Regstration with email in v2

synapse/handlers/__init__.py

@@ -30,6 +30,7 @@ from .admin import AdminHandler
 from .appservice import ApplicationServicesHandler
 from .sync import SyncHandler
 from .auth import AuthHandler
+from .identity import IdentityHandler
 
 
 class Handlers(object):
@@ -60,3 +61,4 @@ class Handlers(object):
         )
         self.sync_handler = SyncHandler(hs)
         self.auth_handler = AuthHandler(hs)
+        self.identity_handler = IdentityHandler(hs)

synapse/handlers/auth.py

@@ -20,6 +20,7 @@ from synapse.api.constants import LoginType
 from synapse.types import UserID
 from synapse.api.errors import LoginError, Codes
 from synapse.http.client import SimpleHttpClient
+from synapse.util.async import run_on_reactor
 
 from twisted.web.client import PartialDownloadError
 
@@ -40,6 +41,7 @@ class AuthHandler(BaseHandler):
         self.checkers = {
             LoginType.PASSWORD: self._check_password_auth,
             LoginType.RECAPTCHA: self._check_recaptcha,
+            LoginType.EMAIL_IDENTITY: self._check_email_identity,
         }
         self.sessions = {}
 
@@ -54,24 +56,37 @@ class AuthHandler(BaseHandler):
             authdict: The dictionary from the client root level, not the
                       'auth' key: this method prompts for auth if none is sent.
         Returns:
-            A tuple of authed, dict where authed is true if the client
+            A tuple of authed, dict, dict where authed is true if the client
-            has successfully completed an auth flow. If it is true, the dict
+            has successfully completed an auth flow. If it is true, the first
-            contains the authenticated credentials of each stage.
+            dict contains the authenticated credentials of each stage.
-            If authed is false, the dictionary is the server response to the
+
-            login request and should be passed back to the client.
+            If authed is false, the first dictionary is the server response to
+            the login request and should be passed back to the client.
+
+            In either case, the second dict contains the parameters for this
+            request (which may have been given only in a previous call).
         """
 
-        if not clientdict or 'auth' not in clientdict:
+        authdict = None
-            sess = self._get_session_info(None)
+        sid = None
-            defer.returnValue(
+        if clientdict and 'auth' in clientdict:
-                (False, self._auth_dict_for_flows(flows, sess))
-            )
-
             authdict = clientdict['auth']
+            del clientdict['auth']
+            if 'session' in authdict:
+                sid = authdict['session']
+        sess = self._get_session_info(sid)
 
-        sess = self._get_session_info(
+        if len(clientdict) > 0:
-            authdict['session'] if 'session' in authdict else None
+            sess['clientdict'] = clientdict
+            self._save_session(sess)
+        elif 'clientdict' in sess:
+            clientdict = sess['clientdict']
+
+        if not authdict:
+            defer.returnValue(
+                (False, self._auth_dict_for_flows(flows, sess), clientdict)
             )
+
         if 'creds' not in sess:
             sess['creds'] = {}
         creds = sess['creds']
@@ -89,11 +104,11 @@ class AuthHandler(BaseHandler):
             if len(set(f) - set(creds.keys())) == 0:
                 logger.info("Auth completed with creds: %r", creds)
                 self._remove_session(sess)
-                defer.returnValue((True, creds))
+                defer.returnValue((True, creds, clientdict))
 
         ret = self._auth_dict_for_flows(flows, sess)
         ret['completed'] = creds.keys()
-        defer.returnValue((False, ret))
+        defer.returnValue((False, ret, clientdict))
 
     @defer.inlineCallbacks
     def add_oob_auth(self, stagetype, authdict, clientip):
@@ -175,17 +190,24 @@ class AuthHandler(BaseHandler):
             defer.returnValue(True)
         raise LoginError(401, "", errcode=Codes.UNAUTHORIZED)
 
