mirror of
https://mau.dev/maunium/synapse.git
synced 2024-12-14 12:23:48 +01:00
Split out password/captcha/email logic.
This commit is contained in:
parent
34878bc26a
commit
285ecaacd0
2 changed files with 220 additions and 143 deletions
|
@ -40,8 +40,7 @@ class RegistrationHandler(BaseHandler):
|
|||
self.distributor.declare("registered_user")
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def register(self, localpart=None, password=None, threepidCreds=None,
|
||||
captcha_info={}):
|
||||
def register(self, localpart=None, password=None):
|
||||
"""Registers a new client on the server.
|
||||
|
||||
Args:
|
||||
|
@ -54,37 +53,6 @@ class RegistrationHandler(BaseHandler):
|
|||
Raises:
|
||||
RegistrationError if there was a problem registering.
|
||||
"""
|
||||
if captcha_info:
|
||||
captcha_response = yield self._validate_captcha(
|
||||
captcha_info["ip"],
|
||||
captcha_info["private_key"],
|
||||
captcha_info["challenge"],
|
||||
captcha_info["response"]
|
||||
)
|
||||
if not captcha_response["valid"]:
|
||||
logger.info("Invalid captcha entered from %s. Error: %s",
|
||||
captcha_info["ip"], captcha_response["error_url"])
|
||||
raise InvalidCaptchaError(
|
||||
error_url=captcha_response["error_url"]
|
||||
)
|
||||
else:
|
||||
logger.info("Valid captcha entered from %s", captcha_info["ip"])
|
||||
|
||||
if threepidCreds:
|
||||
for c in threepidCreds:
|
||||
logger.info("validating theeepidcred sid %s on id server %s",
|
||||
c['sid'], c['idServer'])
|
||||
try:
|
||||
threepid = yield self._threepid_from_creds(c)
|
||||
except:
|
||||
logger.err()
|
||||
raise RegistrationError(400, "Couldn't validate 3pid")
|
||||
|
||||
if not threepid:
|
||||
raise RegistrationError(400, "Couldn't validate 3pid")
|
||||
logger.info("got threepid medium %s address %s",
|
||||
threepid['medium'], threepid['address'])
|
||||
|
||||
password_hash = None
|
||||
if password:
|
||||
password_hash = bcrypt.hashpw(password, bcrypt.gensalt())
|
||||
|
@ -126,15 +94,54 @@ class RegistrationHandler(BaseHandler):
|
|||
raise RegistrationError(
|
||||
500, "Cannot generate user ID.")
|
||||
|
||||
# Now we have a matrix ID, bind it to the threepids we were given
|
||||
if threepidCreds:
|
||||
for c in threepidCreds:
|
||||
# XXX: This should be a deferred list, shouldn't it?
|
||||
yield self._bind_threepid(c, user_id)
|
||||
|
||||
|
||||
defer.returnValue((user_id, token))
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def check_recaptcha(self, ip, private_key, challenge, response):
|
||||
"""Checks a recaptcha is correct."""
|
||||
|
||||
captcha_response = yield self._validate_captcha(
|
||||
ip,
|
||||
private_key,
|
||||
challenge,
|
||||
response
|
||||
)
|
||||
if not captcha_response["valid"]:
|
||||
logger.info("Invalid captcha entered from %s. Error: %s",
|
||||
ip, captcha_response["error_url"])
|
||||
raise InvalidCaptchaError(
|
||||
error_url=captcha_response["error_url"]
|
||||
)
|
||||
else:
|
||||
logger.info("Valid captcha entered from %s", ip)
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def register_email(self, threepidCreds):
|
||||
"""Registers emails with an identity server."""
