2016-01-05 19:01:18 +01:00
|
|
|
# Copyright 2014 - 2016 OpenMarket Ltd
|
2021-12-03 17:42:44 +01:00
|
|
|
# Copyright 2021 The Matrix.org Foundation C.I.C.
|
2014-08-12 16:10:52 +02:00
|
|
|
#
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
#
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
# limitations under the License.
|
2014-08-13 04:14:34 +02:00
|
|
|
|
2014-08-12 16:10:52 +02:00
|
|
|
"""Contains functions for registering clients."""
|
2021-02-01 18:30:42 +01:00
|
|
|
|
2016-07-26 17:46:53 +02:00
|
|
|
import logging
|
2021-06-24 15:33:20 +02:00
|
|
|
from typing import TYPE_CHECKING, Iterable, List, Optional, Tuple
|
2016-07-26 17:46:53 +02:00
|
|
|
|
2021-03-04 17:39:27 +01:00
|
|
|
from prometheus_client import Counter
|
2021-06-24 15:33:20 +02:00
|
|
|
from typing_extensions import TypedDict
|
2021-03-04 17:39:27 +01:00
|
|
|
|
2018-07-09 08:09:20 +02:00
|
|
|
from synapse import types
|
2021-09-08 16:00:43 +02:00
|
|
|
from synapse.api.constants import (
|
|
|
|
MAX_USERID_LENGTH,
|
|
|
|
EventContentFields,
|
|
|
|
EventTypes,
|
|
|
|
JoinRules,
|
|
|
|
LoginType,
|
|
|
|
)
|
2022-08-22 15:17:59 +02:00
|
|
|
from synapse.api.errors import (
|
|
|
|
AuthError,
|
|
|
|
Codes,
|
|
|
|
ConsentNotGivenError,
|
|
|
|
InvalidClientTokenError,
|
|
|
|
SynapseError,
|
|
|
|
)
|
2020-11-23 19:28:03 +01:00
|
|
|
from synapse.appservice import ApplicationService
|
2019-02-20 08:47:31 +01:00
|
|
|
from synapse.config.server import is_threepid_reserved
|
|
|
|
from synapse.http.servlet import assert_params_in_dict
|
2019-02-18 17:49:38 +01:00
|
|
|
from synapse.replication.http.login import RegisterDeviceReplicationServlet
|
2019-02-20 08:47:31 +01:00
|
|
|
from synapse.replication.http.register import (
|
|
|
|
ReplicationPostRegisterActionsServlet,
|
|
|
|
ReplicationRegisterServlet,
|
|
|
|
)
|
2020-08-20 21:42:58 +02:00
|
|
|
from synapse.spam_checker_api import RegistrationBehaviour
|
2020-06-30 21:41:36 +02:00
|
|
|
from synapse.storage.state import StateFilter
|
|
|
|
from synapse.types import RoomAlias, UserID, create_requester
|
2018-07-09 08:09:20 +02:00
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
if TYPE_CHECKING:
|
2021-03-23 12:12:48 +01:00
|
|
|
from synapse.server import HomeServer
|
2020-11-23 19:28:03 +01:00
|
|
|
|
2014-09-03 19:22:27 +02:00
|
|
|
logger = logging.getLogger(__name__)
|
2014-08-12 16:10:52 +02:00
|
|
|
|
|
|
|
|
2021-03-04 17:39:27 +01:00
|
|
|
registration_counter = Counter(
|
|
|
|
"synapse_user_registrations_total",
|
|
|
|
"Number of new users registered (since restart)",
|
|
|
|
["guest", "shadow_banned", "auth_provider"],
|
|
|
|
)
|
|
|
|
|
|
|
|
login_counter = Counter(
|
|
|
|
"synapse_user_logins_total",
|
|
|
|
"Number of user logins (since restart)",
|
|
|
|
["guest", "auth_provider"],
|
|
|
|
)
|
|
|
|
|
2021-07-19 16:28:05 +02:00
|
|
|
|
2021-08-24 11:17:51 +02:00
|
|
|
def init_counters_for_auth_provider(auth_provider_id: str) -> None:
|
|
|
|
"""Ensure the prometheus counters for the given auth provider are initialised
|
|
|
|
|
|
|
|
This fixes a problem where the counters are not reported for a given auth provider
|
|
|
|
until the user first logs in/registers.
|
|
|
|
"""
|
|
|
|
for is_guest in (True, False):
|
|
|
|
login_counter.labels(guest=is_guest, auth_provider=auth_provider_id)
|
|
|
|
for shadow_banned in (True, False):
|
|
|
|
registration_counter.labels(
|
|
|
|
guest=is_guest,
|
|
|
|
shadow_banned=shadow_banned,
|
|
|
|
auth_provider=auth_provider_id,
|
|
|
|
)
|
|
|
|
|
|
|
|
|
2021-07-19 16:28:05 +02:00
|
|
|
class LoginDict(TypedDict):
|
|
|
|
device_id: str
|
|
|
|
access_token: str
|
|
|
|
valid_until_ms: Optional[int]
|
|
|
|
refresh_token: Optional[str]
|
2021-06-24 15:33:20 +02:00
|
|
|
|
2021-03-04 17:39:27 +01:00
|
|
|
|
2021-10-08 13:44:43 +02:00
|
|
|
class RegistrationHandler:
|
2020-11-23 19:28:03 +01:00
|
|
|
def __init__(self, hs: "HomeServer"):
|
2022-02-23 12:04:02 +01:00
|
|
|
self.store = hs.get_datastores().main
|
2022-06-01 17:02:53 +02:00
|
|
|
self._storage_controllers = hs.get_storage_controllers()
|
2021-10-08 13:44:43 +02:00
|
|
|
self.clock = hs.get_clock()
|
2018-07-30 16:55:57 +02:00
|
|
|
self.hs = hs
|
2016-01-05 19:01:18 +01:00
|
|
|
self.auth = hs.get_auth()
|
2022-06-14 10:51:15 +02:00
|
|
|
self.auth_blocking = hs.get_auth_blocking()
|
2017-11-01 11:29:34 +01:00
|
|
|
self._auth_handler = hs.get_auth_handler()
|
2017-08-25 15:34:56 +02:00
|
|
|
self.profile_handler = hs.get_profile_handler()
|
2017-11-29 19:33:34 +01:00
