mirror of
https://mau.dev/maunium/synapse.git
synced 2024-12-14 17:44:01 +01:00
Remove shared secret registration from client/r0/register endpoint
This type of registration was probably never used. It only includes the user name in the HMAC but not the password. Shared secret registration is still available via client/r0/admin/register. Signed-off-by: Manuel Stahl <manuel.stahl@awesome-technologies.de>
This commit is contained in:
parent
d514dac0b2
commit
0bab582fd6
2 changed files with 5 additions and 53 deletions
1
changelog.d/5877.removal
Normal file
1
changelog.d/5877.removal
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Remove shared secret registration from client/r0/register endpoint. Contributed by Awesome Technologies Innovationslabor GmbH.
|
|
@ -16,7 +16,6 @@
|
||||||
|
|
||||||
import hmac
|
import hmac
|
||||||
import logging
|
import logging
|
||||||
from hashlib import sha1
|
|
||||||
|
|
||||||
from six import string_types
|
from six import string_types
|
||||||
|
|
||||||
|
@ -239,14 +238,12 @@ class RegisterRestServlet(RestServlet):
|
||||||
|
|
||||||
# we do basic sanity checks here because the auth layer will store these
|
# we do basic sanity checks here because the auth layer will store these
|
||||||
# in sessions. Pull out the username/password provided to us.
|
# in sessions. Pull out the username/password provided to us.
|
||||||
desired_password = None
|
|
||||||
if "password" in body:
|
if "password" in body:
|
||||||
if (
|
if (
|
||||||
not isinstance(body["password"], string_types)
|
not isinstance(body["password"], string_types)
|
||||||
or len(body["password"]) > 512
|
or len(body["password"]) > 512
|
||||||
):
|
):
|
||||||
raise SynapseError(400, "Invalid password")
|
raise SynapseError(400, "Invalid password")
|
||||||
desired_password = body["password"]
|
|
||||||
|
|
||||||
desired_username = None
|
desired_username = None
|
||||||
if "username" in body:
|
if "username" in body:
|
||||||
|
@ -261,8 +258,8 @@ class RegisterRestServlet(RestServlet):
|
||||||
if self.auth.has_access_token(request):
|
if self.auth.has_access_token(request):
|
||||||
appservice = yield self.auth.get_appservice_by_req(request)
|
appservice = yield self.auth.get_appservice_by_req(request)
|
||||||
|
|
||||||
# fork off as soon as possible for ASes and shared secret auth which
|
# fork off as soon as possible for ASes which have completely
|
||||||
# have completely different registration flows to normal users
|
# different registration flows to normal users
|
||||||
|
|
||||||
# == Application Service Registration ==
|
# == Application Service Registration ==
|
||||||
if appservice:
|
if appservice:
|
||||||
|
@ -285,8 +282,8 @@ class RegisterRestServlet(RestServlet):
|
||||||
return (200, result) # we throw for non 200 responses
|
return (200, result) # we throw for non 200 responses
|
||||||
return
|
return
|
||||||
|
|
||||||
# for either shared secret or regular registration, downcase the
|
# for regular registration, downcase the provided username before
|
||||||
# provided username before attempting to register it. This should mean
|
# attempting to register it. This should mean
|
||||||
# that people who try to register with upper-case in their usernames
|
# that people who try to register with upper-case in their usernames
|
||||||
# don't get a nasty surprise. (Note that we treat username
|
# don't get a nasty surprise. (Note that we treat username
|
||||||
# case-insenstively in login, so they are free to carry on imagining
|
# case-insenstively in login, so they are free to carry on imagining
|
||||||
|
@ -294,16 +291,6 @@ class RegisterRestServlet(RestServlet):
|
||||||
if desired_username is not None:
|
if desired_username is not None:
|
||||||
desired_username = desired_username.lower()
|
desired_username = desired_username.lower()
|
||||||
|
|
||||||
# == Shared Secret Registration == (e.g. create new user scripts)
|
|
||||||
if "mac" in body:
|
|
||||||
# FIXME: Should we really be determining if this is shared secret
|
|
||||||
# auth based purely on the 'mac' key?
|
|
||||||
result = yield self._do_shared_secret_registration(
|
|
||||||
desired_username, desired_password, body
|
|
||||||
)
|
|
||||||
return (200, result) # we throw for non 200 responses
|
|
||||||
return
|
|
||||||
|
|
||||||
# == Normal User Registration == (everyone else)
|
# == Normal User Registration == (everyone else)
|
||||||
if not self.hs.config.enable_registration:
|
if not self.hs.config.enable_registration:
|
||||||
raise SynapseError(403, "Registration has been disabled")
|
raise SynapseError(403, "Registration has been disabled")
|
||||||
|
@ -512,42 +499,6 @@ class RegisterRestServlet(RestServlet):
|
||||||
)
|
)
|
||||||
return (yield self._create_registration_details(user_id, body))
|
return (yield self._create_registration_details(user_id, body))
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
|
||||||
def _do_shared_secret_registration(self, username, password, body):
|
|
||||||
if not self.hs.config.registration_shared_secret:
|
|
||||||
raise SynapseError(400, "Shared secret registration is not enabled")
|
|
||||||
if not username:
|
|
||||||
raise SynapseError(
|
|
||||||
400, "username must be specified", errcode=Codes.BAD_JSON
|
|
||||||
)
|
|
||||||
|
|
||||||
# use the username from the original request rather than the
|
|
||||||
# downcased one in `username` for the mac calculation
|
|
||||||
user = body["username"].encode("utf-8")
|
|
||||||
|
|
||||||
# str() because otherwise hmac complains that 'unicode' does not
|
|
||||||
# have the buffer interface
|
|
||||||
got_mac = str(body["mac"])
|
|
||||||
|
|
||||||
# FIXME this is different to the /v1/register endpoint, which
|
|
||||||
# includes the password and admin flag in the hashed text. Why are
|
|
||||||
# these different?
|
|
||||||
want_mac = hmac.new(
|
|
||||||
key=self.hs.config.registration_shared_secret.encode(),
|
|
||||||
msg=user,
|
|
||||||
digestmod=sha1,
|
|
||||||
).hexdigest()
|
|
||||||
|
|
||||||
if not compare_digest(want_mac, got_mac):
|
|
||||||
raise SynapseError(403, "HMAC incorrect")
|
|
||||||
|
|
||||||
user_id = yield self.registration_handler.register_user(
|
|
||||||
localpart=username, password=password
|
|
||||||
)
|
|
||||||
|
|
||||||
result = yield self._create_registration_details(user_id, body)
|
|
||||||
return result
|
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def _create_registration_details(self, user_id, params):
|
def _create_registration_details(self, user_id, params):
|
||||||
"""Complete registration of newly-registered user
|
"""Complete registration of newly-registered user
|
||||||
|
|
Loading…
Reference in a new issue