| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
We've decided to add a 'brand' field to help clients decide how to style the
buttons.
Also, fix up the allowed characters for idp_id, while I'm in the area.
|
|
|
| |
Fixes #8928.
|
| |
|
|
|
|
| |
If a remote server name is provided, ensure it is something reasonable
before making remote connections to it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Implement CasHandler.handle_redirect_request
... to make it match OidcHandler and SamlHandler
* Clean up interface for OidcHandler.handle_redirect_request
Make it accept `client_redirect_url=None`.
* Clean up interface for `SamlHandler.handle_redirect_request`
... bring it into line with CAS and OIDC by making it take a Request parameter,
move the magic for `client_redirect_url` for UIA into the handler, and fix the
return type to be a `str` rather than a `bytes`.
* Define a common protocol for SSO auth provider impls
* Give SsoIdentityProvider an ID and register them
* Combine the SSO Redirect servlets
Now that the SsoHandler knows about the identity providers, we can combine the
various *RedirectServlets into a single implementation which delegates to the
right IdP.
* changelog
|
|
|
| |
Adds the redacts endpoint to workers that have the client listener.
|
|
|
| |
This improves type hinting and should use less memory.
|
|
|
|
| |
Fixes #8846.
|
|
|
|
|
|
|
|
|
|
| |
The spec requires synapse to support `identifier` dicts for `m.login.password`
user-interactive auth, which it did not (instead, it required an undocumented
`user` parameter.)
To fix this properly, we need to pull the code that interprets `identifier`
into `AuthHandler.validate_login` so that it can be called from the UIA code.
Fixes #5665.
|
|
|
| |
we don't need to support legacy login dictionaries here.
|
| |
|
|
|
|
| |
The handling of OPTIONS requests was consolidated in #7534, but the endpoint
specific handlers were not removed.
|
| |
|
|
|
| |
Fixes #8029
|
|
|
| |
All handlers now available via get_*_handler() methods on the HomeServer.
|
| |
|
|
|
| |
The idea is that in future tokens will encode a mapping of instance to position. However, we don't want to include the full instance name in the string representation, so instead we'll have a mapping between instance name and an immutable integer ID in the DB that we can use instead. We'll then do the lookup when we serialize/deserialize the token (we could alternatively pass around an `Instance` type that includes both the name and ID, but that turns out to be a lot more invasive).
|
| |
|
|
|
|
|
|
|
| |
This converts calls like super(Foo, self) -> super().
Generated with:
sed -i "" -Ee 's/super\([^\(]+\)/super()/g' **/*.py
|
|
|
|
|
| |
Add ability for ASes to /login using the `uk.half-shot.msc2778.login.application_service` login `type`.
Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
|
|
|
|
|
|
|
| |
missing push rules in `.../actions` and `.../enabled` (#7796)
Signed-off-by: Olivier Wilkinson (reivilibre) <olivier@librepush.net>
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
|
|
|
|
|
|
|
| |
This is split out from https://github.com/matrix-org/synapse/pull/7438, which had gotten rather large.
`LoginRestServlet` has a couple helper methods, `login_submission_legacy_convert` and `login_id_thirdparty_from_phone`. They're primarily used for converting legacy user login submissions to "identifier" dicts ([see spec](https://matrix.org/docs/spec/client_server/r0.6.1#post-matrix-client-r0-login)). Identifying information such as usernames or 3PID information used to be top-level in the login body. They're now supposed to be put inside an [identifier](https://matrix.org/docs/spec/client_server/r0.6.1#identifier-types) parameter instead.
#7438's purpose is to allow using the new identifier parameter during User-Interactive Authentication, which is currently handled in AuthHandler. That's why I've moved these helper methods there. I also moved the refactoring of these method from #7438 as they're relevant.
|
| |
|
|
|
|
|
|
| |
Small cleanup PR.