|
|
|
self.user_directory_handler = hs.get_user_directory_handler()
|
2020-10-09 13:24:34 +02:00
|
|
|
self.identity_handler = self.hs.get_identity_handler()
|
2019-03-06 12:02:42 +01:00
|
|
|
self.ratelimiter = hs.get_registration_ratelimiter()
|
2017-02-02 11:53:36 +01:00
|
|
|
self.macaroon_gen = hs.get_macaroon_generator()
|
2021-07-16 18:11:53 +02:00
|
|
|
self._account_validity_handler = hs.get_account_validity_handler()
|
2021-09-23 13:13:34 +02:00
|
|
|
self._user_consent_version = self.hs.config.consent.user_consent_version
|
2021-09-24 13:25:21 +02:00
|
|
|
self._server_notices_mxid = hs.config.servernotices.server_notices_mxid
|
2020-11-17 11:51:25 +01:00
|
|
|
self._server_name = hs.hostname
|
2018-03-26 13:02:20 +02:00
|
|
|
|
2020-08-20 21:42:58 +02:00
|
|
|
self.spam_checker = hs.get_spam_checker()
|
|
|
|
|
2021-09-13 19:07:12 +02:00
|
|
|
if hs.config.worker.worker_app:
|
2019-02-18 13:12:57 +01:00
|
|
|
self._register_client = ReplicationRegisterServlet.make_client(hs)
|
2019-06-20 11:32:02 +02:00
|
|
|
self._register_device_client = RegisterDeviceReplicationServlet.make_client(
|
|
|
|
hs
|
2019-02-18 17:49:38 +01:00
|
|
|
)
|
2021-02-16 23:32:34 +01:00
|
|
|
self._post_registration_client = (
|
|
|
|
ReplicationPostRegisterActionsServlet.make_client(hs)
|
2019-02-20 08:47:31 +01:00
|
|
|
)
|
2019-02-18 17:49:38 +01:00
|
|
|
else:
|
|
|
|
self.device_handler = hs.get_device_handler()
|
2021-03-10 19:15:03 +01:00
|
|
|
self._register_device_client = self.register_device_inner
|
2019-02-20 08:47:31 +01:00
|
|
|
self.pusher_pool = hs.get_pusherpool()
|
2019-02-18 13:12:57 +01:00
|
|
|
|
2021-10-04 13:18:54 +02:00
|
|
|
self.session_lifetime = hs.config.registration.session_lifetime
|
2021-12-03 17:42:44 +01:00
|
|
|
self.nonrefreshable_access_token_lifetime = (
|
|
|
|
hs.config.registration.nonrefreshable_access_token_lifetime
|
|
|
|
)
|
2021-11-23 18:01:34 +01:00
|
|
|
self.refreshable_access_token_lifetime = (
|
|
|
|
hs.config.registration.refreshable_access_token_lifetime
|
|
|
|
)
|
2021-11-26 15:27:14 +01:00
|
|
|
self.refresh_token_lifetime = hs.config.registration.refresh_token_lifetime
|
2019-07-12 18:26:02 +02:00
|
|
|
|
2021-08-24 11:17:51 +02:00
|
|
|
init_counters_for_auth_provider("")
|
|
|
|
|
2020-06-08 17:15:02 +02:00
|
|
|
async def check_username(
|
2020-11-23 19:28:03 +01:00
|
|
|
self,
|
|
|
|
localpart: str,
|
|
|
|
guest_access_token: Optional[str] = None,
|
|
|
|
assigned_user_id: Optional[str] = None,
|
2022-01-26 13:02:54 +01:00
|
|
|
inhibit_user_in_use_error: bool = False,
|
2021-09-20 14:56:23 +02:00
|
|
|
) -> None:
|
2017-11-09 22:57:24 +01:00
|
|
|
if types.contains_invalid_mxid_characters(localpart):
|
2015-04-16 20:56:44 +02:00
|
|
|
raise SynapseError(
|
|
|
|
400,
|
2017-10-21 00:42:53 +02:00
|
|
|
"User ID can only contain characters a-z, 0-9, or '=_-./'",
|
2019-06-20 11:32:02 +02:00
|
|
|
Codes.INVALID_USERNAME,
|
2015-04-16 20:56:44 +02:00
|
|
|
)
|
|
|
|
|
2017-05-10 18:34:30 +02:00
|
|
|
if not localpart:
|
2019-06-20 11:32:02 +02:00
|
|
|
raise SynapseError(400, "User ID cannot be empty", Codes.INVALID_USERNAME)
|
2017-05-10 18:17:12 +02:00
|
|
|
|
2019-06-20 11:32:02 +02:00
|
|
|
if localpart[0] == "_":
|
2016-07-27 18:54:26 +02:00
|
|
|
raise SynapseError(
|
2019-06-20 11:32:02 +02:00
|
|
|
400, "User ID may not begin with _", Codes.INVALID_USERNAME
|
2016-07-27 18:54:26 +02:00
|
|
|
)
|
|
|
|
|
2015-04-16 20:56:44 +02:00
|
|
|
user = UserID(localpart, self.hs.hostname)
|
|
|
|
user_id = user.to_string()
|
|
|
|
|
2016-03-16 20:36:57 +01:00
|
|
|
if assigned_user_id:
|
|
|
|
if user_id == assigned_user_id:
|
|
|
|
return
|
|
|
|
else:
|
|
|
|
raise SynapseError(
|
|
|
|
400,
|
|
|
|
"A different user ID has already been registered for this session",
|
|
|
|
)
|
|
|
|
|
2017-10-21 00:37:22 +02:00
|
|
|
self.check_user_id_not_appservice_exclusive(user_id)
|
2015-04-16 20:56:44 +02:00
|
|
|
|
2019-05-20 12:20:08 +02:00
|
|
|
if len(user_id) > MAX_USERID_LENGTH:
|
|
|
|
raise SynapseError(
|
|
|
|
400,
|
2019-06-20 11:32:02 +02:00
|
|
|
"User ID may not be longer than %s characters" % (MAX_USERID_LENGTH,),
|
|
|
|
Codes.INVALID_USERNAME,
|
2019-05-20 12:20:08 +02:00
|
|
|
)
|
|
|
|
|
2020-06-08 17:15:02 +02:00
|
|
|
users = await self.store.get_users_by_id_case_insensitive(user_id)
|
2015-08-26 14:42:45 +02:00
|
|
|
if users:
|
2022-01-26 13:02:54 +01:00
|
|
|
if not inhibit_user_in_use_error and not guest_access_token:
|
2016-01-05 19:01:18 +01:00
|
|
|
raise SynapseError(
