/11333.misc Co-authored-by: reivilibre <oliverw@matrix.org> Co-authored-by: reivilibre <oliverw@matrix.org>
* Default value for `public_baseurl` (#11210)Richard van der Hoff2021-11-081-4/+0
| | | | | We might as well use a default value for `public_baseurl` based on `server_name` - in many cases, it will be correct.
* Include the stable identifier for MSC3288. (#11187)Patrick Cloke2021-10-271-0/+2
| | | | | Includes both the stable and unstable identifier to store-invite calls to the identity server. In the future we should remove the unstable identifier.
* Consider IP whitelist for identity server resolution (#11120)Robert Edström2021-10-201-1/+3
| | | Signed-off-by: Robert Edström <github@legogris.se>
* Remove the deprecated BaseHandler. (#11005)Patrick Cloke2021-10-081-5/+2
| | | | | | | | The shared ratelimit function was replaced with a dedicated RequestRatelimiter class (accessible from the HomeServer object). Other properties were copied to each sub-class that inherited from BaseHandler.
* Use direct references for configuration variables (part 7). (#10959)Patrick Cloke2021-10-041-3/+10
|
* Use direct references for configuration variables (part 6). (#10916)Patrick Cloke2021-09-291-1/+1
|
* Use direct references for some configuration variables (part 3) (#10885)Patrick Cloke2021-09-231-6/+6
| | | | | | | | This avoids the overhead of searching through the various configuration classes by directly referencing the class that the attributes are in. It also improves type hints since mypy can now resolve the types of the configuration variables.
* Use direct references for some configuration variables (#10798)Patrick Cloke2021-09-131-2/+2
| | | | Instead of proxying through the magic getter of the RootConfig object. This should be more performant (and is more explicit).
* Send unstable-prefixed room_type in store-invite IS API requests (#10435)Michael Telatynski2021-08-041-0/+6
| | | | | | | | The room type is per MSC3288 to allow the identity-server to change invitation wording based on whether the invitation is to a room or a space. The prefixed key will be replaced once MSC3288 is accepted into the spec.
* [pyupgrade] `synapse/` (#10348)Jonathan de Jong2021-07-191-2/+2
| | | | | | | | | This PR is tantamount to running ``` pyupgrade --py36-plus --keep-percent-format `find synapse/ -type f -name "*.py"` ``` Part of #9744
* Add missing type hints to handlers and fix a Spam Checker type hint. (#9896)Patrick Cloke2021-04-291-3/+6
| | | | | The user_may_create_room_alias method on spam checkers declared the room_alias parameter as a str when in reality it is passed a RoomAlias object.
* Sanity check identity server passed to bind/unbind. (#9802)Denis Kasak2021-04-191-3/+26
| | | | Signed-off-by: Denis Kasak <dkasak@termina.org.uk>
* Remove redundant "coding: utf-8" lines (#9786)Jonathan de Jong2021-04-141-1/+0
| | | | | | | Part of #9744 Removes all redundant `# -*- coding: utf-8 -*-` lines from files, as python 3 automatically reads source code as utf-8 now. `Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>`
* Make RateLimiter class check for ratelimit overrides (#9711)Erik Johnston2021-03-301-3/+9
| | | | | | | This should fix a class of bug where we forget to check if e.g. the appservice shouldn't be ratelimited. We also check the `ratelimit_override` table to check if the user has ratelimiting disabled. That table is really only meant to override the event sender ratelimiting, so we don't use any values from it (as they might not make sense for different rate limits), but we do infer that if ratelimiting is disabled for the user we should disabled all ratelimits. Fixes #9663
* Update black, and run auto formatting over the codebase (#9381)Eric Eastwood2021-02-161-1/+4
| | | | | | | - Update black version to the latest - Run black auto formatting over the codebase - Run autoformatting according to [`docs/code_style.md `](https://github.com/matrix-org/synapse/blob/80d6dc9783aa80886a133756028984dbf8920168/docs/code_style.md) - Update `code_style.md` docs around installing black to use the correct version
* Backout changes for automatically calculating the public baseurl. (#9313)Patrick Cloke2021-02-111-0/+4
| | | | This breaks some people's configurations (if their Client-Server API is not accessed via port 443).
