Drop support for calling /_matrix/client/v3/account/3pid/bind without an id_access_token (#13239)

Fixes #13201

Signed-off-by: Jacek Kusnierz jacek.kusnierz@tum.de
Jacek Kuśnierz 2022-07-12 20:48:29 +02:00 committed by GitHub
parent 52a0c8f2f7
commit 7218a0ca18
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 26 deletions


@ -0,0 +1 @@
Drop support for calling `/_matrix/client/v3/account/3pid/bind` without an `id_access_token`, which was not permitted by the spec. Contributed by @Vetchu.


@ -162,8 +162,7 @@ class IdentityHandler:
sid: str, sid: str,
mxid: str, mxid: str,
id_server: str, id_server: str,
id_access_token: Optional[str] = None, id_access_token: str,
use_v2: bool = True,
) -> JsonDict: ) -> JsonDict:
"""Bind a 3PID to an identity server """Bind a 3PID to an identity server
@ -173,8 +172,7 @@ class IdentityHandler:
mxid: The MXID to bind the 3PID to mxid: The MXID to bind the 3PID to
id_server: The domain of the identity server to query id_server: The domain of the identity server to query
id_access_token: The access token to authenticate to the identity id_access_token: The access token to authenticate to the identity
server with, if necessary. Required if use_v2 is true server with
use_v2: Whether to use v2 Identity Service API endpoints. Defaults to True
Raises: Raises:
SynapseError: On any of the following conditions SynapseError: On any of the following conditions
@ -186,24 +184,15 @@ class IdentityHandler:
""" """
logger.debug("Proxying threepid bind request for %s to %s", mxid, id_server) logger.debug("Proxying threepid bind request for %s to %s", mxid, id_server)
# If an id_access_token is not supplied, force usage of v1
if id_access_token is None:
use_v2 = False
if not valid_id_server_location(id_server): if not valid_id_server_location(id_server):
raise SynapseError( raise SynapseError(
400, 400,
"id_server must be a valid hostname with optional port and path components", "id_server must be a valid hostname with optional port and path components",
) )
# Decide which API endpoint URLs to use
headers = {}
bind_data = {"sid": sid, "client_secret": client_secret, "mxid": mxid} bind_data = {"sid": sid, "client_secret": client_secret, "mxid": mxid}
if use_v2: bind_url = "https://%s/_matrix/identity/v2/3pid/bind" % (id_server,)
bind_url = "https://%s/_matrix/identity/v2/3pid/bind" % (id_server,) headers = {"Authorization": create_id_access_token_header(id_access_token)}
headers["Authorization"] = create_id_access_token_header(id_access_token) # type: ignore
else:
bind_url = "https://%s/_matrix/identity/api/v1/3pid/bind" % (id_server,)
try: try:
# Use the blacklisting http client as this call is only to identity servers # Use the blacklisting http client as this call is only to identity servers
@ -222,21 +211,14 @@ class IdentityHandler:
return data return data
except HttpResponseException as e: except HttpResponseException as e:
if e.code != 404 or not use_v2: logger.error("3PID bind failed with Matrix error: %r", e)
logger.error("3PID bind failed with Matrix error: %r", e) raise e.to_synapse_error()
raise e.to_synapse_error()
except RequestTimedOutError: except RequestTimedOutError:
raise SynapseError(500, "Timed out contacting identity server") raise SynapseError(500, "Timed out contacting identity server")
except CodeMessageException as e: except CodeMessageException as e:
data = json_decoder.decode(e.msg) # XXX WAT? data = json_decoder.decode(e.msg) # XXX WAT?
return data return data
logger.info("Got 404 when POSTing JSON %s, falling back to v1 URL", bind_url)
res = await self.bind_threepid(
client_secret, sid, mxid, id_server, id_access_token, use_v2=False
)
return res
async def try_unbind_threepid(self, mxid: str, threepid: dict) -> bool: async def try_unbind_threepid(self, mxid: str, threepid: dict) -> bool:
"""Attempt to remove a 3PID from an identity server, or if one is not provided, all """Attempt to remove a 3PID from an identity server, or if one is not provided, all
identity servers we're aware the binding is present on identity servers we're aware the binding is present on
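Review bot: The `except CodeMessageException` branch near the end of `bind_threepid` still decodes `e.msg` and returns it, so an error response from the identity server is handed back to the caller as if the bind had succeeded, and a body that is not JSON would raise from `json_decoder.decode` rather than surface as a `SynapseError`. With the v1 fallback gone, this is the one remaining path whose intent is unstated beyond the `# XXX WAT?` marker. If no caller relies on it, consider treating it as a failure like the branch above it, e.g. `logger.warning("3PID bind to %s failed: %r", id_server, e)` followed by `raise SynapseError(502, "Identity server returned an error")`; otherwise replace the marker with a comment naming the responses expected here. The HTTP call itself sits between the visible hunks, so which exceptions actually reach this branch should be confirmed.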


@ -704,10 +704,12 @@ class ThreepidBindRestServlet(RestServlet):
async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]: async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
body = parse_json_object_from_request(request) body = parse_json_object_from_request(request)
assert_params_in_dict(body, ["id_server", "sid", "client_secret"]) assert_params_in_dict(
body, ["id_server", "sid", "id_access_token", "client_secret"]
)
id_server = body["id_server"] id_server = body["id_server"]
sid = body["sid"] sid = body["sid"]
id_access_token = body.get("id_access_token") # optional id_access_token = body["id_access_token"]
client_secret = body["client_secret"] client_secret = body["client_secret"]
assert_valid_client_secret(client_secret) assert_valid_client_secret(client_secret)
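Review bot: `assert_params_in_dict` in `on_POST` appears to check only that the keys are present, so a client can still send `id_access_token` as `null`, a number or an object, and that value now flows into `bind_threepid`, whose signature promises `str`, and from there into the Authorization header sent to the identity server. Reject non-string values at this boundary, for example `if not isinstance(id_access_token, str): raise SynapseError(400, "id_access_token must be a string", Codes.INVALID_PARAM)`, assuming `SynapseError` and `Codes` are already imported in this module. The same check would be worth applying to `id_server` and `sid`. The rest of `on_POST` is outside the hunk.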