|
2019-06-20 11:32:02 +02:00
|
|
|
400, "User ID already taken.", errcode=Codes.USER_IN_USE
|
2016-01-05 19:01:18 +01:00
|
|
|
)
|
2022-01-26 13:02:54 +01:00
|
|
|
if guest_access_token:
|
|
|
|
user_data = await self.auth.get_user_by_access_token(guest_access_token)
|
2022-08-22 15:17:59 +02:00
|
|
|
if not user_data.is_guest or user_data.user.localpart != localpart:
|
2022-01-26 13:02:54 +01:00
|
|
|
raise AuthError(
|
|
|
|
403,
|
|
|
|
"Cannot register taken user ID without valid guest "
|
|
|
|
"credentials for that user.",
|
|
|
|
errcode=Codes.FORBIDDEN,
|
|
|
|
)
|
2015-04-16 20:56:44 +02:00
|
|
|
|
2020-06-03 16:55:02 +02:00
|
|
|
if guest_access_token is None:
|
|
|
|
try:
|
|
|
|
int(localpart)
|
|
|
|
raise SynapseError(
|
2020-08-20 16:39:41 +02:00
|
|
|
400,
|
|
|
|
"Numeric user IDs are reserved for guest users.",
|
|
|
|
errcode=Codes.INVALID_USERNAME,
|
2020-06-03 16:55:02 +02:00
|
|
|
)
|
|
|
|
except ValueError:
|
|
|
|
pass
|
|
|
|
|
2020-06-08 17:15:02 +02:00
|
|
|
async def register_user(
|
2016-01-05 19:01:18 +01:00
|
|
|
self,
|
2020-11-23 19:28:03 +01:00
|
|
|
localpart: Optional[str] = None,
|
|
|
|
password_hash: Optional[str] = None,
|
|
|
|
guest_access_token: Optional[str] = None,
|
|
|
|
make_guest: bool = False,
|
|
|
|
admin: bool = False,
|
|
|
|
threepid: Optional[dict] = None,
|
|
|
|
user_type: Optional[str] = None,
|
|
|
|
default_display_name: Optional[str] = None,
|
|
|
|
address: Optional[str] = None,
|
2021-04-08 23:38:54 +02:00
|
|
|
bind_emails: Optional[Iterable[str]] = None,
|
2020-11-23 19:28:03 +01:00
|
|
|
by_admin: bool = False,
|
|
|
|
user_agent_ips: Optional[List[Tuple[str, str]]] = None,
|
2021-03-04 17:39:27 +01:00
|
|
|
auth_provider_id: Optional[str] = None,
|
2020-11-23 19:28:03 +01:00
|
|
|
) -> str:
|
2014-08-12 16:10:52 +02:00
|
|
|
"""Registers a new client on the server.
|
|
|
|
|
|
|
|
Args:
|
2020-05-01 16:15:36 +02:00
|
|
|
localpart: The local part of the user ID to register. If None,
|
2016-02-05 12:22:30 +01:00
|
|
|
one will be generated.
|
2020-11-23 19:28:03 +01:00
|
|
|
password_hash: The hashed password to assign to this user so they can
|
2016-07-19 19:46:19 +02:00
|
|
|
login again. This can be None which means they cannot login again
|
|
|
|
via a password (e.g. the user is an application service user).
|
2020-11-23 19:28:03 +01:00
|
|
|
guest_access_token: The access token used when this was a guest
|
|
|
|
account.
|
|
|
|
make_guest: True if the the new user should be guest,
|
|
|
|
false to add a regular user account.
|
|
|
|
admin: True if the user should be registered as a server admin.
|
|
|
|
threepid: The threepid used for registering, if any.
|
|
|
|
user_type: type of user. One of the values from
|
2018-12-14 19:20:59 +01:00
|
|
|
api.constants.UserTypes, or None for a normal user.
|
2020-11-23 19:28:03 +01:00
|
|
|
default_display_name: if set, the new user's displayname
|
2018-12-07 14:44:46 +01:00
|
|
|
will be set to this. Defaults to 'localpart'.
|
2020-11-23 19:28:03 +01:00
|
|
|
address: the IP address used to perform the registration.
|
|
|
|
bind_emails: list of emails to bind to this account.
|
|
|
|
by_admin: True if this registration is being made via the
|
2020-06-05 14:08:49 +02:00
|
|
|
admin api, otherwise False.
|
2021-06-18 13:15:52 +02:00
|
|
|
user_agent_ips: Tuples of user-agents and IP addresses used
|
2020-08-20 21:42:58 +02:00
|
|
|
during the registration process.
|
2021-03-16 13:41:41 +01:00
|
|
|
auth_provider_id: The SSO IdP the user used, if any.
|
2014-08-12 16:10:52 +02:00
|
|
|
Returns:
|
2021-03-04 17:39:27 +01:00
|
|
|
The registered user_id.
|
2014-08-12 16:10:52 +02:00
|
|
|
Raises:
|
2020-01-13 13:48:22 +01:00
|
|
|
SynapseError if there was a problem registering.
|
2014-08-12 16:10:52 +02:00
|
|
|
"""
|
2021-04-08 23:38:54 +02:00
|
|
|
bind_emails = bind_emails or []
|
|
|
|
|
2021-03-30 13:06:09 +02:00
|
|
|
await self.check_registration_ratelimit(address)
|
2020-08-20 21:42:58 +02:00
|
|
|
|
2020-12-11 20:05:15 +01:00
|
|
|
result = await self.spam_checker.check_registration_for_spam(
|
2021-02-16 23:32:34 +01:00
|
|
|
threepid,
|
|
|
|
localpart,
|
|
|
|
user_agent_ips or [],
|
2021-03-16 13:41:41 +01:00
|
|
|
auth_provider_id=auth_provider_id,
|
2020-08-20 21:42:58 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
if result == RegistrationBehaviour.DENY:
|
|
|
|
logger.info(
|
2021-02-16 23:32:34 +01:00
|
|
|
"Blocked registration of %r",
|
|
|
|
localpart,
|
2020-08-20 21:42:58 +02:00
|
|
|
)