* Ratelimit 3PID /requestToken API (#9238)Erik Johnston2021-01-281-0/+28
|
* Give `public_baseurl` a default value (#9159)Richard van der Hoff2021-01-201-2/+0
|
* Send the location of the web client to the IS when inviting via 3PIDs. (#8930)Patrick Cloke2020-12-181-0/+5
| | | | Adds a new setting `email.invite_client_location` which, if defined, is passed to the identity server during invites.
* Apply an IP range blacklist to push and key revocation requests. (#8821)Patrick Cloke2020-12-021-3/+3
| | | | | | | | | | | | Replaces the `federation_ip_range_blacklist` configuration setting with an `ip_range_blacklist` setting with wider scope. It now applies to: * Federation * Identity servers * Push notifications * Checking key validitity for third-party invite events The old `federation_ip_range_blacklist` setting is still honored if present, but with reduced scope (it only applies to federation and identity servers).
* Simplify the way the `HomeServer` object caches its internal attributes. ↵Jonathan de Jong2020-11-301-1/+2
| | | | | (#8565) Changes `@cache_in_self` to use underscore-prefixed attributes.
* Fix handling of connection timeouts in outgoing http requests (#8400)Richard van der Hoff2020-09-291-13/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Remove `on_timeout_cancel` from `timeout_deferred` The `on_timeout_cancel` param to `timeout_deferred` wasn't always called on a timeout (in particular if the canceller raised an exception), so it was unreliable. It was also only used in one place, and to be honest it's easier to do what it does a different way. * Fix handling of connection timeouts in outgoing http requests Turns out that if we get a timeout during connection, then a different exception is raised, which wasn't always handled correctly. To fix it, catch the exception in SimpleHttpClient and turn it into a RequestTimedOutError (which is already a documented exception). Also add a description to RequestTimedOutError so that we can see which stage it failed at. * Fix incorrect handling of timeouts reading federation responses This was trapping the wrong sort of TimeoutError, so was never being hit. The effect was relatively minor, but we should fix this so that it does the expected thing. * Fix inconsistent handling of `timeout` param between methods `get_json`, `put_json` and `delete_json` were applying a different timeout to the response body to `post_json`; bring them in line and test. Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com> Co-authored-by: Erik Johnston <erik@matrix.org>
* Simplify super() calls to Python 3 syntax. (#8344)Patrick Cloke2020-09-181-1/+1
| | | | | | | This converts calls like super(Foo, self) -> super(). Generated with: sed -i "" -Ee 's/super\([^\(]+\)/super()/g' **/*.py
* Be stricter about JSON that is accepted by Synapse (#8106)Patrick Cloke2020-08-191-3/+2
|
* Remove signature check on v1 identity server lookups (#8001)Andrew Morgan2020-08-031-31/+3
| | | | | | | We've [decided](https://github.com/matrix-org/synapse/issues/5253#issuecomment-665976308) to remove the signature check for v1 lookups. The signature check has been removed in v2 lookups. v1 lookups are currently deprecated. As mentioned in the above linked issue, this verification was causing deployments for the vector.im and matrix.org IS deployments, and this change is the simplest solution, without being unjustified. Implementations are encouraged to use the v2 lookup API as it has [increased privacy benefits](https://github.com/matrix-org/matrix-doc/pull/2134).
* Fix up types and comments that refer to Deferreds. (#7945)Patrick Cloke2020-07-241-126/+145
|
* Stop passing bytes when dumping JSON (#7799)Patrick Cloke2020-07-081-2/+2
|
* Convert identity handler to async/await. (#7561)Patrick Cloke2020-05-261-55/+39
|
* Convert sending mail to async/await. (#7557)Erik Johnston2020-05-221-5/+4
| | | | Mainly because sometimes the email push code raises exceptions where the stack traces have gotten lost, which is hopefully fixed by this.
* import urllib.parse when using urllib.parse.quote (#7319)Andrew Morgan2020-04-221-1/+1
|
* Validate client_secret parameter (#6767)Andrew Morgan2020-01-241-1/+3
|
* Remove usage of deprecated logger.warn method from codebase (#6271)Andrew Morgan2019-10-311-3/+3
| | | Replace every instance of `logger.warn` with `logger.warning` as the former is deprecated.
