From d3b0be57f961f5860d71e3e89daf93b493d40bd7 Mon Sep 17 00:00:00 2001
From: "Olivier Wilkinson (reivilibre)"
Date: Wed, 8 Dec 2021 15:12:32 +0000
Subject: Allow masquerading as a device by specifying the device_id URI parameter

---
 synapse/api/auth.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index d34d9f8abe..65369afd13 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -313,6 +313,8 @@ class Auth:
 - The returned device ID, if present, has been checked to be a valid device ID
 for the returned user ID.
 """
+ DEVICE_ID_ARG_NAME = b"org.matrix.msc3202.device_id"
+
 app_service = self.store.get_app_service_by_token(
 self.get_access_token_from_request(request)
 )
@@ -335,7 +337,22 @@ class Auth:
 else:
 effective_user_id = app_service.sender
 
- return effective_user_id, None, app_service
+ effective_device_id: Optional[str] = None
+
+ if DEVICE_ID_ARG_NAME in request.args:
+ effective_device_id = request.args[DEVICE_ID_ARG_NAME][0].decode("utf8")
+ # We only just set this so it can't be None!
+ assert effective_device_id is not None
+ device_opt = await self.store.get_device_opt(
+ effective_user_id, effective_device_id
+ )
+ if device_opt is None:
+ raise AuthError(
+ 403,
+ f"Application service trying to use a device that doesn't exist ('{effective_device_id}' for {effective_user_id})",
+ )
+
+ return effective_user_id, effective_device_id, app_service
 
 async def get_user_by_access_token(
 self,
--
cgit 1.4.1
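Review bot: `DEVICE_ID_ARG_NAME = b"org.matrix.msc3202.device_id"` is bound as a local inside the method body, so it is re-created on every authentication call and its upper-case name reads as a module constant rather than a local. Hoisting it to module scope (next to the file's other constants) also lets any other code that needs to recognise the same unstable parameter name import it instead of repeating the literal. The enclosing method starts before this hunk, so the surrounding signature and docstring are not visible here.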
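Review bot: `request.args[DEVICE_ID_ARG_NAME][0].decode("utf8")` decodes a caller-supplied query value with a strict codec, so a value that is not valid UTF-8 raises `UnicodeDecodeError` out of the auth path and surfaces as a 500 rather than a client error; wrap the decode in a `try`/`except UnicodeDecodeError` that raises a 400 (e.g. `SynapseError`) and keep the new 403 `AuthError` for the unknown-device case. The `assert effective_device_id is not None` on the next line is redundant, since the value was just assigned from `decode`, and `assert` is stripped under `-O`, so it must not be relied on as a guard; either drop it or comment that it exists only to narrow the type for the checker. The new branch also runs for every application service unconditionally; given the parameter is namespaced as an unstable MSC3202 identifier, if this is meant to be opt-in it should sit behind a configuration flag, which is not visible in this hunk. The enclosing method begins outside the hunk.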