Return a different error from Invalid Password when a user is deactivated (#5674)

Return `This account has been deactivated` instead of `Invalid password` when a user is deactivated.

Return a different error from Invalid Password when a user is deactivated (#5674)
18c51669 · Andrew Morgan · GitHub · d8632130 · 18c51669 · 18c51669
Unverified Commit 18c51669 authored 5 years ago by Andrew Morgan Committed by GitHub 5 years ago
--- a/changelog.d/5674.feature
+++ b/changelog.d/5674.feature
+Return "This account has been deactivated" when a deactivated user tries to login.
--- a/synapse/api/errors.py
+++ b/synapse/api/errors.py
@@ -139,6 +139,22 @@ class ConsentNotGivenError(SynapseError):
        return cs_error(self.msg, self.errcode, consent_uri=self._consent_uri)
+class UserDeactivatedError(SynapseError):
+    """The error returned to the client when the user attempted to access an
+    authenticated endpoint, but the account has been deactivated.
+    """
+    def __init__(self, msg):
+        """Constructs a UserDeactivatedError
+        Args:
+            msg (str): The human-readable error message
+        """
+        super(UserDeactivatedError, self).__init__(
+            code=http_client.FORBIDDEN, msg=msg, errcode=Codes.UNKNOWN
+        )
 class RegistrationError(SynapseError):
    """An error raised when a registration event fails."""

--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -35,6 +35,7 @@ from synapse.api.errors import (
    LoginError,
    StoreError,
    SynapseError,
+    UserDeactivatedError,
 )
 from synapse.api.ratelimiting import Ratelimiter
 from synapse.logging.context import defer_to_thread
@@ -623,6 +624,7 @@ class AuthHandler(BaseHandler):
        Raises:
            LimitExceededError if the ratelimiter's login requests count for this
                user is too high too proceed.
+            UserDeactivatedError if a user is found but is deactivated.
        """
        self.ratelimit_login_per_account(user_id)
        res = yield self._find_user_id_and_pwd_hash(user_id)
@@ -838,6 +840,13 @@ class AuthHandler(BaseHandler):
        if not lookupres:
            defer.returnValue(None)
        (user_id, password_hash) = lookupres
+        # If the password hash is None, the account has likely been deactivated
+        if not password_hash:
+            deactivated = yield self.store.get_user_deactivated_status(user_id)
+            if deactivated:
+                raise UserDeactivatedError("This account has been deactivated")
        result = yield self.validate_hash(password, password_hash)
        if not result:
            logger.warn("Failed password login for user %s", user_id)