* Move lookup-related functions from RoomMemberHandler to IdentityHandler (#5978)Andrew Morgan2019-09-271-0/+353
| | | Just to have all the methods that make calls to identity services in one place.
* Add sid to next_link for email validation (#6097)J. Ryan Stinnett2019-09-241-0/+10
|
* Add submit_url response parameter to msisdn /requestToken (#6079)Andrew Morgan2019-09-231-1/+11
| | | | | | Second part of solving #6076 Fixes #6076 We return a submit_url parameter on calls to POST */msisdn/requestToken so that clients know where to submit token information to.
* Use the federation blacklist for requests to untrusted Identity Servers (#6000)Andrew Morgan2019-09-231-3/+15
| | | | | Uses a SimpleHttpClient instance equipped with the federation_ip_range_blacklist list for requests to identity servers provided by user input. Does not use a blacklist when contacting identity servers specified by account_threepid_delegates. The homeserver trusts the latter and we don't want to prevent homeserver admins from specifying delegates that are on internal IP addresses. Fixes #5935
* Add POST submit_token endpoint for MSISDN (#6078)Andrew Morgan2019-09-231-0/+34
| | | First part of solving #6076
* Implement MSC2290 (#6043)Andrew Morgan2019-09-231-51/+83
| | | | | | | Implements MSC2290. This PR adds two new endpoints, /unstable/account/3pid/add and /unstable/account/3pid/bind. Depending on the progress of that MSC the unstable prefix may go away. This PR also removes the blacklist on some 3PID tests which occurs in #6042, as the corresponding Sytest PR changes them to use the new endpoints. Finally, it also modifies the account deactivation code such that it doesn't just try to deactivate 3PIDs that were bound to the user's account, but any 3PIDs that were bound through the homeserver on that user's account.
* Return timeout error to user for identity server calls (#6073)Andrew Morgan2019-09-231-2/+14
|
* Allow HS to send emails when adding an email to the HS (#6042)Andrew Morgan2019-09-201-14/+3
|
* Use the v2 Identity Service API for lookups (MSC2134 + MSC2140) (#5976)Andrew Morgan2019-09-111-22/+34
| | | | | | | This is a redo of https://github.com/matrix-org/synapse/pull/5897 but with `id_access_token` accepted. Implements [MSC2134](https://github.com/matrix-org/matrix-doc/pull/2134) plus Identity Service v2 authentication ala [MSC2140](https://github.com/matrix-org/matrix-doc/pull/2140). Identity lookup-related functions were also moved from `RoomMemberHandler` to `IdentityHandler`.
* Fix existing v2 identity server calls (MSC2140) (#6013)Andrew Morgan2019-09-111-2/+26
| | | | | | | | | | | | Two things I missed while implementing [MSC2140](https://github.com/matrix-org/matrix-doc/pull/2140/files#diff-c03a26de5ac40fb532de19cb7fc2aaf7R80). 1. Access tokens should be provided to the identity server as `access_token`, not `id_access_token`, even though the homeserver may accept the tokens as `id_access_token`. 2. Access tokens must be sent to the identity server in a query parameter, the JSON body is not allowed. We now send the access token as part of an `Authorization: ...` header, which fixes both things. The breaking code was added in https://github.com/matrix-org/synapse/pull/5892 Sytest PR: https://github.com/matrix-org/sytest/pull/697
* Merge pull request #6011 from matrix-org/anoa/fix_3pid_validationErik Johnston2019-09-101-40/+33
|\ | | | | Use account_threepid_delegate for 3pid validation
| * Add changelogAndrew Morgan2019-09-101-3/+3
| |
| * Use account_threepid_delegate for 3pid validationAndrew Morgan2019-09-101-40/+33
| |
* | Ensure a sid parameter is passed to bind_threepid (#5995)Andrew Morgan2019-09-061-1/+7
|/ | | `sid` is required to be part of `three_pid_creds`. We were 500'ing if it wasn't provided instead of returning `M_MISSING_PARAM`.