* Removed the unused `is_guest` argument
* Added a safeguard to a (currently) impossible code path, fixing static checking at the same time.
|
| |
|
| |
|
|
|
|
|
| |
It's just a thin wrapper around two ID gens to make `get_current_token`
and `get_next` return tuples. This can easily be replaced by calling the
appropriate methods on the underlying ID gens directly.
|
| |
|
| |
|
|\
| |
| | |
With an undocumented configuration setting to enable them for specific users.
|
| |\
| | |
| | |
| | | |
babolivier/new_push_rules
|
| | | |
|
| | | |
|
| |/
|/| |
|
|/
|
| |
Signed-off-by: Michael Albert <michael.albert@awesome-technologies.de>
|
| |
|
|
|
|
| |
json. (#7836)
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
| |
fixes #7016
|
|\ |
|
| | |
|
| | |
|
| | |
|
|\ \
| | |
| | | |
Implementation of https://github.com/matrix-org/matrix-doc/pull/2625
|
| |\ \ |
|
| | | | |
|
| | |/
| |/| |
|
| | | |
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| | |
The spec [states](https://matrix.org/docs/spec/client_server/r0.6.1#phone-number) that `m.id.phone` requires the field `country` and `phone`.
In Synapse, we've been enforcing `country` and `number`.
I am not currently sure whether this affects any client implementations.
This issue was introduced in #1994.
|
|/ |
|
|
|
|
|
|
|
|
|
|
| |
While working on https://github.com/matrix-org/synapse/issues/5665 I found myself digging into the `Ratelimiter` class and seeing that it was both:
* Rather undocumented, and
* causing a *lot* of config checks
This PR attempts to refactor and comment the `Ratelimiter` class, as well as encourage config file accesses to only be done at instantiation.
Best to be reviewed commit-by-commit.
|
| |
|
| |
|
|
|
|
|
|
|
| |
The idea here is that if an instance persists an event via the replication HTTP API it can return before we receive that event over replication, which can lead to races where code assumes that persisting an event immediately updates various caches (e.g. current state of the room).
Most of Synapse doesn't hit such races, so we don't do the waiting automagically, instead we do so where necessary to avoid unnecessary delays. We may decide to change our minds here if it turns out there are a lot of subtle races going on.
People probably want to look at this commit by commit.
|
| |
|
| |
|
| |
|
|
|
|
| |
public rooms list (#6899)
|
| |
|
|
|
|
| |
(#7136)
|
|
|
| |
Build the same service URL when requesting the CAS ticket and when calling the proxyValidate URL.
|
| |
|
| |
|
|\ |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
handling of call to deactivate user (#6990)
|
|/
|
|
| |
Ensure good comprehension hygiene using flake8-comprehensions.
|
|
|
| |
it's not in the spec yet, so needs to be unstable. Also add a feature flag for it. Also add a test for admin users.
|
|
|
|
|
| |
per matrix-org/matrix-doc#2432
|
|
|
|
|
| |
as per MSC2260
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove redundant python2 support code
`str.decode()` doesn't exist on python3, so presumably this code was doing
nothing
* Filter out pushers with corrupt data
When we get a row with unparsable json, drop the row, rather than returning a
row with null `data`, which will then cause an explosion later on.
* Improve logging when we can't start a pusher
Log the ID to help us understand the problem
* Make email pusher setup more robust
We know we'll have a `data` member, since that comes from the database. What we
*don't* know is if that is a dict, and if that has a `brand` member, and if
that member is a string.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Co-Authored-By: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Co-Authored-By: Brendan Abolivier <babolivier@matrix.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were doing this in a number of places which meant that some login
code paths incremented the counter multiple times.
It was also applying ratelimiting to UIA endpoints, which was probably
not intentional.
In particular, some custom auth modules were calling
`check_user_exists`, which incremented the counters, meaning that people
would fail to login sometimes.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The `http_proxy` and `HTTPS_PROXY` env vars can be set to a `host[:port]` value which should point to a proxy.
The address of the proxy should be excluded from IP blacklists such as the `url_preview_ip_range_blacklist`.
The proxy will then be used for
* push
* url previews
* phone-home stats
* recaptcha validation
* CAS auth validation
It will *not* be used for:
* Application Services
* Identity servers
* Outbound federation
* In worker configurations, connections from workers to masters
Fixes #4198.
|
|
|
| |
* update version of black and also fix the mypy config being overridden
|
|
|
| |
Replace every instance of `logger.warn` with `logger.warning` as the former is deprecated.
|
| |
|
|
|
| |
Now, the CAS server can return an attribute stating what's the desired displayname, instead of using the username directly.
|
|
|
|
| |
Use room_stats and room_state for room directory search
|
| |
|
|
|
|
| |
This will make it easier to search for sending event requests.
