mirror of
https://github.com/matrix-org/dendrite
synced 2024-12-13 13:03:15 +01:00
Do not check if a username is exclusive if the request is for an appservice in /register (#1652)
* Do not check if a username is exclusive if the request is for an appservice in /register * remove useless comment * Move statements * fix broken test * Also fix the senderLocalpart problem * Check domain name is ours * Handle accessTokenErr * Return unauthorised instead of forbidden Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
This commit is contained in:
parent
4fe4c180e6
commit
e4d1f0958f
1 changed files with 50 additions and 36 deletions
|
@ -328,7 +328,22 @@ func UserIDIsWithinApplicationServiceNamespace(
|
|||
userID string,
|
||||
appservice *config.ApplicationService,
|
||||
) bool {
|
||||
|
||||
var local, domain, err = gomatrixserverlib.SplitID('@', userID)
|
||||
if err != nil {
|
||||
// Not a valid userID
|
||||
return false
|
||||
}
|
||||
|
||||
if domain != cfg.Matrix.ServerName {
|
||||
return false
|
||||
}
|
||||
|
||||
if appservice != nil {
|
||||
if appservice.SenderLocalpart == local {
|
||||
return true
|
||||
}
|
||||
|
||||
// Loop through given application service's namespaces and see if any match
|
||||
for _, namespace := range appservice.NamespaceMap["users"] {
|
||||
// AS namespaces are checked for validity in config
|
||||
|
@ -341,6 +356,9 @@ func UserIDIsWithinApplicationServiceNamespace(
|
|||
|
||||
// Loop through all known application service's namespaces and see if any match
|
||||
for _, knownAppService := range cfg.Derived.ApplicationServices {
|
||||
if knownAppService.SenderLocalpart == local {
|
||||
return true
|
||||
}
|
||||
for _, namespace := range knownAppService.NamespaceMap["users"] {
|
||||
// AS namespaces are checked for validity in config
|
||||
if namespace.RegexpObject.MatchString(userID) {
|
||||
|
@ -488,17 +506,6 @@ func Register(
|
|||
return *resErr
|
||||
}
|
||||
|
||||
// Make sure normal user isn't registering under an exclusive application
|
||||
// service namespace. Skip this check if no app services are registered.
|
||||
if r.Auth.Type != authtypes.LoginTypeApplicationService &&
|
||||
len(cfg.Derived.ApplicationServices) != 0 &&
|
||||
UsernameMatchesExclusiveNamespaces(cfg, r.Username) {
|
||||
return util.JSONResponse{
|
||||
Code: http.StatusBadRequest,
|
||||
JSON: jsonerror.ASExclusive("This username is reserved by an application service."),
|
||||
}
|
||||
}
|
||||
|
||||
logger := util.GetLogger(req.Context())
|
||||
logger.WithFields(log.Fields{
|
||||
"username": r.Username,
|
||||
|
@ -581,11 +588,39 @@ func handleRegistrationFlow(
|
|||
// TODO: Handle mapping registrationRequest parameters into session parameters
|
||||
|
||||
// TODO: email / msisdn auth types.
|
||||
accessToken, accessTokenErr := auth.ExtractAccessToken(req)
|
||||
if accessTokenErr != nil {
|
||||
return util.JSONResponse{
|
||||
Code: http.StatusUnauthorized,
|
||||
JSON: jsonerror.MissingToken(accessTokenErr.Error()),
|
||||
}
|
||||
}
|
||||
|
||||
// Appservices are special and are not affected by disabled
|
||||
// registration or user exclusivity.
|
||||
if r.Auth.Type == authtypes.LoginTypeApplicationService ||
|
||||
(r.Auth.Type == "" && accessTokenErr == nil) {
|
||||
return handleApplicationServiceRegistration(
|
||||
accessToken, accessTokenErr, req, r, cfg, userAPI,
|
||||
)
|
||||
}
|
||||
|
||||
if cfg.RegistrationDisabled && r.Auth.Type != authtypes.LoginTypeSharedSecret {
|
||||
return util.MessageResponse(http.StatusForbidden, "Registration has been disabled")
|
||||
}
|
||||
|
||||
// Make sure normal user isn't registering under an exclusive application
|
||||
// service namespace. Skip this check if no app services are registered.
|
||||
// If an access token is provided, ignore this check this is an appservice
|
||||
// request and we will validate in validateApplicationService
|
||||
if len(cfg.Derived.ApplicationServices) != 0 &&
|
||||
UsernameMatchesExclusiveNamespaces(cfg, r.Username) {
|
||||
return util.JSONResponse{
|
||||
Code: http.StatusBadRequest,
|
||||
JSON: jsonerror.ASExclusive("This username is reserved by an application service."),
|
||||
}
|
||||
}
|
||||
|
||||
switch r.Auth.Type {
|
||||
case authtypes.LoginTypeRecaptcha:
|
||||
// Check given captcha response
|
||||
|
@ -611,36 +646,15 @@ func handleRegistrationFlow(
|
|||
// Add SharedSecret to the list of completed registration stages
|
||||
AddCompletedSessionStage(sessionID, authtypes.LoginTypeSharedSecret)
|
||||
|
||||
case "":
|
||||
// Extract the access token from the request, if there's one to extract
|
||||
// (which we can know by checking whether the error is nil or not).
|
||||
accessToken, err := auth.ExtractAccessToken(req)
|
||||
|
||||
// A missing auth type can mean either the registration is performed by
|
||||
// an AS or the request is made as the first step of a registration
|
||||
// using the User-Interactive Authentication API. This can be determined
|
||||
// by whether the request contains an access token.
|
||||
if err == nil {
|
||||
return handleApplicationServiceRegistration(
|
||||
accessToken, err, req, r, cfg, userAPI,
|
||||
)
|
||||
}
|
||||
|
||||
case authtypes.LoginTypeApplicationService:
|
||||
// Extract the access token from the request.
|
||||
accessToken, err := auth.ExtractAccessToken(req)
|
||||
// Let the AS registration handler handle the process from here. We
|
||||
// don't need a condition on that call since the registration is clearly
|
||||
// stated as being AS-related.
|
||||
return handleApplicationServiceRegistration(
|
||||
accessToken, err, req, r, cfg, userAPI,
|
||||
)
|
||||
|
||||
case authtypes.LoginTypeDummy:
|
||||
// there is nothing to do
|
||||
// Add Dummy to the list of completed registration stages
|
||||
AddCompletedSessionStage(sessionID, authtypes.LoginTypeDummy)
|
||||
|
||||
case "":
|
||||
// An empty auth type means that we want to fetch the available
|
||||
// flows. It can also mean that we want to register as an appservice
|
||||
// but that is handed above.
|
||||
default:
|
||||
return util.JSONResponse{
|
||||
Code: http.StatusNotImplemented,
|
||||
|
|
Loading…
Reference in a new issue