* Allow Synapse to send registration emails + choose Synapse or an external ↵Andrew Morgan2019-09-061-42/+136
| | | | | | | | | | | | | | | | server to handle 3pid validation (#5987) This is a combination of a few different PRs, finally all being merged into `develop`: * #5875 * #5876 * #5868 (This one added the `/versions` flag but the flag itself was actually [backed out](https://github.com/matrix-org/synapse/commit/891afb57cbdf9867f2848341b29c75d6f35eef5a#diff-e591d42d30690ffb79f63bb726200891) in #5969. What's left is just giving /versions access to the config file, which could be useful in the future) * #5835 * #5969 * #5940 Clients should not actually use the new registration functionality until https://github.com/matrix-org/synapse/pull/5972 is merged. UPGRADE.rst, changelog entries and config file changes should all be reviewed closely before this PR is merged.
* Switch to using v2 Identity Service APIs other than lookup (MSC 2140) (#5892)Andrew Morgan2019-09-051-41/+119
|
* Add POST /_matrix/client/r0/account/3pid/unbind (MSC2140) (#5980)Andrew Morgan2019-09-051-1/+2
| | | Implements `POST /_matrix/client/r0/account/3pid/unbind` from [MSC2140](https://github.com/matrix-org/matrix-doc/blob/dbkr/tos_2/proposals/2140-terms-of-service-2.md#post-_matrixclientr0account3pidunbind).
* Revert "Use the v2 lookup API for 3PID invites (#5897)" (#5937)Andrew Morgan2019-08-301-13/+0
| | | | | This reverts commit 71fc04069a5770a204c3514e0237d7374df257a8. This broke 3PID invites as #5892 was required for it to work correctly.
* Use the v2 lookup API for 3PID invites (#5897)Andrew Morgan2019-08-281-0/+13
| | | | | | | Fixes https://github.com/matrix-org/synapse/issues/5861 Adds support for the v2 lookup API as defined in [MSC2134](https://github.com/matrix-org/matrix-doc/pull/2134). Currently this is only used for 3PID invites. Sytest PR: https://github.com/matrix-org/sytest/pull/679
* Replace returnValue with return (#5736)Amber Brown2019-07-231-9/+9
|
* TypoBrendan Abolivier2019-07-101-1/+1
|
* Send 3PID bind requests as JSON dataBrendan Abolivier2019-07-101-1/+1
|
* Run Black. (#5482)Amber Brown2019-06-201-82/+50
|
* Add ability to perform password reset via email without trusting the ↵Andrew Morgan2019-06-061-2/+11
| | | | | | | | | | | | identity server (#5377) Sends password reset emails from the homeserver instead of proxying to the identity server. This is now the default behaviour for security reasons. If you wish to continue proxying password reset requests to the identity server you must now enable the email.trust_identity_server_for_password_resets option. This PR is a culmination of 3 smaller PRs which have each been separately reviewed: * #5308 * #5345 * #5368
* Remove threepid binding if id server returns 400/404/501Erik Johnston2019-04-021-9/+10
|
* Fixup docstringsErik Johnston2019-04-021-2/+4
|
* Allowing specifying IS to use in unbind API.Erik Johnston2019-04-011-5/+8
| | | | | | | | | | By default the homeserver will use the identity server used during the binding of the 3PID to unbind the 3PID. However, we need to allow clients to explicitly ask the homeserver to unbind via a particular identity server, for the case where the 3PID was bound out of band from the homeserver. Implements MSC915.
* For unbind poke IS used during binding of 3PIDErik Johnston2019-04-011-9/+35
| | | | | | | | This changes the behaviour from using the server specified trusted identity server to using the IS that used during the binding of the 3PID, if known. This is the behaviour specified by MSC1915.
* Track IS used to bind 3PIDsErik Johnston2019-04-011-0/+15
| | | | | This will then be used to know which IS to default to when unbinding the threepid.
* sign_request -> build_auth_headers (#4408)Richard van der Hoff2019-01-171-3/+6
| | | | | Just got very confused about the fact that the headers are only an output, not an input.
