| Commit message (Collapse) | Author | Age | Files | Lines |
Co-Authored-By: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Co-Authored-By: Brendan Abolivier <babolivier@matrix.org>
We were doing this in a number of places which meant that some login
code paths incremented the counter multiple times.
It was also applying ratelimiting to UIA endpoints, which was probably
not intentional.
In particular, some custom auth modules were calling
`check_user_exists`, which incremented the counters, meaning that people
would fail to login sometimes.
The `http_proxy` and `HTTPS_PROXY` env vars can be set to a `host[:port]` value which should point to a proxy.
The address of the proxy should be excluded from IP blacklists such as the `url_preview_ip_range_blacklist`.
The proxy will then be used for
* push
* url previews
* phone-home stats
* recaptcha validation
* CAS auth validation
It will *not* be used for:
* Application Services
* Identity servers
* Outbound federation
* In worker configurations, connections from workers to masters
Fixes #4198.
* update version of black and also fix the mypy config being overridden
Replace every instance of `logger.warn` with `logger.warning` as the former is deprecated.
Now, the CAS server can return an attribute stating the desired displayname, instead of using the username directly.
Python will return a tuple whether there are parentheses around the returned values or not.
I'm just sick of my editor complaining about this all over the place :)
We want to assign unique mxids to saml users based on an incrementing
suffix. For that to work, we need to record the allocated mxid in a separate
table.
Nothing uses this now, so we can remove the dead code, and clean up the
API.
Since we're changing the shape of the return value anyway, we take the
opportunity to give the method a better name.
* Factor out some redundant code in the login impl
Also fixes a redundant access_token which was generated during jwt login.
* changelog
* SAML2 Improvements and redirect stuff
Signed-off-by: Alexander Trost <galexrt@googlemail.com>
* Code cleanups and simplifications.
Also: share the saml client between redirect and response handlers.
* changelog
* Revert redundant changes to static js
* Move all the saml stuff out to a centralised handler
* Add support for tracking SAML2 sessions.
This allows us to correctly handle `allow_unsolicited: False`.
* update sample config
* cleanups
* update sample config
* rename BaseSSORedirectServlet for consistency
* Address review comments
Also: share the saml client between redirect and response handlers.
Signed-off-by: Alexander Trost <galexrt@googlemail.com>
Signed-off-by: Pau Rodriguez-Estivill <prodrigestivill@gmail.com>
* Fix JWT login with register
Signed-off-by: Pau Rodriguez-Estivill <prodrigestivill@gmail.com>
* Add pyjwt conditional dependency
Signed-off-by: Pau Rodriguez-Estivill <prodrigestivill@gmail.com>
* Added changelog file
Signed-off-by: Pau Rodriguez-Estivill <prodrigestivill@gmail.com>
* Improved changelog description
Signed-off-by: Pau Rodriguez-Estivill <prodrigestivill@gmail.com>
Adds a new method, check_3pid_auth, which gives password providers
the chance to allow authentication with third-party identifiers such
as email or msisdn.
Add two ratelimiters on login (per-IP address and per-userID).
* Move RegistrationHandler init to HomeServer
* Move post registration actions to RegistrationHandler
* Add post registration replication endpoint
* Newsfile
... as per MSC1730.
When we register a new user from SAML2 data, initialise their displayname
correctly.
This is mostly factoring out the post-CAS-login code to somewhere we can reuse
it for other SSO flows, but it also fixes the userid mapping while we're at it.
* Rip out half-implemented m.login.saml2 support
This was implemented in an odd way that left most of the work to the client, in
a way that I really didn't understand. It's going to be a pain to maintain, so
let's start by ripping it out.
* drop undocumented dependency on dateutil
It turns out we were relying on dateutil being pulled in transitively by
pysaml2. There's no need for that bloat.
* Clean up the CSS for the fallback login form
I was finding this hard to work with, so simplify a bunch of things. Each
flow is now a form inside a div of class login_flow.
The login_flow class now has a fixed width, as that looks much better than each
flow having a different width.