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
This is a redo of https://github.com/matrix-org/synapse/pull/5897 but with `id_access_token` accepted.
Implements [MSC2134](https://github.com/matrix-org/matrix-doc/pull/2134) plus Identity Service v2 authentication ala [MSC2140](https://github.com/matrix-org/matrix-doc/pull/2140).
Identity lookup-related functions were also moved from `RoomMemberHandler` to `IdentityHandler`.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Remove all the "double return" statements which were a result of us removing all the instances of
```
defer.returnValue(...)
return
```
statements when we switched to python3 fully.
|
| |
| |
| |
| |
| | |
Python will return a tuple whether there are parentheses around the returned values or not.
I'm just sick of my editor complaining about this all over the place :)
|
|/
|
|
|
|
| |
We want to assign unique mxids to saml users based on an incrementing
suffix. For that to work, we need to record the allocated mxid in a separate
table.
|
|
|
|
|
| |
Part of fixing matrix-org/sytest#652
Sytest PR: matrix-org/sytest#667
|
|\
| |
| |
| |
| |
| |
| | |
Bugfixes
--------
- Fix a regression introduced in v1.2.0rc1 which led to incorrect labels on some prometheus metrics. ([\#5734](https://github.com/matrix-org/synapse/issues/5734))
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Fix servlet metric names
Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* Remove redundant check
* Cover all return paths
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First of all, let's get rid of `TOKEN_NOT_FOUND_HTTP_STATUS`. It was a hack we
did at one point when it was possible to return either a 403 or a 401 if the
creds were missing. We always return a 401 in these cases now (thankfully), so
it's not needed.
Let's also stop abusing `AuthError` for these cases. Honestly they have nothing
that relates them to the other places that `AuthError` is used, other than the
fact that they are loosely under the 'Auth' banner. It makes no sense for them
to share exception classes.
Instead, let's add a couple of new exception classes: `InvalidClientTokenError`
and `MissingClientTokenError`, for the `M_UNKNOWN_TOKEN` and `M_MISSING_TOKEN`
cases respectively - and an `InvalidClientCredentialsError` base class for the
two of them.
|
|
|
|
|
|
|
|
| |
Nothing uses this now, so we can remove the dead code, and clean up the
API.
Since we're changing the shape of the return value anyway, we take the
opportunity to give the method a better name.
|
|
|
|
|
|
|
|
| |
* Factor out some redundant code in the login impl
Also fixes a redundant access_token which was generated during jwt login.
* changelog
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* SAML2 Improvements and redirect stuff
Signed-off-by: Alexander Trost <galexrt@googlemail.com>
* Code cleanups and simplifications.
Also: share the saml client between redirect and response handlers.
* changelog
* Revert redundant changes to static js
* Move all the saml stuff out to a centralised handler
* Add support for tracking SAML2 sessions.
This allows us to correctly handle `allow_unsolicited: False`.
* update sample config
* cleanups
* update sample config
* rename BaseSSORedirectServlet for consistency
* Address review comments
|
| |\ |
|
| | | |
|
| | | |
|
| |\ \ |
|
| | | |
| | | |
| | | |
| | | | |
Also: share the saml client between redirect and response handlers.
|
| |\ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: Alexander Trost <galexrt@googlemail.com>
|
| |_|_|/
|/| | |
| | | |
| | | | |
Signed-off-by: Pau Rodriguez-Estivill <prodrigestivill@gmail.com>
|
| |_|/
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Fix JWT login with register
Signed-off-by: Pau Rodriguez-Estivill <prodrigestivill@gmail.com>
* Add pyjwt conditional dependency
Signed-off-by: Pau Rodriguez-Estivill <prodrigestivill@gmail.com>
* Added changelog file
Signed-off-by: Pau Rodriguez-Estivill <prodrigestivill@gmail.com>
* Improved changelog description
Signed-off-by: Pau Rodriguez-Estivill <prodrigestivill@gmail.com>
|
| | | |
|
| |/
|/| |
|
| | |
|
|/ |
|
|
|
|
|
|
|
|
| |
This fixes a bug which were causing the "event_format" field to be
ignored in the filter of requests to the `/messages` endpoint of the
CS API.