* Log when we 3pid/unbind request failsErik Johnston2018-08-091-0/+2
|
* Don't fail requests to unbind 3pids for non supporting ID serversErik Johnston2018-08-081-9/+21
| | | | | | | | | | Older identity servers may not support the unbind 3pid request, so we shouldn't fail the requests if we received one of 400/404/501. The request still fails if we receive e.g. 500 responses, allowing clients to retry requests on transient identity server errors that otherwise do support the API. Fixes #3661
* Kill off MatrixCodeMessageExceptionRichard van der Hoff2018-08-011-17/+8
| | | | | | | | | | | This code brings the SimpleHttpClient into line with the MatrixFederationHttpClient by having it raise HttpResponseExceptions when a request fails (rather than trying to parse for matrix errors and maybe raising MatrixCodeMessageException). Then, whenever we were checking for MatrixCodeMessageException and turning them into SynapseErrors, we now need to check for HttpResponseExceptions and call to_synapse_error.
* run isortAmber Brown2018-07-091-2/+5
|
* Attempt to be more performant on PyPy (#3462)Amber Brown2018-06-281-1/+1
|
* Remove run_on_reactor (#3395)Amber Brown2018-06-141-8/+0
|
* doc fixesDavid Baker2018-06-051-1/+1
|
* docstringDavid Baker2018-06-041-1/+9
|
* pep8David Baker2018-05-241-3/+4
|
* commentDavid Baker2018-05-241-0/+4
|
* Hit the 3pid unbind endpoint on deactivationDavid Baker2018-05-231-0/+35
|
* Use simplejson throughoutRichard van der Hoff2018-03-291-3/+5
| | | | Let's use simplejson rather than json, for consistency.
* Revert accidental commitDavid Baker2017-04-261-4/+4
|
* Use CodeMessageException subclass insteadDavid Baker2017-04-251-10/+19
| | | | | Parse json errors from get_json client methods and throw special errors.
* Propagate errors sensibly from proxied IS requestsDavid Baker2017-04-211-5/+5
| | | | | | When we're proxying Matrix endpoints, parse out Matrix error responses and turn them into SynapseErrors so they can be propagated sensibly upstream.
* Support registration / login with phone numberDavid Baker2017-03-131-1/+36
| | | | Changes from https://github.com/matrix-org/synapse/pull/1971
* Revert "Support registration & login with phone number"Erik Johnston2017-03-131-36/+1
|
* WIP support for msisdn 3pid proxy methodsDavid Baker2017-02-141-1/+36
|
* requestToken updateDavid Baker2016-06-301-14/+27
| | | | | | Don't send requestToken request to untrusted ID servers Also correct the THREEPID_IN_USE error to add the M_ prefix. This is a backwards incomaptible change, but the only thing using this is the angular client which is now unmaintained, so it's probably better to just do this now.
* Add missing param to the log lineMark Haines2016-01-291-1/+2
|
* Add config option for setting the trusted id servers, disabling checking the ↵Mark Haines2016-01-291-8/+17
| | | | ID server in integration tests
* copyrightsMatthew Hodgson2016-01-071-1/+1
|
* Reuse a single http client, rather than creating new onesMark Haines2015-12-021-9/+5
|
* Add endpoint that proxies ID server request token and errors if the given ↵David Baker2015-08-041-0/+25
| | | | email is in use on this Home Server.
* Add vector.im as trusted ID serverDavid Baker2015-08-031-1/+1
|
* Accept camelcase + underscores in binding tooDavid Baker2015-04-291-2/+17
|
* Fix includesDavid Baker2015-04-291-1/+2
|
* Accept both camelcase and underscore threepid creds for transitionDavid Baker2015-04-291-4/+19
|
* Change to https for ID server communicationDavid Baker2015-04-241-3/+2
|
* Use underscores instead of camelcase for id server stuffDavid Baker2015-04-241-6/+6
|
* pep8David Baker2015-04-171-3/+3
|
* Return user ID in use error straight awayDavid Baker2015-04-161-1/+24
|
* Dummy login so we can do the first POST request to get login flows without ↵David Baker2015-04-151-3/+3
| | | | it just succeeding
* Regstration with email in v2David Baker2015-04-151-0/+66