|
|
|
|
# We return a 429 to make it not obvious that they've been
|
|
|
|
# denied.
|
|
|
|
raise SynapseError(429, "Rate limited")
|
|
|
|
|
|
|
|
shadow_banned = result == RegistrationBehaviour.SHADOW_BAN
|
|
|
|
if shadow_banned:
|
|
|
|
logger.info(
|
2021-02-16 23:32:34 +01:00
|
|
|
"Shadow banning registration of %r",
|
|
|
|
localpart,
|
2020-08-20 21:42:58 +02:00
|
|
|
)
|
2018-08-13 19:00:23 +02:00
|
|
|
|
2020-06-05 14:08:49 +02:00
|
|
|
# do not check_auth_blocking if the call is coming through the Admin API
|
|
|
|
if not by_admin:
|
2022-06-14 10:51:15 +02:00
|
|
|
await self.auth_blocking.check_auth_blocking(threepid=threepid)
|
2014-08-12 16:10:52 +02:00
|
|
|
|
2020-01-13 13:47:30 +01:00
|
|
|
if localpart is not None:
|
2020-06-08 17:15:02 +02:00
|
|
|
await self.check_username(localpart, guest_access_token=guest_access_token)
|
2015-03-18 12:33:46 +01:00
|
|
|
|
2016-02-05 12:22:30 +01:00
|
|
|
was_guest = guest_access_token is not None
|
|
|
|
|
2014-12-08 10:24:37 +01:00
|
|
|
user = UserID(localpart, self.hs.hostname)
|
2014-08-12 16:10:52 +02:00
|
|
|
user_id = user.to_string()
|
|
|
|
|
2018-12-07 14:44:46 +01:00
|
|
|
if was_guest:
|
|
|
|
# If the user was a guest then they already have a profile
|
|
|
|
default_display_name = None
|
|
|
|
|
|
|
|
elif default_display_name is None:
|
|
|
|
default_display_name = localpart
|
|
|
|
|
2020-06-08 17:15:02 +02:00
|
|
|
await self.register_with_store(
|
2014-10-30 12:10:17 +01:00
|
|
|
user_id=user_id,
|
2016-01-05 19:01:18 +01:00
|
|
|
password_hash=password_hash,
|
2016-02-05 12:22:30 +01:00
|
|
|
was_guest=was_guest,
|
2016-01-06 18:44:10 +01:00
|
|
|
make_guest=make_guest,
|
2018-12-07 14:44:46 +01:00
|
|
|
create_profile_with_displayname=default_display_name,
|
2016-07-05 18:30:22 +02:00
|
|
|
admin=admin,
|
2018-12-14 19:20:59 +01:00
|
|
|
user_type=user_type,
|
2019-03-05 15:25:33 +01:00
|
|
|
address=address,
|
2020-08-14 18:37:59 +02:00
|
|
|
shadow_banned=shadow_banned,
|
2014-10-30 12:10:17 +01:00
|
|
|
)
|
2017-11-29 19:33:34 +01:00
|
|
|
|
2021-09-21 14:02:34 +02:00
|
|
|
profile = await self.store.get_profileinfo(localpart)
|
|
|
|
await self.user_directory_handler.handle_local_profile_change(
|
|
|
|
user_id, profile
|
|
|
|
)
|
2017-11-29 19:33:34 +01:00
|
|
|
|
2014-08-12 16:10:52 +02:00
|
|
|
else:
|
2016-02-05 12:22:30 +01:00
|
|
|
# autogen a sequential user ID
|
2019-11-06 17:52:54 +01:00
|
|
|
fail_count = 0
|
2020-11-23 19:28:03 +01:00
|
|
|
# If a default display name is not given, generate one.
|
|
|
|
generate_display_name = default_display_name is None
|
|
|
|
# This breaks on successful registration *or* errors after 10 failures.
|
|
|
|
while True:
|
2019-11-06 17:52:54 +01:00
|
|
|
# Fail after being unable to find a suitable ID a few times
|
|
|
|
if fail_count > 10:
|
|
|
|
raise SynapseError(500, "Unable to find a suitable guest user ID")
|
|
|
|
|
2022-02-21 19:37:04 +01:00
|
|
|
generated_localpart = await self.store.generate_user_id()
|
|
|
|
user = UserID(generated_localpart, self.hs.hostname)
|
2016-02-05 12:22:30 +01:00
|
|
|
user_id = user.to_string()
|
2020-06-08 17:15:02 +02:00
|
|
|
self.check_user_id_not_appservice_exclusive(user_id)
|
2020-11-23 19:28:03 +01:00
|
|
|
if generate_display_name:
|
2022-02-21 19:37:04 +01:00
|
|
|
default_display_name = generated_localpart
|
2014-08-12 16:10:52 +02:00
|
|
|
try:
|
2020-06-08 17:15:02 +02:00
|
|
|
await self.register_with_store(
|
2014-08-12 16:10:52 +02:00
|
|
|
user_id=user_id,
|
2016-02-02 15:42:31 +01:00
|
|
|
password_hash=password_hash,
|
2016-06-17 20:14:16 +02:00
|
|
|
make_guest=make_guest,
|
2018-12-07 14:44:46 +01:00
|
|
|
create_profile_with_displayname=default_display_name,
|
2019-03-05 15:25:33 +01:00
|
|
|
address=address,
|
2020-08-14 18:37:59 +02:00
|
|
|
shadow_banned=shadow_banned,
|
2016-02-02 15:42:31 +01:00
|
|
|
)
|
2019-11-06 15:54:24 +01:00
|
|
|
|
|
|
|
# Successfully registered
|
|
|
|
break
|
2014-08-12 16:10:52 +02:00
|
|
|
except SynapseError:
|
|
|
|
# if user id is taken, just generate another
|
2019-11-06 17:52:54 +01:00
|
|
|
fail_count += 1
|
2019-07-08 18:14:51 +02:00
|
|
|
|
2021-03-04 17:39:27 +01:00
|
|
|
registration_counter.labels(
|
|
|
|
guest=make_guest,
|
|
|
|
shadow_banned=shadow_banned,
|
|
|
|
auth_provider=(auth_provider_id or ""),
|
|
|
|
).inc()