* Support m.login.sso
MSC1721 renames m.login.cas to m.login.sso. This implements the change
(retaining support for m.login.cas for older clients).
* changelog
The imports were shuffled around a bunch in py3
Signed-off-by: Adrian Tschira <nota@notafile.com>
... so that they have a way to record access tokens.
Break dependency of auth_handler on device_handler
I'm going to need to make the device_handler depend on the auth_handler, so I
need to break this dependency to avoid a cycle.
It turns out that the auth_handler was only using the device_handler in one
place which was an edge case which we can more elegantly handle by throwing an
error rather than fixing it up.
Carefully though, to avoid logging passwords
I'm going to need some more flexibility in handling login types in password
auth providers, so as a first step, move some stuff from LoginRestServlet into
AuthHandler.
In particular, we pass everything other than SAML, JWT and token logins down to
the AuthHandler, which now has responsibility for checking the login type and
fishing the password out of the login dictionary, as well as qualifying the
user_id if need be. Ideally SAML, JWT and token would go that way too, but
there's no real need for it right now and I'm trying to minimise impact.
This commit *should* be non-functional.
It just calls the constructor, so we may as well kill it rather than having
random codepaths.
Handle PartialDownloadError in CAS login
Changes from https://github.com/matrix-org/synapse/pull/1971
Plus a couple of other minor fixes
https://docs.google.com/document/d/1-6ZSSW5YvCGhVFDyD2QExAUAdpCWjccvJT5xiyTTG2Y/edit#
This was broken when device list updates were implemented, as Mailer
could no longer instantiate an AuthHandler due to a dependency on
federation sending.
Since we store all emails in the DB in lowercase
(https://github.com/matrix-org/synapse/pull/1170)
Since we're not doing refresh tokens any more, we should start killing off the
dead code paths. /tokenrefresh itself is a bit of a thornier subject, since
there might be apps out there using it, but we can at least not generate
refresh tokens on new logins.
Redirect to CAS's /login endpoint properly, and
don't require an <attributes> element.
Signed-off-by: Shell Turner <cam.turn@gmail.com>
hs.get_handlers() can not be invoked from split out processes. Moving
the invocations down a level means that we can slowly split out
individual servlets.
Clean up CAS login code
Remove some apparently unused code.
Clean up parse_cas_response, mostly to catch the exception if the CAS response
isn't valid XML.
Attempting to log in with CAS was giving a 500 error.
Add a 'devices' table to the storage, as well as a 'device_id' column to
refresh_tokens.
Allow the client to pass a device_id, and initial_device_display_name, to
/login. If login is successful, then register the device in the devices table
if it wasn't known already. If no device_id was supplied, make one up.
Associate the device_id with the access token and refresh token, so that we can
get at it again later. Ensure that the device_id is copied from the refresh
token to the access_token when the token is refreshed.
Make sure that we have the canonical user_id *before* calling
get_login_tuple_for_user_id.
Replace login_with_password with a method which just validates the password,
and have the caller call get_login_tuple_for_user_id. This brings the password
flow into line with the other flows, and will give us a place to register the
device_id if necessary.
to deduplicate all the copy+pasted _parse_json functions. Also document
the parse_.* functions.
Signed-off-by: Gergely Polonkai <gergely@polonkaieu>
The spec says /login should be available at r0 and 'unstable', so make it so.
that can be redeemed for the usual successful login response
synapse.client.v1.login.PasswordResetRestServlet are unused
CAS attribute tags
format too
specified any CAS user must have the given attribute and the value must equal
requests
Conflicts:
synapse/rest/client/v1/login.py
This allows refresh tokens to be exchanged for (access_token,
refresh_token).
It also starts issuing them on login, though no clients currently
interpret them.
* Merge LoginHandler -> AuthHandler
* Add a bunch of documentation
* Improve some naming
* Remove unused branches
I will start merging the actual logic of the two handlers shortly
- Add saml2 config docs to default config.
- Use existence of saml2 config to indicate if saml2 should be enabled.