Unverified Commit 7218a0ca authored by Jacek Kuśnierz's avatar Jacek Kuśnierz Committed by GitHub

Drop support for calling `/_matrix/client/v3/account/3pid/bind` without an...

Drop support for calling `/_matrix/client/v3/account/3pid/bind` without an `id_access_token` (#13239)

Fixes #13201

Signed-off-by: Jacek Kusnierz <jacek.kusnierz@tum.de>
parent 52a0c8f2
Drop support for calling `/_matrix/client/v3/account/3pid/bind` without an `id_access_token`, which was not permitted by the spec. Contributed by @Vetchu.
\ No newline at end of file
...@@ -162,8 +162,7 @@ class IdentityHandler: ...@@ -162,8 +162,7 @@ class IdentityHandler:
sid: str, sid: str,
mxid: str, mxid: str,
id_server: str, id_server: str,
id_access_token: Optional[str] = None, id_access_token: str,
use_v2: bool = True,
) -> JsonDict: ) -> JsonDict:
"""Bind a 3PID to an identity server """Bind a 3PID to an identity server
...@@ -173,8 +172,7 @@ class IdentityHandler: ...@@ -173,8 +172,7 @@ class IdentityHandler:
mxid: The MXID to bind the 3PID to mxid: The MXID to bind the 3PID to
id_server: The domain of the identity server to query id_server: The domain of the identity server to query
id_access_token: The access token to authenticate to the identity id_access_token: The access token to authenticate to the identity
server with, if necessary. Required if use_v2 is true server with
use_v2: Whether to use v2 Identity Service API endpoints. Defaults to True
Raises: Raises:
SynapseError: On any of the following conditions SynapseError: On any of the following conditions
...@@ -186,24 +184,15 @@ class IdentityHandler: ...@@ -186,24 +184,15 @@ class IdentityHandler:
""" """
logger.debug("Proxying threepid bind request for %s to %s", mxid, id_server) logger.debug("Proxying threepid bind request for %s to %s", mxid, id_server)
# If an id_access_token is not supplied, force usage of v1
if id_access_token is None:
use_v2 = False
if not valid_id_server_location(id_server): if not valid_id_server_location(id_server):
raise SynapseError( raise SynapseError(
400, 400,
"id_server must be a valid hostname with optional port and path components", "id_server must be a valid hostname with optional port and path components",
) )
# Decide which API endpoint URLs to use
headers = {}
bind_data = {"sid": sid, "client_secret": client_secret, "mxid": mxid} bind_data = {"sid": sid, "client_secret": client_secret, "mxid": mxid}
if use_v2: bind_url = "https://%s/_matrix/identity/v2/3pid/bind" % (id_server,)
bind_url = "https://%s/_matrix/identity/v2/3pid/bind" % (id_server,) headers = {"Authorization": create_id_access_token_header(id_access_token)}
headers["Authorization"] = create_id_access_token_header(id_access_token) # type: ignore
else:
bind_url = "https://%s/_matrix/identity/api/v1/3pid/bind" % (id_server,)
try: try:
# Use the blacklisting http client as this call is only to identity servers # Use the blacklisting http client as this call is only to identity servers
...@@ -222,21 +211,14 @@ class IdentityHandler: ...@@ -222,21 +211,14 @@ class IdentityHandler:
return data return data
except HttpResponseException as e: except HttpResponseException as e:
if e.code != 404 or not use_v2: logger.error("3PID bind failed with Matrix error: %r", e)
logger.error("3PID bind failed with Matrix error: %r", e) raise e.to_synapse_error()
raise e.to_synapse_error()
except RequestTimedOutError: except RequestTimedOutError:
raise SynapseError(500, "Timed out contacting identity server") raise SynapseError(500, "Timed out contacting identity server")
except CodeMessageException as e: except CodeMessageException as e:
data = json_decoder.decode(e.msg) # XXX WAT? data = json_decoder.decode(e.msg) # XXX WAT?
return data return data
logger.info("Got 404 when POSTing JSON %s, falling back to v1 URL", bind_url)
res = await self.bind_threepid(
client_secret, sid, mxid, id_server, id_access_token, use_v2=False
)
return res
async def try_unbind_threepid(self, mxid: str, threepid: dict) -> bool: async def try_unbind_threepid(self, mxid: str, threepid: dict) -> bool:
"""Attempt to remove a 3PID from an identity server, or if one is not provided, all """Attempt to remove a 3PID from an identity server, or if one is not provided, all
identity servers we're aware the binding is present on identity servers we're aware the binding is present on
......
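Review bot: The `except CodeMessageException` branch at the end of `bind_threepid` still returns the decoded error body as if the bind had succeeded, and with the v1 fallback removed it is now the only error path that does not raise. If `e.msg` is not valid JSON, `json_decoder.decode(e.msg)` will itself throw; otherwise the caller appears to receive an identity-server error payload in place of a bind result. Consider raising instead, with something like `raise SynapseError(e.code, "Error binding 3PID at identity server") from e`, or replace the `# XXX WAT?` marker with a comment explaining why returning the body is intended. The HTTP call inside the `try` is outside the visible hunks, so confirm which exception types can actually reach this branch.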
...@@ -704,10 +704,12 @@ class ThreepidBindRestServlet(RestServlet): ...@@ -704,10 +704,12 @@ class ThreepidBindRestServlet(RestServlet):
async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]: async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
body = parse_json_object_from_request(request) body = parse_json_object_from_request(request)
assert_params_in_dict(body, ["id_server", "sid", "client_secret"]) assert_params_in_dict(
body, ["id_server", "sid", "id_access_token", "client_secret"]
)
id_server = body["id_server"] id_server = body["id_server"]
sid = body["sid"] sid = body["sid"]
id_access_token = body.get("id_access_token") # optional id_access_token = body["id_access_token"]
client_secret = body["client_secret"] client_secret = body["client_secret"]
assert_valid_client_secret(client_secret) assert_valid_client_secret(client_secret)
......
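Review bot: `id_access_token = body["id_access_token"]` is checked for presence only, so a JSON `null`, number or object would pass `assert_params_in_dict` (assuming it tests key membership and nothing more). Such a value would then reach `create_id_access_token_header` in the handler and presumably be formatted into the `Authorization` header sent to the identity server. Now that the token is mandatory, reject non-string values at the servlet boundary, e.g. `if not isinstance(id_access_token, str): raise SynapseError(400, "id_access_token must be a string", Codes.INVALID_PARAM)`. The same presence-only check covers `id_server` and `sid` on the adjacent lines. `on_POST` continues past the end of the visible hunk, so any later validation is not shown here.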