mirror of
https://mau.dev/maunium/synapse.git
synced 2024-12-14 17:44:01 +01:00
Split out password/captcha/email logic.
This commit is contained in:
parent
34878bc26a
commit
285ecaacd0
2 changed files with 220 additions and 143 deletions
|
@ -40,8 +40,7 @@ class RegistrationHandler(BaseHandler):
|
||||||
self.distributor.declare("registered_user")
|
self.distributor.declare("registered_user")
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def register(self, localpart=None, password=None, threepidCreds=None,
|
def register(self, localpart=None, password=None):
|
||||||
captcha_info={}):
|
|
||||||
"""Registers a new client on the server.
|
"""Registers a new client on the server.
|
||||||
|
|
||||||
Args:
|
Args:
|
||||||
|
@ -54,37 +53,6 @@ class RegistrationHandler(BaseHandler):
|
||||||
Raises:
|
Raises:
|
||||||
RegistrationError if there was a problem registering.
|
RegistrationError if there was a problem registering.
|
||||||
"""
|
"""
|
||||||
if captcha_info:
|
|
||||||
captcha_response = yield self._validate_captcha(
|
|
||||||
captcha_info["ip"],
|
|
||||||
captcha_info["private_key"],
|
|
||||||
captcha_info["challenge"],
|
|
||||||
captcha_info["response"]
|
|
||||||
)
|
|
||||||
if not captcha_response["valid"]:
|
|
||||||
logger.info("Invalid captcha entered from %s. Error: %s",
|
|
||||||
captcha_info["ip"], captcha_response["error_url"])
|
|
||||||
raise InvalidCaptchaError(
|
|
||||||
error_url=captcha_response["error_url"]
|
|
||||||
)
|
|
||||||
else:
|
|
||||||
logger.info("Valid captcha entered from %s", captcha_info["ip"])
|
|
||||||
|
|
||||||
if threepidCreds:
|
|
||||||
for c in threepidCreds:
|
|
||||||
logger.info("validating theeepidcred sid %s on id server %s",
|
|
||||||
c['sid'], c['idServer'])
|
|
||||||
try:
|
|
||||||
threepid = yield self._threepid_from_creds(c)
|
|
||||||
except:
|
|
||||||
logger.err()
|
|
||||||
raise RegistrationError(400, "Couldn't validate 3pid")
|
|
||||||
|
|
||||||
if not threepid:
|
|
||||||
raise RegistrationError(400, "Couldn't validate 3pid")
|
|
||||||
logger.info("got threepid medium %s address %s",
|
|
||||||
threepid['medium'], threepid['address'])
|
|
||||||
|
|
||||||
password_hash = None
|
password_hash = None
|
||||||
if password:
|
if password:
|
||||||
password_hash = bcrypt.hashpw(password, bcrypt.gensalt())
|
password_hash = bcrypt.hashpw(password, bcrypt.gensalt())
|
||||||
|
@ -126,15 +94,54 @@ class RegistrationHandler(BaseHandler):
|
||||||
raise RegistrationError(
|
raise RegistrationError(
|
||||||
500, "Cannot generate user ID.")
|
500, "Cannot generate user ID.")
|
||||||
|
|
||||||
|
defer.returnValue((user_id, token))
|
||||||
|
|
||||||
|
@defer.inlineCallbacks
|
||||||
|
def check_recaptcha(self, ip, private_key, challenge, response):
|
||||||
|
"""Checks a recaptcha is correct."""
|
||||||
|
|
||||||
|
captcha_response = yield self._validate_captcha(
|
||||||
|
ip,
|
||||||
|
private_key,
|
||||||
|
challenge,
|
||||||
|
response
|
||||||
|
)
|
||||||
|
if not captcha_response["valid"]:
|
||||||
|
logger.info("Invalid captcha entered from %s. Error: %s",
|
||||||
|
ip, captcha_response["error_url"])
|
||||||
|
raise InvalidCaptchaError(
|
||||||
|
error_url=captcha_response["error_url"]
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
logger.info("Valid captcha entered from %s", ip)
|
||||||
|
|
||||||
|
@defer.inlineCallbacks
|
||||||
|
def register_email(self, threepidCreds):
|
||||||
|
"""Registers emails with an identity server."""