Signed-off-by: Eisha Chen-yen-su <chenyensu0@gmail.com>
|
|\
| |
| | |
Show correct error when logging out and access token is missing
|
| |
| |
| |
| | |
Signed-off-by: Aaron Raimist <aaron@raim.ist>
|
| |
| |
| |
| | |
Signed-off-by: Aaron Raimist <aaron@raim.ist>
|
| |
| |
| |
| | |
Signed-off-by: Aaron Raimist <aaron@raim.ist>
|
|/ |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CS API (#5083)
This commit adds two config options:
* `restrict_public_rooms_to_local_users`
Requires auth to fetch the public rooms directory through the CS API and disables fetching it through the federation API.
* `require_auth_for_profile_requests`
When set to `true`, requires that requests to `/profile` over the CS API are authenticated, and only returns the user's profile if the requester shares a room with the profile's owner, as per MSC1301.
MSC1301 also specifies a behaviour for federation (only returning the profile if the server asking for it shares a room with the profile's owner), but that's currently really non-trivial to do in a not too expensive way. Next step is writing down a MSC that allows a HS to specify which user sent the profile query. In this implementation, Synapse won't send a profile query over federation if it doesn't believe it already shares a room with the profile's owner, though.
Groups have been intentionally omitted from this commit.
|
|
|
|
| |
It doesn't really belong under rest/client/v1 any more.
|
| |
|
| |
|
|\
| |
| |
| | |
babolivier/account_expiration
|
| |
| |
| |
| |
| |
| |
| | |
This is an undocumented variable in twisted, and relies on the servlet
being mounted in the right way.
This also breaks getting push rules on workers.
|
| | |
|
| | |
|
| | |
|
| |
| |
| | |
Remove presence list support as per MSC 1819
|
| |
| |
| |
| | |
Remove log line for password.
|
|/ |
|
|
|
|
|
| |
Adds a new method, check_3pid_auth, which gives password providers
the chance to allow authentication with third-party identifiers such
as email or msisdn.
|
| |
|
| |
|
| |
|
|
|
| |
Add two ratelimiters on login (per-IP address and per-userID).
|
|
|
|
|
|
|
|
| |
Currently the explanation message is sent to the abuse room before any
users are forced joined, which means it tends to get lost in the backlog
of joins.
So instead we send the message *after* we've forced joined everyone.
|
|
|
|
|
| |
This is required because the 'Server' HTTP header is not always
passed through proxies.
|
|
|
|
|
|
|
|
|
|
| |
* Move RegistrationHandler init to HomeServer
* Move post registration actions to RegistrationHandler
* Add post regisration replication endpoint
* Newsfile
|
| |
|
| |
|
|
|
|
| |
... as per MSC1730.
|
|
|
|
|
|
| |
Allow for the creation of a support user.
A support user can access the server, join rooms, interact with other users, but does not appear in the user directory nor does it contribute to monthly active user limits.
|
|
|
|
|
| |
When we register a new user from SAML2 data, initialise their displayname
correctly.
|
|
|
|
| |
This is mostly factoring out the post-CAS-login code to somewhere we can reuse
it for other SSO flows, but it also fixes the userid mapping while we're at it.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Rip out half-implemented m.login.saml2 support
This was implemented in an odd way that left most of the work to the client, in
a way that I really didn't understand. It's going to be a pain to maintain, so
let's start by ripping it out.
* drop undocumented dependency on dateutil
It turns out we were relying on dateutil being pulled in transitively by
pysaml2. There's no need for that bloat.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Clean up the CSS for the fallback login form
I was finding this hard to work with, so simplify a bunch of things. Each
flow is now a form inside a div of class login_flow.
The login_flow class now has a fixed width, as that looks much better than each
flow having a differnt width.
* Support m.login.sso
MSC1721 renames m.login.cas to m.login.sso. This implements the change
(retaining support for m.login.cas for older clients).
