Add User-Interactive Auth to /account/3pid/add (#6119)

Andrew Morgan 2019-11-29 13:51:14 +00:00 committed by GitHub
parent 1c3a61529f
commit 23ea572125
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 0 deletions

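--- a/changelog.d/6119.feature
+++ b/changelog.d/6119.feature
@@ -0,0 +1 @@
+Require User-Interactive Authentication for `/account/3pid/add`, meaning the user's password will be required to add a third-party ID to their account.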


@ -642,6 +642,7 @@ class ThreepidAddRestServlet(RestServlet):
self.auth = hs.get_auth() self.auth = hs.get_auth()
self.auth_handler = hs.get_auth_handler() self.auth_handler = hs.get_auth_handler()
@interactive_auth_handler
@defer.inlineCallbacks @defer.inlineCallbacks
def on_POST(self, request): def on_POST(self, request):
requester = yield self.auth.get_user_by_req(request) requester = yield self.auth.get_user_by_req(request)
@ -652,6 +653,10 @@ class ThreepidAddRestServlet(RestServlet):
client_secret = body["client_secret"] client_secret = body["client_secret"]
sid = body["sid"] sid = body["sid"]
yield self.auth_handler.validate_user_via_ui_auth(
requester, body, self.hs.get_ip_from_request(request)
)
validation_session = yield self.identity_handler.validate_threepid_session( validation_session = yield self.identity_handler.validate_threepid_session(
client_secret, sid client_secret, sid
) )
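Review bot: The result of `validate_user_via_ui_auth` is discarded in the second hunk, and `client_secret` and `sid` are read from `body` before the check, so `validate_threepid_session` receives whatever the final request carries. If the handler returns the parameters stored with the auth session (not visible on this page, so to be confirmed), taking the values from its result would tie the approved session to the 3PID session being added: `params = yield self.auth_handler.validate_user_via_ui_auth(...)`, then `client_secret = params["client_secret"]` and `sid = params["sid"]`. The commit touches only the servlet and a changelog entry, so a test asserting that a POST without an `auth` section is rejected with a 401 would be worth adding. `on_POST` begins in the first hunk and continues past the end of the second, and the assignment of `self.hs` used in the new call is not visible in either hunk.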