|
||||||
|
|
||||||
|
for c in threepidCreds:
|
||||||
|
logger.info("validating theeepidcred sid %s on id server %s",
|
||||||
|
c['sid'], c['idServer'])
|
||||||
|
try:
|
||||||
|
threepid = yield self._threepid_from_creds(c)
|
||||||
|
except:
|
||||||
|
logger.err()
|
||||||
|
raise RegistrationError(400, "Couldn't validate 3pid")
|
||||||
|
|
||||||
|
if not threepid:
|
||||||
|
raise RegistrationError(400, "Couldn't validate 3pid")
|
||||||
|
logger.info("got threepid medium %s address %s",
|
||||||
|
threepid['medium'], threepid['address'])
|
||||||
|
|
||||||
|
@defer.inlineCallbacks
|
||||||
|
def bind_emails(self, user_id, threepidCreds):
|
||||||
|
"""Links emails with a user ID and informs an identity server."""
|
||||||
|
|
||||||
# Now we have a matrix ID, bind it to the threepids we were given
|
# Now we have a matrix ID, bind it to the threepids we were given
|
||||||
if threepidCreds:
|
|
||||||
for c in threepidCreds:
|
for c in threepidCreds:
|
||||||
# XXX: This should be a deferred list, shouldn't it?
|
# XXX: This should be a deferred list, shouldn't it?
|
||||||
yield self._bind_threepid(c, user_id)
|
yield self._bind_threepid(c, user_id)
|
||||||
|
|
||||||
|
|
||||||
defer.returnValue((user_id, token))
|
|
||||||
|
|
||||||
def _generate_token(self, user_id):
|
def _generate_token(self, user_id):
|
||||||
# urlsafe variant uses _ and - so use . as the separator and replace
|
# urlsafe variant uses _ and - so use . as the separator and replace
|
||||||
# all =s with .s so http clients don't quote =s when it is used as
|
# all =s with .s so http clients don't quote =s when it is used as
|
||||||
|
@ -200,7 +207,8 @@ class RegistrationHandler(BaseHandler):
|
||||||
data = yield client.post_urlencoded_get_raw(
|
data = yield client.post_urlencoded_get_raw(
|
||||||
"www.google.com:80",
|
"www.google.com:80",
|
||||||
"/recaptcha/api/verify",
|
"/recaptcha/api/verify",
|
||||||
accept_partial=True, # twisted dislikes google's response, no content length.
|
# twisted dislikes google's response, no content length.
|
||||||
|
accept_partial=True,
|
||||||
args={
|
args={
|
||||||
'privatekey': private_key,
|
'privatekey': private_key,
|
||||||
'remoteip': ip_addr,
|
'remoteip': ip_addr,
|
||||||
|
|
|
@ -19,26 +19,60 @@ from twisted.internet import defer
|
||||||
from synapse.api.errors import SynapseError, Codes
|
from synapse.api.errors import SynapseError, Codes
|
||||||
from synapse.api.constants import LoginType
|
from synapse.api.constants import LoginType
|
||||||
from base import RestServlet, client_path_pattern
|
from base import RestServlet, client_path_pattern
|
||||||
|
import synapse.util.stringutils as stringutils
|
||||||
|
|
||||||
import json
|
import json
|
||||||
|
import logging
|
||||||
import urllib
|
import urllib
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
class RegisterRestServlet(RestServlet):
|
class RegisterRestServlet(RestServlet):
|
||||||
|
"""Handles registration with the home server.
|
||||||
|
|
||||||
|
This servlet is in control of the registration flow; the registration
|
||||||
|
handler doesn't have a concept of multi-stages or sessions.