|
||||
|
||||
for c in threepidCreds:
|
||||
logger.info("validating theeepidcred sid %s on id server %s",
|
||||
c['sid'], c['idServer'])
|
||||
try:
|
||||
threepid = yield self._threepid_from_creds(c)
|
||||
except:
|
||||
logger.err()
|
||||
raise RegistrationError(400, "Couldn't validate 3pid")
|
||||
|
||||
if not threepid:
|
||||
raise RegistrationError(400, "Couldn't validate 3pid")
|
||||
logger.info("got threepid medium %s address %s",
|
||||
threepid['medium'], threepid['address'])
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def bind_emails(self, user_id, threepidCreds):
|
||||
"""Links emails with a user ID and informs an identity server."""
|
||||
|
||||
# Now we have a matrix ID, bind it to the threepids we were given
|
||||
for c in threepidCreds:
|
||||
# XXX: This should be a deferred list, shouldn't it?
|
||||
yield self._bind_threepid(c, user_id)
|
||||
|
||||
def _generate_token(self, user_id):
|
||||
# urlsafe variant uses _ and - so use . as the separator and replace
|
||||
# all =s with .s so http clients don't quote =s when it is used as
|
||||
|
@ -149,17 +156,17 @@ class RegistrationHandler(BaseHandler):
|
|||
def _threepid_from_creds(self, creds):
|
||||
httpCli = PlainHttpClient(self.hs)
|
||||
# XXX: make this configurable!
|
||||
trustedIdServers = [ 'matrix.org:8090' ]
|
||||
trustedIdServers = ['matrix.org:8090']
|
||||
if not creds['idServer'] in trustedIdServers:
|
||||
logger.warn('%s is not a trusted ID server: rejecting 3pid '+
|
||||
logger.warn('%s is not a trusted ID server: rejecting 3pid ' +
|
||||
'credentials', creds['idServer'])
|
||||
defer.returnValue(None)
|
||||
data = yield httpCli.get_json(
|
||||
creds['idServer'],
|
||||
"/_matrix/identity/api/v1/3pid/getValidated3pid",
|
||||
{ 'sid': creds['sid'], 'clientSecret': creds['clientSecret'] }
|
||||
{'sid': creds['sid'], 'clientSecret': creds['clientSecret']}
|
||||
)
|
||||
|
||||
|
||||
if 'medium' in data:
|
||||
defer.returnValue(data)
|
||||
defer.returnValue(None)
|
||||
|
@ -170,44 +177,45 @@ class RegistrationHandler(BaseHandler):
|
|||
data = yield httpCli.post_urlencoded_get_json(
|
||||
creds['idServer'],
|
||||
"/_matrix/identity/api/v1/3pid/bind",
|
||||
{ 'sid': creds['sid'], 'clientSecret': creds['clientSecret'],
|
||||
'mxid':mxid }
|
||||
{'sid': creds['sid'], 'clientSecret': creds['clientSecret'],
|
||||
'mxid': mxid}
|
||||
)
|
||||
defer.returnValue(data)
|
||||
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def _validate_captcha(self, ip_addr, private_key, challenge, response):
|
||||
"""Validates the captcha provided.
|
||||
|
||||
|
||||
Returns:
|
||||
dict: Containing 'valid'(bool) and 'error_url'(str) if invalid.
|
||||
|
||||
|
||||
"""
|
||||
response = yield self._submit_captcha(ip_addr, private_key, challenge,
|
||||
response = yield self._submit_captcha(ip_addr, private_key, challenge,
|
||||
response)
|
||||
# parse Google's response. Lovely format..
|
||||
lines = response.split('\n')
|
||||
json = {
|
||||
"valid": lines[0] == 'true',
|
||||
"error_url": "http://www.google.com/recaptcha/api/challenge?"+
|
||||
"error_url": "http://www.google.com/recaptcha/api/challenge?" +
|
||||
"error=%s" % lines[1]
|
||||
}
|
||||
defer.returnValue(json)
|
||||
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def _submit_captcha(self, ip_addr, private_key, challenge, response):
|
||||
client = PlainHttpClient(self.hs)
|
||||
data = yield client.post_urlencoded_get_raw(
|
||||
"www.google.com:80",
|
||||
"/recaptcha/api/verify",
|
||||
accept_partial=True, # twisted dislikes google's response, no content length.