|
|
|
|
|
2021-09-30 20:06:02 +02:00
|
|
|
# If the user does not need to consent at registration, auto-join any
|
|
|
|
# configured rooms.
|
2021-09-23 13:13:34 +02:00
|
|
|
if not self.hs.config.consent.user_consent_at_registration:
|
2021-10-04 13:18:54 +02:00
|
|
|
if (
|
|
|
|
not self.hs.config.registration.auto_join_rooms_for_guests
|
|
|
|
and make_guest
|
|
|
|
):
|
2020-06-05 19:18:15 +02:00
|
|
|
logger.info(
|
|
|
|
"Skipping auto-join for %s because auto-join for guests is disabled",
|
|
|
|
user_id,
|
|
|
|
)
|
|
|
|
else:
|
2020-06-08 17:15:02 +02:00
|
|
|
await self._auto_join_rooms(user_id)
|
2019-07-08 18:14:51 +02:00
|
|
|
else:
|
|
|
|
logger.info(
|
|
|
|
"Skipping auto-join for %s because consent is required at registration",
|
|
|
|
user_id,
|
|
|
|
)
|
2014-08-12 16:10:52 +02:00
|
|
|
|
2019-03-28 16:48:07 +01:00
|
|
|
# Bind any specified emails to this account
|
|
|
|
current_time = self.hs.get_clock().time_msec()
|
|
|
|
for email in bind_emails:
|
|
|
|
# generate threepid dict
|
|
|
|
threepid_dict = {
|
|
|
|
"medium": "email",
|
|
|
|
"address": email,
|
|
|
|
"validated_at": current_time,
|
|
|
|
}
|
|
|
|
|
|
|
|
# Bind email to new account
|
2020-06-08 17:15:02 +02:00
|
|
|
await self._register_email_threepid(user_id, threepid_dict, None)
|
2019-03-28 16:48:07 +01:00
|
|
|
|
2019-07-23 15:00:55 +02:00
|
|
|
return user_id
|
2018-11-28 12:24:57 +01:00
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
async def _create_and_join_rooms(self, user_id: str) -> None:
|
2020-06-30 21:41:36 +02:00
|
|
|
"""
|
|
|
|
Create the auto-join rooms and join or invite the user to them.
|
|
|
|
|
|
|
|
This should only be called when the first "real" user registers.
|
2018-11-28 12:24:57 +01:00
|
|
|
|
|
|
|
Args:
|
2020-06-30 21:41:36 +02:00
|
|
|
user_id: The user to join
|
2018-11-28 12:24:57 +01:00
|
|
|
"""
|
2020-06-30 21:41:36 +02:00
|
|
|
# Getting the handlers during init gives a dependency loop.
|
|
|
|
room_creation_handler = self.hs.get_room_creation_handler()
|
|
|
|
room_member_handler = self.hs.get_room_member_handler()
|
2018-10-04 18:00:27 +02:00
|
|
|
|
2020-06-30 21:41:36 +02:00
|
|
|
# Generate a stub for how the rooms will be configured.
|
|
|
|
stub_config = {
|
|
|
|
"preset": self.hs.config.registration.autocreate_auto_join_room_preset,
|
|
|
|
}
|
|
|
|
|
2021-09-30 20:06:02 +02:00
|
|
|
# If the configuration provides a user ID to create rooms with, use
|
2020-06-30 21:41:36 +02:00
|
|
|
# that instead of the first user registered.
|
|
|
|
requires_join = False
|
|
|
|
if self.hs.config.registration.auto_join_user_id:
|
|
|
|
fake_requester = create_requester(
|
2020-11-17 11:51:25 +01:00
|
|
|
self.hs.config.registration.auto_join_user_id,
|
|
|
|
authenticated_entity=self._server_name,
|
2020-06-30 21:41:36 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
# If the room requires an invite, add the user to the list of invites.
|
|
|
|
if self.hs.config.registration.auto_join_room_requires_invite:
|
|
|
|
stub_config["invite"] = [user_id]
|
|
|
|
|
|
|
|
# If the room is being created by a different user, the first user
|
|
|
|
# registered needs to join it. Note that in the case of an invitation
|
|
|
|
# being necessary this will occur after the invite was sent.
|
|
|
|
requires_join = True
|
|
|
|
else:
|
2020-11-17 11:51:25 +01:00
|
|
|
fake_requester = create_requester(
|
|
|
|
user_id, authenticated_entity=self._server_name
|
|
|
|
)
|
2020-06-30 21:41:36 +02:00
|
|
|
|
|
|
|
# Choose whether to federate the new room.
|
|
|
|
if not self.hs.config.registration.autocreate_auto_join_rooms_federated:
|
2021-09-08 16:00:43 +02:00
|
|
|
stub_config["creation_content"] = {EventContentFields.FEDERATE: False}
|
2020-06-30 21:41:36 +02:00
|
|
|
|
|
|
|
for r in self.hs.config.registration.auto_join_rooms:
|
2019-07-08 18:14:51 +02:00
|
|
|
logger.info("Auto-joining %s to %s", user_id, r)
|
2020-06-30 21:41:36 +02:00
|
|
|
|
2018-03-14 16:45:37 +01:00
|
|
|
try:
|
2020-06-30 21:41:36 +02:00
|
|
|
room_alias = RoomAlias.from_string(r)
|
|
|
|
|
|
|
|
if self.hs.hostname != room_alias.domain:
|
2021-06-23 16:14:52 +02:00
|
|
|
# If the alias is remote, try to join the room. This might fail
|
|
|
|
# because the room might be invite only, but we don't have any local
|
|
|
|
# user in the room to invite this one with, so at this point that's
|
|
|
|
# the best we can do.
|
|
|
|
logger.info(
|
|
|
|
"Cannot automatically create room with alias %s as it isn't"
|
|
|
|
" local, trying to join the room instead",
|
2020-06-30 21:41:36 +02:00
|
|
|
r,
|
|
|
|
)
|
2021-06-23 16:14:52 +02:00
|
|
|
|
|
|
|
(
|
|
|
|
room,
|
|
|
|
remote_room_hosts,
|
|
|
|
) = await room_member_handler.lookup_room_alias(room_alias)
|
|
|
|
room_id = room.to_string()
|
|
|
|
|
|
|
|
await room_member_handler.update_membership(
|
|
|
|
requester=create_requester(
|
|
|
|
user_id, authenticated_entity=self._server_name
|
|
|
|
),
|
|
|
|
target=UserID.from_string(user_id),
|
|
|
|
room_id=room_id,
|
|
|
|
remote_room_hosts=remote_room_hosts,
|
|
|
|
action="join",
|
|
|
|
ratelimit=False,
|
|
|
|
)
|
2020-06-30 21:41:36 +02:00
|
|
|
else:
|
|
|
|
# A shallow copy is OK here since the only key that is
|
|
|
|
# modified is room_alias_name.
|
|
|
|
config = stub_config.copy()
|
|
|
|
# create room expects the localpart of the room alias
|
|
|
|
config["room_alias_name"] = room_alias.localpart
|
|
|
|
|
|
|
|
info, _ = await room_creation_handler.create_room(
|
2021-02-16 23:32:34 +01:00
|
|
|
fake_requester,
|
|
|
|
config=config,
|
|
|
|
ratelimit=False,
|
2020-06-30 21:41:36 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
# If the room does not require an invite, but another user
|
|
|
|
# created it, then ensure the first user joins it.
|
|
|
|
if requires_join:
|
|
|
|
await room_member_handler.update_membership(
|
2020-11-17 11:51:25 +01:00
|
|
|
requester=create_requester(
|
|
|
|
user_id, authenticated_entity=self._server_name
|
|
|
|
),
|
2020-06-30 21:41:36 +02:00
|
|
|
target=UserID.from_string(user_id),
|
|
|
|
room_id=info["room_id"],
|
|
|
|
# Since it was just created, there are no remote hosts.
|
|
|
|
remote_room_hosts=[],
|
|
|
|
action="join",
|
2018-10-17 12:36:41 +02:00
|
|
|
ratelimit=False,
|
2018-10-12 19:17:36 +02:00
|
|
|
)
|
2020-06-30 21:41:36 +02:00
|
|
|
except Exception as e:
|
|
|
|
logger.error("Failed to join new user to %r: %r", r, e)
|
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
async def _join_rooms(self, user_id: str) -> None:
|
2020-06-30 21:41:36 +02:00
|
|
|
"""
|
|
|
|
Join or invite the user to the auto-join rooms.
|
|
|
|
|
|
|
|
Args:
|
|
|
|
user_id: The user to join
|
|
|
|
"""
|
|
|
|
room_member_handler = self.hs.get_room_member_handler()
|
|
|
|
|
|
|
|
for r in self.hs.config.registration.auto_join_rooms:
|
|
|
|
logger.info("Auto-joining %s to %s", user_id, r)
|
|
|
|
|
|
|
|
try:
|
|
|
|
room_alias = RoomAlias.from_string(r)
|
|
|
|
|
|
|
|
if RoomAlias.is_valid(r):
|
|
|
|
(
|
2021-03-17 12:14:39 +01:00
|
|
|
room,
|
2020-06-30 21:41:36 +02:00
|
|
|
remote_room_hosts,
|
|
|
|
) = await room_member_handler.lookup_room_alias(room_alias)
|
2021-03-17 12:14:39 +01:00
|
|
|
room_id = room.to_string()
|
2018-10-13 22:14:21 +02:00
|
|
|
else:
|
2020-06-30 21:41:36 +02:00
|
|
|
raise SynapseError(
|
|
|
|
400, "%s was not legal room ID or room alias" % (r,)
|
|
|
|
)
|
|
|
|
|
|
|
|
# Calculate whether the room requires an invite or can be
|
2021-06-23 16:14:52 +02:00
|
|
|
# joined directly. By default, we consider the room as requiring an
|
|
|
|
# invite if the homeserver is in the room (unless told otherwise by the
|
|
|
|
# join rules). Otherwise we consider it as being joinable, at the risk of
|
|
|
|
# failing to join, but in this case there's little more we can do since
|
|
|
|
# we don't have a local user in the room to craft up an invite with.
|
|
|
|
requires_invite = await self.store.is_host_joined(
|
|
|
|
room_id,
|
2021-10-08 13:44:43 +02:00
|
|
|
self._server_name,
|
2020-06-30 21:41:36 +02:00
|
|
|
)
|
|
|
|
|
2021-06-23 16:14:52 +02:00
|
|
|
if requires_invite:
|
|
|
|
# If the server is in the room, check if the room is public.
|
2022-06-01 17:02:53 +02:00
|
|
|
state = await self._storage_controllers.state.get_current_state_ids(
|
2021-06-23 16:14:52 +02:00
|
|
|
room_id, StateFilter.from_types([(EventTypes.JoinRules, "")])
|
2020-06-30 21:41:36 +02:00
|
|
|
)
|
2021-06-23 16:14:52 +02:00
|
|
|
|
|
|
|
event_id = state.get((EventTypes.JoinRules, ""))
|
|
|
|
if event_id:
|
|
|
|
join_rules_event = await self.store.get_event(
|
|
|
|
event_id, allow_none=True
|
|
|
|
)
|
|
|
|
if join_rules_event:
|
|
|
|
join_rule = join_rules_event.content.get("join_rule", None)
|
|
|
|
requires_invite = (
|
|
|
|
join_rule and join_rule != JoinRules.PUBLIC
|
|
|
|
)
|
2020-06-30 21:41:36 +02:00
|
|
|
|
|
|
|
# Send the invite, if necessary.
|
|
|
|
if requires_invite:
|
2020-11-23 19:28:03 +01:00
|
|
|
# If an invite is required, there must be a auto-join user ID.
|
|
|
|
assert self.hs.config.registration.auto_join_user_id
|
|
|
|
|
2020-06-30 21:41:36 +02:00
|
|
|
await room_member_handler.update_membership(
|
|
|
|
requester=create_requester(
|
2020-11-17 11:51:25 +01:00
|
|
|
self.hs.config.registration.auto_join_user_id,
|
|
|
|
authenticated_entity=self._server_name,
|
2020-06-30 21:41:36 +02:00
|
|
|
),
|
|
|
|
target=UserID.from_string(user_id),
|
|
|
|
room_id=room_id,
|
|
|
|
remote_room_hosts=remote_room_hosts,
|
|
|
|
action="invite",
|
|
|
|
ratelimit=False,
|
|
|
|
)
|
|
|
|
|
|
|
|
# Send the join.
|
|
|
|
await room_member_handler.update_membership(
|
2020-11-17 11:51:25 +01:00
|
|
|
requester=create_requester(
|
|
|
|
user_id, authenticated_entity=self._server_name
|
|
|
|
),
|
2020-06-30 21:41:36 +02:00
|
|
|
target=UserID.from_string(user_id),
|
|
|
|
room_id=room_id,
|
|
|
|
remote_room_hosts=remote_room_hosts,
|
|
|
|
action="join",
|
|
|
|
ratelimit=False,
|
|
|
|
)
|
|
|
|
|
2019-03-19 12:38:59 +01:00
|
|
|
except ConsentNotGivenError as e:
|
|
|
|
# Technically not necessary to pull out this error though
|
|
|
|
# moving away from bare excepts is a good thing to do.
|
|
|
|
logger.error("Failed to join new user to %r: %r", r, e)
|
2018-03-14 16:45:37 +01:00
|
|
|
except Exception as e:
|
|
|
|
logger.error("Failed to join new user to %r: %r", r, e)
|
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
async def _auto_join_rooms(self, user_id: str) -> None:
|
2020-06-30 21:41:36 +02:00
|
|
|
"""Automatically joins users to auto join rooms - creating the room in the first place
|
|
|
|
if the user is the first to be created.