|
||||||
|
"""
|
||||||
|
|
||||||
PATTERN = client_path_pattern("/register$")
|
PATTERN = client_path_pattern("/register$")
|
||||||
|
|
||||||
|
def __init__(self, hs):
|
||||||
|
super(RegisterRestServlet, self).__init__(hs)
|
||||||
|
# sessions are stored as:
|
||||||
|
# self.sessions = {
|
||||||
|
# "session_id" : { __session_dict__ }
|
||||||
|
# }
|
||||||
|
# TODO: persistent storage
|
||||||
|
self.sessions = {}
|
||||||
|
|
||||||
def on_GET(self, request):
|
def on_GET(self, request):
|
||||||
|
if self.hs.config.enable_registration_captcha:
|
||||||
return (200, {
|
return (200, {
|
||||||
"flows": [
|
"flows": [
|
||||||
{
|
{
|
||||||
"type": LoginType.RECAPTCHA,
|
"type": LoginType.RECAPTCHA,
|
||||||
"stages": ([LoginType.RECAPTCHA, LoginType.EMAIL_IDENTITY,
|
"stages": ([LoginType.RECAPTCHA,
|
||||||
|
LoginType.EMAIL_IDENTITY,
|
||||||
LoginType.PASSWORD])
|
LoginType.PASSWORD])
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": LoginType.RECAPTCHA,
|
"type": LoginType.RECAPTCHA,
|
||||||
"stages": [LoginType.RECAPTCHA, LoginType.PASSWORD]
|
"stages": [LoginType.RECAPTCHA, LoginType.PASSWORD]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
})
|
||||||
|
else:
|
||||||
|
return (200, {
|
||||||
|
"flows": [
|
||||||
|
{
|
||||||
|
"type": LoginType.EMAIL_IDENTITY,
|
||||||
|
"stages": ([LoginType.EMAIL_IDENTITY,
|
||||||
|
LoginType.PASSWORD])
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"type": LoginType.PASSWORD
|
||||||
|
}
|
||||||
]
|
]
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -56,51 +90,63 @@ class RegisterRestServlet(RestServlet):
|
||||||
LoginType.EMAIL_IDENTITY: self._do_email_identity
|
LoginType.EMAIL_IDENTITY: self._do_email_identity
|
||||||
}
|
}
|
||||||
|
|
||||||
session_info = None
|
session_info = self._get_session_info(request, session)
|
||||||
if session:
|
logger.debug("%s : session info %s request info %s",
|
||||||
session_info = self._get_session_info(session)
|
login_type, session_info, register_json)
|
||||||
|
response = yield stages[login_type](
|
||||||
|
request,
|
||||||
|
register_json,
|
||||||
|
session_info
|
||||||
|
)
|
||||||
|
|
||||||
|
if "access_token" not in response:
|
||||||
|
# isn't a final response
|
||||||
|
response["session"] = session_info["id"]
|
||||||
|
|
||||||
response = yield stages[login_type](register_json, session_info)
|
|
||||||
defer.returnValue((200, response))
|
defer.returnValue((200, response))
|
||||||
except KeyError:
|
except KeyError as e:
|
||||||
raise SynapseError(400, "Bad login type.")
|
logger.exception(e)
|
||||||
|
raise SynapseError(400, "Missing JSON keys or bad login type.")
|
||||||
|
|
||||||
|
def on_OPTIONS(self, request):
|
||||||
|
return (200, {})
|
||||||
|
|
||||||
desired_user_id = None
|
def _get_session_info(self, request, session_id):
|
||||||
password = None
|
if not session_id:
|
||||||
|
# create a new session
|
||||||
|
while session_id is None or session_id in self.sessions:
|
||||||
|
session_id = stringutils.random_string(24)
|
||||||
|
self.sessions[session_id] = {
|
||||||
|
"id": session_id,
|
||||||
|
LoginType.EMAIL_IDENTITY: False,
|
||||||
|
LoginType.RECAPTCHA: False
|
||||||
|
}
|
||||||
|
|
||||||
if "password" in register_json:
|
return self.sessions[session_id]
|
||||||
password = register_json["password"].encode("utf-8")
|
|
||||||
|
|
||||||
if ("user_id" in register_json and
|
def _save_session(self, session):
|
||||||
type(register_json["user_id"]) == unicode):
|
# TODO: Persistent storage
|
||||||
desired_user_id = register_json["user_id"].encode("utf-8")
|
logger.debug("Saving session %s", session)
|
||||||
if urllib.quote(desired_user_id) != desired_user_id:
|
self.sessions[session["id"]] = session
|
||||||
raise SynapseError(
|
|
||||||
400,
|
|
||||||
"User ID must only contain characters which do not " +
|
|
||||||
"require URL encoding.")