* changelog
|
|
|
|
|
|
|
|
| |
Currently when fetching state groups from the data store we make two
hits two the database: once for members and once for non-members (unless
request is filtered to one or the other). This adds needless load to the
datbase, so this PR refactors the lookup to make only a single database
hit.
|
| |
|
|\
| |
| | |
fix VOIP crashes under Python 3
|
| | |
|
|/ |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Older identity servers may not support the unbind 3pid request, so we
shouldn't fail the requests if we received one of 400/404/501. The
request still fails if we receive e.g. 500 responses, allowing clients
to retry requests on transient identity server errors that otherwise do
support the API.
Fixes #3661
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Make sure that the user has permission to view the requeseted event for
/event/{eventId} and /room/{roomId}/event/{eventId} requests.
Also check that the event is in the given room for
/room/{roomId}/event/{eventId}, for sanity.
|
|\ \
| | |
| | | |
return 404 if room not found
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Per the Client-Server API[0] we should return
`M_NOT_FOUND` if the room isn't found instead
of generic SynapseError.
This ensures that /directory/list API returns
404 for room not found instead of 400.
[0]: https://matrix.org/docs/spec/client_server/unstable.html#get-matrix-client-r0-directory-list-room-roomid
Signed-off-by: Serban Constantin <serban.constantin@gmail.com>
|
|/ / |
|
| |
| |
| | |
make /context lazyload & filter aware.
|
|\ \
| | |
| | |
| | | |
erikj/client_apis_move
|
| | | |
|
| |/ |
|
| |
| |
| |
| | |
This is in preparation for moving GET /context/ to a worker
|
|/
|
|
|
| |
This will let us call the read only parts from workers, and so be able
to move some APIs off of master, e.g. the `/state` API.
|
| |
|
| |
|
|\
| |
| | |
Use parse and asserts from http.servlet
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| | |
the method "assert_params_in_request" does handle dicts and not
requests. A request body has to be parsed to json before this method
can be used
|
| |
| |
| |
| |
| |
| |
| | |
parse_integer and parse_string can take a request and raise errors
in case we have wrong or missing params.
This PR tries to use them more to deduplicate some code and make it
better readable
|
|/ |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
matrix-org/rav/erasure_visibility""
This reverts commit 1d009013b3c3e814177afc59f066e02a202b21cd.
|
|
|
|
|
| |
This reverts commit ce0d911156b355c5bf452120bfb08653dad96497, reversing
changes made to b4a5d767a94f1680d07edfd583aae54ce422573e.
|
|\
| |
| | |
Support hiding events from deleted users
|
| | |
|
|/ |
|
| |
|
|
|
|
|
|
| |
This got completely broken in 0.30.
Fixes #3300.
|
|
|
|
|
|
| |
plus a bonus b"" string I missed last time
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
|\
| |
| | |
Make purge_history operate on tokens
|
| |
| |
| |
| | |
As we're soon going to change how topological_ordering works
|
|/
|
|
|
|
|
| |
Handlers is deprecated nowadays, so let's move this out before I add a new
dependency on it.
Also fix the docstrings on create_room.
|
|
|
|
|
|
|
|
|
|
|
|
| |
(instead of everywhere that writes a response. Or rather, the subset of places
which write responses where we haven't forgotten it).
This also means that we don't have to have the mysterious version_string
attribute in anything with a request handler.
Unfortunately it does mean that we have to pass the version string wherever we
instantiate a SynapseSite, which has been c&ped 150 times, but that is code
that ought to be cleaned up anyway really.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This closes #2602
v1auth was created to account for the differences in status code between
the v1 and v2_alpha revisions of the protocol (401 vs 403 for invalid
tokens). However since those protocols were merged, this makes the r0
version/endpoint internally inconsistent, and violates the
specification for the r0 endpoint.
This might break clients that rely on this inconsistency with the
specification. This is said to affect the legacy angular reference
client. However, I feel that restoring parity with the spec is more
important. Either way, it is critical to inform developers about this
change, in case they rely on the illegal behaviour.