+    @defer.inlineCallbacks
+    def _check_email_identity(self, authdict, _):
+        yield run_on_reactor()
+
+        threepidCreds = authdict['threepidCreds']
+        identity_handler = self.hs.get_handlers().identity_handler
+
+        logger.debug("Getting validated threepid. threepidcreds: %r" % (threepidCreds,))
+        threepid = yield identity_handler.threepid_from_creds(threepidCreds)
+
+        defer.returnValue(threepid)
+
     def _get_params_recaptcha(self):
         return {"public_key": self.hs.config.recaptcha_public_key}
 
     def _auth_dict_for_flows(self, flows, session):
         public_flows = []
         for f in flows:
-            hidden = False
-            for stagetype in f:
-                if stagetype in LoginType.HIDDEN_TYPES:
-                    hidden = True
-            if not hidden:
             public_flows.append(f)
 
         get_params = {

synapse/handlers/identity.py

@@ -0,0 +1,66 @@
+# -*- coding: utf-8 -*-
+# Copyright 2015 OpenMarket Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Utilities for interacting with Identity Servers"""
+from twisted.internet import defer
+
+from synapse.api.errors import (
+    CodeMessageException
+)
+from ._base import BaseHandler
+from synapse.http.client import SimpleHttpClient
+from synapse.util.async import run_on_reactor
+
+import json
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class IdentityHandler(BaseHandler):
+
+    def __init__(self, hs):
+        super(IdentityHandler, self).__init__(hs)
+
+    @defer.inlineCallbacks
+    def threepid_from_creds(self, creds):
+        yield run_on_reactor()
+
+        # TODO: get this from the homeserver rather than creating a new one for
+        # each request
+        http_client = SimpleHttpClient(self.hs)
+        # XXX: make this configurable!
+        #trustedIdServers = ['matrix.org', 'localhost:8090']
+        trustedIdServers = ['matrix.org']
+        if not creds['idServer'] in trustedIdServers:
+            logger.warn('%s is not a trusted ID server: rejecting 3pid ' +
+                        'credentials', creds['idServer'])
+            defer.returnValue(None)
+
+        data = {}
+        try:
+            data = yield http_client.get_json(
+                "https://%s%s" % (
+                    creds['idServer'],
+                    "/_matrix/identity/api/v1/3pid/getValidated3pid"
+                ),
+                {'sid': creds['sid'], 'clientSecret': creds['clientSecret']}
+            )
+        except CodeMessageException as e:
+            data = json.loads(e.msg)
+
+        if 'medium' in data:
+            defer.returnValue(data)
+        defer.returnValue(None)

synapse/handlers/register.py

@@ -180,7 +180,11 @@ class RegistrationHandler(BaseHandler):
 
     @defer.inlineCallbacks
     def register_email(self, threepidCreds):
-        """Registers emails with an identity server."""
+        """
+        Registers emails with an identity server.
+
+        Used only by c/s api v1
+        """
 
         for c in threepidCreds:
             logger.info("validating theeepidcred sid %s on id server %s",

synapse/rest/client/v2_alpha/password.py

@@ -41,7 +41,7 @@ class PasswordRestServlet(RestServlet):
     def on_POST(self, request):
         body = parse_json_dict_from_request(request)
 
-        authed, result = yield self.auth_handler.check_auth([
+        authed, result, params = yield self.auth_handler.check_auth([
             [LoginType.PASSWORD]
         ], body)
 
@@ -61,9 +61,9 @@ class PasswordRestServlet(RestServlet):
 
         user_id = auth_user.to_string()
 
-        if 'new_password' not in body:
+        if 'new_password' not in params:
             raise SynapseError(400, "", Codes.MISSING_PARAM)
-        new_password = body['new_password']
+        new_password = params['new_password']
 
         yield self.login_handler.set_password(
             user_id, new_password, client.token_id

synapse/rest/client/v2_alpha/register.py

@@ -74,7 +74,7 @@ class RegisterRestServlet(RestServlet):
             )
             is_using_shared_secret = True
         else:
-            authed, result = yield self.auth_handler.check_auth([
+            authed, result, params = yield self.auth_handler.check_auth([
                 [LoginType.RECAPTCHA],
                 [LoginType.EMAIL_IDENTITY, LoginType.RECAPTCHA],
             ], body, self.hs.get_ip_from_request(request))
@@ -90,10 +90,10 @@ class RegisterRestServlet(RestServlet):
         if not can_register:
             raise SynapseError(403, "Registration has been disabled")
 
-        if 'username' not in body or 'password' not in body:
+        if 'username' not in params or 'password' not in params:
             raise SynapseError(400, "", Codes.MISSING_PARAM)
-        desired_username = body['username']
+        desired_username = params['username']
-        new_password = body['password']
+        new_password = params['password']
 
         (user_id, token) = yield self.registration_handler.register(
             localpart=desired_username,