|
|
||||||
|
|
||||||
threepidCreds = None
|
def _remove_session(self, session):
|
||||||
if 'threepidCreds' in register_json:
|
logger.debug("Removing session %s", session)
|
||||||
threepidCreds = register_json['threepidCreds']
|
self.sessions.pop(session["id"])
|
||||||
|
|
||||||
|
def _do_recaptcha(self, request, register_json, session):
|
||||||
|
if not self.hs.config.enable_registration_captcha:
|
||||||
|
raise SynapseError(400, "Captcha not required.")
|
||||||
|
|
||||||
captcha = {}
|
|
||||||
if self.hs.config.enable_registration_captcha:
|
|
||||||
challenge = None
|
challenge = None
|
||||||
user_response = None
|
user_response = None
|
||||||
try:
|
try:
|
||||||
captcha_type = register_json["captcha"]["type"]
|
challenge = register_json["challenge"]
|
||||||
if captcha_type != "m.login.recaptcha":
|
user_response = register_json["response"]
|
||||||
raise SynapseError(400, "Sorry, only m.login.recaptcha " +
|
|
||||||
"requests are supported.")
|
|
||||||
challenge = register_json["captcha"]["challenge"]
|
|
||||||
user_response = register_json["captcha"]["response"]
|
|
||||||
except KeyError:
|
except KeyError:
|
||||||
raise SynapseError(400, "Captcha response is required",
|
raise SynapseError(400, "Captcha response is required",
|
||||||
errcode=Codes.CAPTCHA_NEEDED)
|
errcode=Codes.CAPTCHA_NEEDED)
|
||||||
|
|
||||||
# TODO determine the source IP : May be an X-Forwarding-For header depending on config
|
# May be an X-Forwarding-For header depending on config
|
||||||
ip_addr = request.getClientIP()
|
ip_addr = request.getClientIP()
|
||||||
if self.hs.config.captcha_ip_origin_is_x_forwarded:
|
if self.hs.config.captcha_ip_origin_is_x_forwarded:
|
||||||
# use the header
|
# use the header
|
||||||
|
@ -108,44 +154,66 @@ class RegisterRestServlet(RestServlet):
|
||||||
ip_addr = request.requestHeaders.getRawHeaders(
|
ip_addr = request.requestHeaders.getRawHeaders(
|
||||||
"X-Forwarded-For")[0]
|
"X-Forwarded-For")[0]
|
||||||
|
|
||||||
captcha = {
|
handler = self.handlers.registration_handler
|
||||||
"ip": ip_addr,
|
yield handler.check_recaptcha(
|
||||||
"private_key": self.hs.config.recaptcha_private_key,
|
ip_addr,
|
||||||
"challenge": challenge,
|
self.hs.config.recaptcha_private_key,
|
||||||
"response": user_response
|
challenge,
|
||||||
}
|
user_response
|
||||||
|
)
|
||||||
|
session[LoginType.RECAPTCHA] = True # mark captcha as done
|
||||||
|
self._save_session(session)
|
||||||
|
defer.returnValue({
|
||||||
|
"next": [LoginType.PASSWORD, LoginType.EMAIL_IDENTITY]
|
||||||
|
})
|
||||||
|
|
||||||
|
@defer.inlineCallbacks
|
||||||
|
def _do_email_identity(self, request, register_json, session):
|
||||||
|
if (self.hs.config.enable_registration_captcha and
|
||||||
|
not session[LoginType.RECAPTCHA]):
|
||||||
|
raise SynapseError(400, "Captcha is required.")