|
||||
args={
|
||||
'privatekey': private_key,
|
||||
# twisted dislikes google's response, no content length.
|
||||
accept_partial=True,
|
||||
args={
|
||||
'privatekey': private_key,
|
||||
'remoteip': ip_addr,
|
||||
'challenge': challenge,
|
||||
'response': response
|
||||
}
|
||||
)
|
||||
defer.returnValue(data)
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -19,28 +19,62 @@ from twisted.internet import defer
|
|||
from synapse.api.errors import SynapseError, Codes
|
||||
from synapse.api.constants import LoginType
|
||||
from base import RestServlet, client_path_pattern
|
||||
import synapse.util.stringutils as stringutils
|
||||
|
||||
import json
|
||||
import logging
|
||||
import urllib
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class RegisterRestServlet(RestServlet):
|
||||
"""Handles registration with the home server.
|
||||
|
||||
This servlet is in control of the registration flow; the registration
|
||||
handler doesn't have a concept of multi-stages or sessions.
|
||||
"""
|
||||
|
||||
PATTERN = client_path_pattern("/register$")
|
||||
|
||||
def __init__(self, hs):
|
||||
super(RegisterRestServlet, self).__init__(hs)
|
||||
# sessions are stored as:
|
||||
# self.sessions = {
|
||||
# "session_id" : { __session_dict__ }
|
||||
# }
|
||||
# TODO: persistent storage
|
||||
self.sessions = {}
|
||||
|
||||
def on_GET(self, request):
|
||||
return (200, {
|
||||
"flows": [
|
||||
{
|
||||
"type": LoginType.RECAPTCHA,
|
||||
"stages": ([LoginType.RECAPTCHA, LoginType.EMAIL_IDENTITY,
|
||||
LoginType.PASSWORD])
|
||||
},
|
||||
{
|
||||
"type": LoginType.RECAPTCHA,
|
||||
"stages": [LoginType.RECAPTCHA, LoginType.PASSWORD]
|
||||
},
|
||||
]
|
||||
})
|
||||
if self.hs.config.enable_registration_captcha:
|
||||
return (200, {
|
||||
"flows": [
|
||||
{
|
||||
"type": LoginType.RECAPTCHA,
|
||||
"stages": ([LoginType.RECAPTCHA,
|
||||
LoginType.EMAIL_IDENTITY,
|
||||
LoginType.PASSWORD])
|
||||
},
|
||||
{
|
||||
"type": LoginType.RECAPTCHA,
|
||||
"stages": [LoginType.RECAPTCHA, LoginType.PASSWORD]
|
||||
}
|
||||
]
|
||||
})
|
||||
else:
|
||||
return (200, {
|
||||
"flows": [
|
||||
{
|
||||
"type": LoginType.EMAIL_IDENTITY,
|
||||
"stages": ([LoginType.EMAIL_IDENTITY,
|
||||
LoginType.PASSWORD])
|
||||
},
|
||||
{
|
||||
"type": LoginType.PASSWORD
|
||||
}
|
||||
]
|
||||
})
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def on_POST(self, request):
|
||||
|
@ -56,96 +90,130 @@ class RegisterRestServlet(RestServlet):
|
|||
LoginType.EMAIL_IDENTITY: self._do_email_identity
|
||||
}
|
||||
|
||||
session_info = None
|
||||
if session:
|
||||
session_info = self._get_session_info(session)
|
||||
session_info = self._get_session_info(request, session)
|
||||
logger.debug("%s : session info %s request info %s",
|
||||
login_type, session_info, register_json)
|
||||
response = yield stages[login_type](
|
||||
request,
|
||||
register_json,
|
||||
session_info
|
||||
)
|
||||
|
||||
if "access_token" not in response:
|
||||
# isn't a final response
|
||||
response["session"] = session_info["id"]
|
||||
|
||||
response = yield stages[login_type](register_json, session_info)
|
||||
defer.returnValue((200, response))
|
||||
except KeyError:
|
||||
raise SynapseError(400, "Bad login type.")