|
|
|
|
|
|
|
|
Args:
|
|
|
|
user_id: The user to join
|
|
|
|
"""
|
|
|
|
# auto-join the user to any rooms we're supposed to dump them into
|
|
|
|
|
|
|
|
# try to create the room if we're the first real user on the server. Note
|
|
|
|
# that an auto-generated support or bot user is not a real user and will never be
|
|
|
|
# the user to create the room
|
|
|
|
should_auto_create_rooms = False
|
|
|
|
is_real_user = await self.store.is_real_user(user_id)
|
|
|
|
if self.hs.config.registration.autocreate_auto_join_rooms and is_real_user:
|
|
|
|
count = await self.store.count_real_users()
|
|
|
|
should_auto_create_rooms = count == 1
|
|
|
|
|
|
|
|
if should_auto_create_rooms:
|
|
|
|
await self._create_and_join_rooms(user_id)
|
|
|
|
else:
|
|
|
|
await self._join_rooms(user_id)
|
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
async def post_consent_actions(self, user_id: str) -> None:
|
2018-11-28 12:24:57 +01:00
|
|
|
"""A series of registration actions that can only be carried out once consent
|
|
|
|
has been granted
|
|
|
|
|
|
|
|
Args:
|
2020-11-23 19:28:03 +01:00
|
|
|
user_id: The user to join
|
2018-11-28 12:24:57 +01:00
|
|
|
"""
|
2020-05-01 16:15:36 +02:00
|
|
|
await self._auto_join_rooms(user_id)
|
2014-09-03 19:22:27 +02:00
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
async def appservice_register(self, user_localpart: str, as_token: str) -> str:
|
2015-02-05 18:29:27 +01:00
|
|
|
user = UserID(user_localpart, self.hs.hostname)
|
|
|
|
user_id = user.to_string()
|
2016-10-06 10:43:32 +02:00
|
|
|
service = self.store.get_app_service_by_token(as_token)
|
2015-02-05 18:29:27 +01:00
|
|
|
if not service:
|
2022-08-22 15:17:59 +02:00
|
|
|
raise InvalidClientTokenError()
|
2015-02-05 18:29:27 +01:00
|
|
|
if not service.is_interested_in_user(user_id):
|
|
|
|
raise SynapseError(
|
2019-06-20 11:32:02 +02:00
|
|
|
400,
|
|
|
|
"Invalid user localpart for this application service.",
|
|
|
|
errcode=Codes.EXCLUSIVE,
|
2015-02-05 18:29:27 +01:00
|
|
|
)
|
2016-02-11 18:37:38 +01:00
|
|
|
|
2016-03-10 16:58:22 +01:00
|
|
|
service_id = service.id if service.is_exclusive_user(user_id) else None
|
|
|
|
|
2020-06-08 17:15:02 +02:00
|
|
|
self.check_user_id_not_appservice_exclusive(user_id, allowed_appservice=service)
|
2016-02-11 18:37:38 +01:00
|
|
|
|
2020-06-08 17:15:02 +02:00
|
|
|
await self.register_with_store(
|
2015-02-05 18:29:27 +01:00
|
|
|
user_id=user_id,
|
2016-03-10 16:58:22 +01:00
|
|
|
password_hash="",
|
|
|
|
appservice_id=service_id,
|
2018-12-07 14:44:46 +01:00
|
|
|
create_profile_with_displayname=user.localpart,
|
2015-02-05 18:29:27 +01:00
|
|
|
)
|
2019-07-23 15:00:55 +02:00
|
|
|
return user_id
|
2015-02-05 18:29:27 +01:00
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
def check_user_id_not_appservice_exclusive(
|
|
|
|
self, user_id: str, allowed_appservice: Optional[ApplicationService] = None
|
|
|
|
) -> None:
|
2018-05-17 12:34:28 +02:00
|
|
|
# don't allow people to register the server notices mxid
|
|
|
|
if self._server_notices_mxid is not None:
|
|
|
|
if user_id == self._server_notices_mxid:
|
|
|
|
raise SynapseError(
|
2019-06-20 11:32:02 +02:00
|
|
|
400, "This user ID is reserved.", errcode=Codes.EXCLUSIVE
|
2018-05-17 12:34:28 +02:00
|
|
|
)
|
|
|
|
|
2015-02-05 17:46:56 +01:00
|
|
|
# valid user IDs must not clash with any user ID namespaces claimed by
|
|
|
|
# application services.
|
2016-10-06 10:43:32 +02:00
|
|
|
services = self.store.get_app_services()
|
2015-02-05 17:46:56 +01:00
|
|
|
interested_services = [
|
2019-06-20 11:32:02 +02:00
|
|
|
s
|
|
|
|
for s in services
|
|
|
|
if s.is_interested_in_user(user_id) and s != allowed_appservice
|
2015-02-05 17:46:56 +01:00
|
|
|
]
|
2015-02-27 14:51:41 +01:00
|
|
|
for service in interested_services:
|
|
|
|
if service.is_exclusive_user(user_id):
|
|
|
|
raise SynapseError(
|
2019-06-20 11:32:02 +02:00
|
|
|
400,
|
|
|
|
"This user ID is reserved by an application service.",
|
|
|
|
errcode=Codes.EXCLUSIVE,
|
2015-02-27 14:51:41 +01:00
|
|
|
)
|
2015-02-05 17:46:56 +01:00
|
|
|
|
2021-03-30 13:06:09 +02:00
|
|
|
async def check_registration_ratelimit(self, address: Optional[str]) -> None:
|
2019-11-06 12:55:00 +01:00
|
|
|
"""A simple helper method to check whether the registration rate limit has been hit
|
|
|
|
for a given IP address
|
|
|
|
|
|
|
|
Args:
|
2020-11-23 19:28:03 +01:00
|
|
|
address: the IP address used to perform the registration. If this is
|
2019-11-06 15:54:24 +01:00
|
|
|
None, no ratelimiting will be performed.