|
||||||
|
|
||||||
|
threepidCreds = register_json['threepidCreds']
|
||||||
|
handler = self.handlers.registration_handler
|
||||||
|
yield handler.register_email(threepidCreds)
|
||||||
|
session["threepidCreds"] = threepidCreds # store creds for next stage
|
||||||
|
session[LoginType.EMAIL_IDENTITY] = True # mark email as done
|
||||||
|
self._save_session(session)
|
||||||
|
defer.returnValue({
|
||||||
|
"next": LoginType.PASSWORD
|
||||||
|
})
|
||||||
|
|
||||||
|
@defer.inlineCallbacks
|
||||||
|
def _do_password(self, request, register_json, session):
|
||||||
|
if (self.hs.config.enable_registration_captcha and
|
||||||
|
not session[LoginType.RECAPTCHA]):
|
||||||
|
# captcha should've been done by this stage!
|
||||||
|
raise SynapseError(400, "Captcha is required.")
|
||||||
|
|
||||||
|
password = register_json["password"].encode("utf-8")
|
||||||
|
desired_user_id = (register_json["user_id"].encode("utf-8") if "user_id"
|
||||||
|
in register_json else None)
|
||||||
|
if desired_user_id and urllib.quote(desired_user_id) != desired_user_id:
|
||||||
|
raise SynapseError(
|
||||||
|
400,
|
||||||
|
"User ID must only contain characters which do not " +
|
||||||
|
"require URL encoding.")
|
||||||
handler = self.handlers.registration_handler
|
handler = self.handlers.registration_handler
|
||||||
(user_id, token) = yield handler.register(
|
(user_id, token) = yield handler.register(
|
||||||
localpart=desired_user_id,
|
localpart=desired_user_id,
|
||||||
password=password,
|
password=password
|
||||||
threepidCreds=threepidCreds,
|
)
|
||||||
captcha_info=captcha)
|
|
||||||
|
if session[LoginType.EMAIL_IDENTITY]:
|
||||||
|
yield handler.bind_emails(user_id, session["threepidCreds"])
|
||||||
|
|
||||||
result = {
|
result = {
|
||||||
"user_id": user_id,
|
"user_id": user_id,
|
||||||
"access_token": token,
|
"access_token": token,
|
||||||
"home_server": self.hs.hostname,
|
"home_server": self.hs.hostname,
|
||||||
}
|
}
|
||||||
defer.returnValue(
|
self._remove_session(session)
|
||||||
(200, result)
|
defer.returnValue(result)
|
||||||
)
|
|
||||||
|
|
||||||
def on_OPTIONS(self, request):
|
|
||||||
return (200, {})
|
|
||||||
|
|
||||||
def _get_session_info(self, session_id):
|
|
||||||
pass
|
|
||||||
|
|
||||||
def _do_recaptcha(self, register_json, session):
|
|
||||||
pass
|
|
||||||
|
|
||||||
def _do_email_identity(self, register_json, session):
|
|
||||||
pass
|
|
||||||
|
|
||||||
def _do_password(self, register_json, session):
|
|
||||||
pass
|
|
||||||
|
|
||||||
|
|
||||||
def _parse_json(request):
|
def _parse_json(request):
|
||||||
|
@ -157,5 +225,6 @@ def _parse_json(request):
|
||||||
except ValueError:
|
except ValueError:
|
||||||
raise SynapseError(400, "Content not JSON.")
|
raise SynapseError(400, "Content not JSON.")
|
||||||
|
|
||||||
|
|
||||||
def register_servlets(hs, http_server):
|
def register_servlets(hs, http_server):
|
||||||
RegisterRestServlet(hs).register(http_server)
|
RegisterRestServlet(hs).register(http_server)
|
||||||
|
|
Loading…
Reference in a new issue