|
||||
except KeyError as e:
|
||||
logger.exception(e)
|
||||
raise SynapseError(400, "Missing JSON keys or bad login type.")
|
||||
|
||||
def on_OPTIONS(self, request):
|
||||
return (200, {})
|
||||
|
||||
desired_user_id = None
|
||||
password = None
|
||||
|
||||
if "password" in register_json:
|
||||
password = register_json["password"].encode("utf-8")
|
||||
|
||||
if ("user_id" in register_json and
|
||||
type(register_json["user_id"]) == unicode):
|
||||
desired_user_id = register_json["user_id"].encode("utf-8")
|
||||
if urllib.quote(desired_user_id) != desired_user_id:
|
||||
raise SynapseError(
|
||||
400,
|
||||
"User ID must only contain characters which do not " +
|
||||
"require URL encoding.")
|
||||
|
||||
threepidCreds = None
|
||||
if 'threepidCreds' in register_json:
|
||||
threepidCreds = register_json['threepidCreds']
|
||||
|
||||
captcha = {}
|
||||
if self.hs.config.enable_registration_captcha:
|
||||
challenge = None
|
||||
user_response = None
|
||||
try:
|
||||
captcha_type = register_json["captcha"]["type"]
|
||||
if captcha_type != "m.login.recaptcha":
|
||||
raise SynapseError(400, "Sorry, only m.login.recaptcha " +
|
||||
"requests are supported.")
|
||||
challenge = register_json["captcha"]["challenge"]
|
||||
user_response = register_json["captcha"]["response"]
|
||||
except KeyError:
|
||||
raise SynapseError(400, "Captcha response is required",
|
||||
errcode=Codes.CAPTCHA_NEEDED)
|
||||
|
||||
# TODO determine the source IP : May be an X-Forwarding-For header depending on config
|
||||
ip_addr = request.getClientIP()
|
||||
if self.hs.config.captcha_ip_origin_is_x_forwarded:
|
||||
# use the header
|
||||
if request.requestHeaders.hasHeader("X-Forwarded-For"):
|
||||
ip_addr = request.requestHeaders.getRawHeaders(
|
||||
"X-Forwarded-For")[0]
|
||||
|
||||
captcha = {
|
||||
"ip": ip_addr,
|
||||
"private_key": self.hs.config.recaptcha_private_key,
|
||||
"challenge": challenge,
|
||||
"response": user_response
|
||||
def _get_session_info(self, request, session_id):
|
||||
if not session_id:
|
||||
# create a new session
|
||||
while session_id is None or session_id in self.sessions:
|
||||
session_id = stringutils.random_string(24)
|
||||
self.sessions[session_id] = {
|
||||
"id": session_id,
|
||||
LoginType.EMAIL_IDENTITY: False,
|
||||
LoginType.RECAPTCHA: False
|
||||
}
|
||||
|
||||
return self.sessions[session_id]
|
||||
|
||||
def _save_session(self, session):
|
||||
# TODO: Persistent storage
|
||||
logger.debug("Saving session %s", session)
|
||||
self.sessions[session["id"]] = session
|
||||
|
||||
def _remove_session(self, session):
|
||||
logger.debug("Removing session %s", session)
|
||||
self.sessions.pop(session["id"])
|
||||
|
||||
def _do_recaptcha(self, request, register_json, session):
|
||||
if not self.hs.config.enable_registration_captcha:
|
||||
raise SynapseError(400, "Captcha not required.")
