Fix validation problem that occurs when a user tries to deactivate their...

Fix validation problem that occurs when a user tries to deactivate their account or change their password. (#13563)

Fix validation problem that occurs when a user tries to deactivate their...
3a245f6c · reivilibre · GitHub · 2c42673a · 3a245f6c · 3a245f6c
Unverified Commit 3a245f6c authored 2 years ago by reivilibre Committed by GitHub 2 years ago
--- a/changelog.d/13563.feature
+++ b/changelog.d/13563.feature
+Improve validation of request bodies for the following client-server API endpoints: [`/account/password`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword), [`/account/password/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpasswordemailrequesttoken), [`/account/deactivate`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountdeactivate) and [`/account/3pid/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidemailrequesttoken).
--- a/synapse/rest/client/account.py
+++ b/synapse/rest/client/account.py
@@ -196,7 +196,7 @@ class PasswordRestServlet(RestServlet):
                params, session_id = await self.auth_handler.validate_user_via_ui_auth(
                    requester,
                    request,
-                    body.dict(),
+                    body.dict(exclude_unset=True),
                    "modify your account password",
                )
            except InteractiveAuthIncompleteError as e:
@@ -219,7 +219,7 @@ class PasswordRestServlet(RestServlet):
                result, params, session_id = await self.auth_handler.check_ui_auth(
                    [[LoginType.EMAIL_IDENTITY]],
                    request,
-                    body.dict(),
+                    body.dict(exclude_unset=True),
                    "modify your account password",
                )
            except InteractiveAuthIncompleteError as e:
@@ -316,7 +316,7 @@ class DeactivateAccountRestServlet(RestServlet):
        await self.auth_handler.validate_user_via_ui_auth(
            requester,
            request,
-            body.dict(),
+            body.dict(exclude_unset=True),
            "deactivate your account",
        )
        result = await self._deactivate_account_handler.deactivate_account(

--- a/tests/handlers/test_deactivate_account.py
+++ b/tests/handlers/test_deactivate_account.py
@@ -322,3 +322,18 @@ class DeactivateAccountTestCase(HomeserverTestCase):
                )
            ),
        )
+    def test_deactivate_account_needs_auth(self) -> None:
+        """
+        Tests that making a request to /deactivate with an empty body
+        succeeds in starting the user-interactive auth flow.
+        """
+        req = self.make_request(
+            "POST",
+            "account/deactivate",
+            {},
+            access_token=self.token,
+        )
+        self.assertEqual(req.code, 401, req)
+        self.assertEqual(req.json_body["flows"], [{"stages": ["m.login.password"]}])