Skip UIA device endpoints for ASes

2024-11-21 17:15:38 +03:00 · 2024-09-12 15:08:57 +02:00 · 2024-09-12 15:08:57 +02:00 · 12a0b2d295
commit 12a0b2d295
parent 68cb2b90ea
1 changed files with 31 additions and 21 deletions
--- a/synapse/rest/client/devices.py
+++ b/synapse/rest/client/devices.py
@ -114,15 +114,19 @@ class DeleteDevicesRestServlet(RestServlet):
            else:
                raise e

-        await self.auth_handler.validate_user_via_ui_auth(
-            requester,
-            request,
-            body.dict(exclude_unset=True),
-            "remove device(s) from your account",
-            # Users might call this multiple times in a row while cleaning up
-            # devices, allow a single UI auth session to be re-used.
-            can_skip_ui_auth=True,
-        )
+        if requester.app_service and requester.app_service.msc4190_device_management:
+            # MSC4190 can skip UIA for this endpoint
+            pass
+        else:
+            await self.auth_handler.validate_user_via_ui_auth(
+                requester,
+                request,
+                body.dict(exclude_unset=True),
+                "remove device(s) from your account",
+                # Users might call this multiple times in a row while cleaning up
+                # devices, allow a single UI auth session to be re-used.
+                can_skip_ui_auth=True,
+            )

        await self.device_handler.delete_devices(
            requester.user.to_string(), body.devices
@ -175,9 +179,6 @@ class DeviceRestServlet(RestServlet):
    async def on_DELETE(
        self, request: SynapseRequest, device_id: str
    ) -> Tuple[int, JsonDict]:
-        if self._msc3861_oauth_delegation_enabled:
-            raise UnrecognizedRequestError(code=404)
-
        requester = await self.auth.get_user_by_req(request)

        try:
@ -192,15 +193,24 @@ class DeviceRestServlet(RestServlet):
            else:
                raise

-        await self.auth_handler.validate_user_via_ui_auth(
-            requester,
-            request,
-            body.dict(exclude_unset=True),
-            "remove a device from your account",
-            # Users might call this multiple times in a row while cleaning up
-            # devices, allow a single UI auth session to be re-used.
-            can_skip_ui_auth=True,
-        )
+        if requester.app_service and requester.app_service.msc4190_device_management:
+            # MSC4190 allows appservices to delete devices through this endpoint without UIA
+            # It's also allowed with MSC3861 enabled
+            pass
+
+        else:
+            if self._msc3861_oauth_delegation_enabled:
+                raise UnrecognizedRequestError(code=404)
+
+            await self.auth_handler.validate_user_via_ui_auth(
+                requester,
+                request,
+                body.dict(exclude_unset=True),
+                "remove a device from your account",
+                # Users might call this multiple times in a row while cleaning up
+                # devices, allow a single UI auth session to be re-used.
+                can_skip_ui_auth=True,
+            )

        await self.device_handler.delete_devices(
            requester.user.to_string(), [device_id]