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
| |
|
|\
| |
| | |
Construct HMAC as bytes on py3
|
| |
| |
| |
| | |
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
|/
|
|
|
|
| |
The imports were shuffled around a bunch in py3
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
|\
| |
| | |
Limit concurrent event sends for a room
|
| | |
|
|\ \
| | |
| | | |
Add b prefixes to some strings that are bytes in py3
|
| | |
| | |
| | |
| | |
| | |
| | | |
This has no effect on python2
Signed-off-by: Adrian Tschira <nota@notafile.com>
|
|\ \ \
| |_|/
|/| | |
Return 401 for invalid access_token on logout
|
| | |
| | |
| | |
| | | |
Signed-off-by: Duncan Klug <dklug@ucmerced.edu>
|
|\ \ \
| |_|/
|/| | |
Add room_id to the response of `rooms/{roomId}/join`
|
| | |
| | |
| | |
| | | |
Fixes #2349
|
|\ \ \
| |/ /
|/| | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
Due to the order we register the REST handlers `/forget` was handled by
the correct handler.
|
| | |
| | |
| | |
| | | |
Make the purge request return quickly, and allow scripts to poll for updates.
|
| |/
|/| |
|
| | |
|
|\ \
| | |
| | | |
Create a worker for event creation
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
* It's supposed to be purge_local_events, not ..._history
* Fix the doc to have valid json
|
|\ \ \
| |/ /
|/| | |
delete_local_events for purge_room_history
|
| | |
| | |
| | |
| | | |
Add a flag which makes the purger delete local events
|
| | | |
|
| | | |
|
|\ \ \ |
|
| | | |
| | | |
| | | | |
blindly implement ?ts for AS. untested
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* [ ] split config options into allowed_local_3pids and registrations_require_3pid
* [ ] simplify and comment logic for picking registration flows
* [ ] fix docstring and move check_3pid_allowed into a new util module
* [ ] use check_3pid_allowed everywhere
@erikjohnston PTAL
|
| |/ / |
|
|/ /
| |
| |
| |
| | |
This is intended to be used by administrators to monitor the media that is passing through their server, if they wish.
Signed-off-by: Travis Ralston <travpc@gmail.com>
|
| |
| |
| |
| |
| |
| | |
Turns out that there is a valid usecase for retrieving event by id (notably
having received a push), but event ids should be scoped to room, so /event/{id}
is wrong.
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make sure that we delete devices whenever a user is logged out due to any of
the following situations:
* /logout
* /logout_all
* change password
* deactivate account (by the user or by an admin)
* invalidate access token from a dynamic module
Fixes #2672.
|
|
|
|
|
|
| |
Non-functional refactoring to move set_password. This means that we'll be able
to properly deactivate devices and access tokens without introducing a
dependency loop.
|
|
|
|
|
|
| |
Non-functional refactoring to move deactivate_account. This means that we'll be
able to properly deactivate devices and access tokens without introducing a
dependency loop.
|
| |
|
|
|
|
| |
... so that they have a way to record access tokens.
|
|\
| |
| |
| | |
rav/refactor_accesstoken_delete
|
| |\
| | |
| | | |
Break dependency of auth_handler on device_handler
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
I'm going to need to make the device_handler depend on the auth_handler, so I
need to break this dependency to avoid a cycle.
It turns out that the auth_handler was only using the device_handler in one
place which was an edge case which we can more elegantly handle by throwing an
error rather than fixing it up.
|
| | | |
|
| |/
| |
| |
| | |
Carefully though, to avoid logging passwords
|
|/
|
|
|
|
|
| |
Also move duplicated deactivation code into the auth handler.
I want to add some hooks when we deactivate an access token, so let's bring it
all in here so that there's somewhere to put it.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I'm going to need some more flexibility in handling login types in password
auth providers, so as a first step, move some stuff from LoginRestServlet into
AuthHandler.
In particular, we pass everything other than SAML, JWT and token logins down to
the AuthHandler, which now has responsibility for checking the login type and
fishing the password out of the login dictionary, as well as qualifying the
user_id if need be. Ideally SAML, JWT and token would go that way too, but
there's no real need for it right now and I'm trying to minimise impact.
This commit *should* be non-functional.
|
|
|
|
| |
what could possibly go wrong
|
|
|
|
|
| |
It just calls the constructor, so we may as well kill it rather than having
random codepaths.
|