|
||||
|
||||
challenge = None
|
||||
user_response = None
|
||||
try:
|
||||
challenge = register_json["challenge"]
|
||||
user_response = register_json["response"]
|
||||
except KeyError:
|
||||
raise SynapseError(400, "Captcha response is required",
|
||||
errcode=Codes.CAPTCHA_NEEDED)
|
||||
|
||||
# May be an X-Forwarding-For header depending on config
|
||||
ip_addr = request.getClientIP()
|
||||
if self.hs.config.captcha_ip_origin_is_x_forwarded:
|
||||
# use the header
|
||||
if request.requestHeaders.hasHeader("X-Forwarded-For"):
|
||||
ip_addr = request.requestHeaders.getRawHeaders(
|
||||
"X-Forwarded-For")[0]
|
||||
|
||||
handler = self.handlers.registration_handler
|
||||
yield handler.check_recaptcha(
|
||||
ip_addr,
|
||||
self.hs.config.recaptcha_private_key,
|
||||
challenge,
|
||||
user_response
|
||||
)
|
||||
session[LoginType.RECAPTCHA] = True # mark captcha as done
|
||||
self._save_session(session)
|
||||
defer.returnValue({
|
||||
"next": [LoginType.PASSWORD, LoginType.EMAIL_IDENTITY]
|
||||
})
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def _do_email_identity(self, request, register_json, session):
|
||||
if (self.hs.config.enable_registration_captcha and
|
||||
not session[LoginType.RECAPTCHA]):
|
||||
raise SynapseError(400, "Captcha is required.")
|
||||
|
||||
threepidCreds = register_json['threepidCreds']
|
||||
handler = self.handlers.registration_handler
|
||||
yield handler.register_email(threepidCreds)
|
||||
session["threepidCreds"] = threepidCreds # store creds for next stage
|
||||
session[LoginType.EMAIL_IDENTITY] = True # mark email as done
|
||||
self._save_session(session)
|
||||
defer.returnValue({
|
||||
"next": LoginType.PASSWORD
|
||||
})
|
||||
|
||||
@defer.inlineCallbacks
|
||||
def _do_password(self, request, register_json, session):
|
||||
if (self.hs.config.enable_registration_captcha and
|
||||
not session[LoginType.RECAPTCHA]):
|
||||
# captcha should've been done by this stage!
|
||||
raise SynapseError(400, "Captcha is required.")
|
||||
|
||||
password = register_json["password"].encode("utf-8")
|
||||
desired_user_id = (register_json["user_id"].encode("utf-8") if "user_id"
|
||||
in register_json else None)
|
||||
if desired_user_id and urllib.quote(desired_user_id) != desired_user_id:
|
||||
raise SynapseError(
|
||||
400,
|
||||
"User ID must only contain characters which do not " +
|
||||
"require URL encoding.")
|
||||
handler = self.handlers.registration_handler
|
||||
(user_id, token) = yield handler.register(
|
||||
localpart=desired_user_id,
|
||||
password=password,
|
||||
threepidCreds=threepidCreds,
|
||||
captcha_info=captcha)
|
||||
password=password
|
||||
)
|
||||
|
||||
if session[LoginType.EMAIL_IDENTITY]:
|
||||
yield handler.bind_emails(user_id, session["threepidCreds"])
|
||||
|
||||
result = {
|
||||
"user_id": user_id,
|
||||
"access_token": token,
|
||||
"home_server": self.hs.hostname,
|
||||
}
|
||||
defer.returnValue(
|
||||
(200, result)
|
||||
)
|
||||
|
||||
def on_OPTIONS(self, request):
|
||||
return (200, {})
|
||||
|
||||
def _get_session_info(self, session_id):
|
||||
pass
|
||||
|
||||
def _do_recaptcha(self, register_json, session):
|
||||
pass
|
||||
|
||||
def _do_email_identity(self, register_json, session):
|
||||
pass
|
||||
|
||||
def _do_password(self, register_json, session):
|
||||
pass
|
||||
self._remove_session(session)
|
||||
defer.returnValue(result)
|
||||
|
||||
|
||||
def _parse_json(request):
|
||||
|
@ -157,5 +225,6 @@ def _parse_json(request):
|
|||
except ValueError:
|
||||
raise SynapseError(400, "Content not JSON.")
|
||||
|
||||
|
||||
def register_servlets(hs, http_server):
|
||||
RegisterRestServlet(hs).register(http_server)
|
||||
|
|
Loading…
Reference in a new issue