modules/client/devices: Implement 14.10.2 security considerations.

2024-06-16 08:58:20 +02:00 · 2019-02-20 15:45:32 -08:00 · 2019-02-20 15:45:32 -08:00 · 964d6b427f
parent 5b962205d1
commit 964d6b427f
2 changed files with 75 additions and 8 deletions
--- a/modules/client/delete_devices.cc
+++ b/modules/client/delete_devices.cc
@ -48,6 +48,9 @@ method_post
 	}
 };

+extern const std::string
+flows;
+
 resource::response
 post__delete_devices(client &client,
                     const resource::request &request)
@ -62,15 +65,20 @@ post__delete_devices(client &client,
 		request["auth"]
 	};

-	const string_view &type
-	{
-		auth.at("type")
-	};
+	// 14.10.2 Security considerations
+	const json::string &type{auth["type"]};
+	if(type != "m.login.password")
+		return resource::response
+		{
+			client, http::UNAUTHORIZED, json::object{flows}
+		};

-	const string_view &session
-	{
-		auth["session"]
-	};
+	const json::string &password{auth["password"]};
+	if(!m::user(request.user_id).is_password(password))
+		throw m::ACCESS_DENIED
+		{
+			"Incorrect password."
+		};

 	for(const json::string &device_id : devices)
 		m::device::del(request.user_id, device_id);
@ -80,3 +88,21 @@ post__delete_devices(client &client,
 		client, http::OK
 	};
 }
+
+const std::string
+flows
+{
+	ircd::string(512 | SHRINK_TO_FIT, [](const mutable_buffer &buf)
+	{
+		json::stack out{buf};
+		{
+			json::stack::object top{out};
+			json::stack::array flows{top, "flows"};
+			json::stack::object flow{flows};
+			json::stack::array stages{flow, "stages"};
+			stages.append("m.login.password");
+		}
+
+		return out.completed();
+	})
+};
--- a/modules/client/devices.cc
+++ b/modules/client/devices.cc
@ -197,6 +197,9 @@ method_put
 	}
 };

+extern const std::string
+flows;
+
 resource::response
 delete__devices(client &client,
                const resource::request &request)
@ -212,6 +215,26 @@ delete__devices(client &client,
 		url::decode(device_id, request.parv[1])
 	};

+	const json::object &auth
+	{
+		request["auth"]
+	};
+
+	// 14.10.2 Security considerations
+	const json::string &type{auth["type"]};
+	if(type != "m.login.password")
+		return resource::response
+		{
+			client, http::UNAUTHORIZED, json::object{flows}
+		};
+
+	const json::string &password{auth["password"]};
+	if(!m::user(request.user_id).is_password(password))
+		throw m::ACCESS_DENIED
+		{
+			"Incorrect password."
+		};
+
 	m::device::del(request.user_id, device_id);

 	return resource::response
@ -228,3 +251,21 @@ method_delete
 		method_delete.REQUIRES_AUTH
 	}
 };
+
+const std::string
+flows
+{
+	ircd::string(512 | SHRINK_TO_FIT, [](const mutable_buffer &buf)
+	{
+		json::stack out{buf};
+		{
+			json::stack::object top{out};
+			json::stack::array flows{top, "flows"};
+			json::stack::object flow{flows};
+			json::stack::array stages{flow, "stages"};
+			stages.append("m.login.password");
+		}
+
+		return out.completed();
+	})
+};