|
2019-11-06 12:55:00 +01:00
|
|
|
|
|
|
|
Raises:
|
|
|
|
LimitExceededError: If the rate limit has been exceeded.
|
|
|
|
"""
|
2019-11-06 15:54:24 +01:00
|
|
|
if not address:
|
|
|
|
return
|
|
|
|
|
2021-03-30 13:06:09 +02:00
|
|
|
await self.ratelimiter.ratelimit(None, address)
|
2019-11-06 12:55:00 +01:00
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
async def register_with_store(
|
2019-06-20 11:32:02 +02:00
|
|
|
self,
|
2020-11-23 19:28:03 +01:00
|
|
|
user_id: str,
|
|
|
|
password_hash: Optional[str] = None,
|
|
|
|
was_guest: bool = False,
|
|
|
|
make_guest: bool = False,
|
|
|
|
appservice_id: Optional[str] = None,
|
|
|
|
create_profile_with_displayname: Optional[str] = None,
|
|
|
|
admin: bool = False,
|
|
|
|
user_type: Optional[str] = None,
|
|
|
|
address: Optional[str] = None,
|
|
|
|
shadow_banned: bool = False,
|
|
|
|
) -> None:
|
2019-02-18 13:12:57 +01:00
|
|
|
"""Register user in the datastore.
|
|
|
|
|
|
|
|
Args:
|
2020-11-23 19:28:03 +01:00
|
|
|
user_id: The desired user ID to register.
|
|
|
|
password_hash: Optional. The password hash for this user.
|
|
|
|
was_guest: Optional. Whether this is a guest account being
|
2019-02-18 13:12:57 +01:00
|
|
|
upgraded to a non-guest account.
|
2020-11-23 19:28:03 +01:00
|
|
|
make_guest: True if the the new user should be guest,
|
2019-02-18 13:12:57 +01:00
|
|
|
false to add a regular user account.
|
2020-11-23 19:28:03 +01:00
|
|
|
appservice_id: The ID of the appservice registering the user.
|
|
|
|
create_profile_with_displayname: Optionally create a
|
2019-02-18 13:12:57 +01:00
|
|
|
profile for the user, setting their displayname to the given value
|
2020-11-23 19:28:03 +01:00
|
|
|
admin: is an admin user?
|
|
|
|
user_type: type of user. One of the values from
|
2019-02-18 13:12:57 +01:00
|
|
|
api.constants.UserTypes, or None for a normal user.
|
2020-11-23 19:28:03 +01:00
|
|
|
address: the IP address used to perform the registration.
|
|
|
|
shadow_banned: Whether to shadow-ban the user
|
2019-02-18 13:12:57 +01:00
|
|
|
"""
|
2021-09-13 19:07:12 +02:00
|
|
|
if self.hs.config.worker.worker_app:
|
2020-11-23 19:28:03 +01:00
|
|
|
await self._register_client(
|
2019-02-18 13:12:57 +01:00
|
|
|
user_id=user_id,
|
|
|
|
password_hash=password_hash,
|
|
|
|
was_guest=was_guest,
|
|
|
|
make_guest=make_guest,
|
|
|
|
appservice_id=appservice_id,
|
|
|
|
create_profile_with_displayname=create_profile_with_displayname,
|
|
|
|
admin=admin,
|
|
|
|
user_type=user_type,
|
2019-03-05 15:25:33 +01:00
|
|
|
address=address,
|
2020-08-14 18:37:59 +02:00
|
|
|
shadow_banned=shadow_banned,
|
2019-02-18 13:12:57 +01:00
|
|
|
)
|
|
|
|
else:
|
2020-11-23 19:28:03 +01:00
|
|
|
await self.store.register_user(
|
2019-02-18 13:12:57 +01:00
|
|
|
user_id=user_id,
|
|
|
|
password_hash=password_hash,
|
|
|
|
was_guest=was_guest,
|
|
|
|
make_guest=make_guest,
|
|
|
|
appservice_id=appservice_id,
|
|
|
|
create_profile_with_displayname=create_profile_with_displayname,
|
|
|
|
admin=admin,
|
|
|
|
user_type=user_type,
|
2020-08-14 18:37:59 +02:00
|
|
|
shadow_banned=shadow_banned,
|
2019-02-18 13:12:57 +01:00
|
|
|
)
|
2019-02-18 17:49:38 +01:00
|
|
|
|
2021-07-16 18:11:53 +02:00
|
|
|
# Only call the account validity module(s) on the main process, to avoid
|
|
|
|
# repeating e.g. database writes on all of the workers.
|
|
|
|
await self._account_validity_handler.on_user_registration(user_id)
|
|
|
|
|
2020-06-08 17:15:02 +02:00
|
|
|
async def register_device(
|
2020-11-23 19:28:03 +01:00
|
|
|
self,
|
|
|
|
user_id: str,
|
|
|
|
device_id: Optional[str],
|
|
|
|
initial_display_name: Optional[str],
|
|
|
|
is_guest: bool = False,
|
2020-12-17 13:55:21 +01:00
|
|
|
is_appservice_ghost: bool = False,
|
2021-03-04 17:39:27 +01:00
|
|
|
auth_provider_id: Optional[str] = None,
|
2021-06-24 15:33:20 +02:00
|
|
|
should_issue_refresh_token: bool = False,
|
2021-12-06 18:43:06 +01:00
|
|
|
auth_provider_session_id: Optional[str] = None,
|
2021-06-24 15:33:20 +02:00
|
|
|
) -> Tuple[str, str, Optional[int], Optional[str]]:
|
2019-02-18 17:49:38 +01:00
|
|
|
"""Register a device for a user and generate an access token.
|
|
|
|
|
2019-07-12 18:26:02 +02:00
|
|
|
The access token will be limited by the homeserver's session_lifetime config.
|
|
|
|
|
2019-02-18 17:49:38 +01:00
|
|
|
Args:
|
2020-11-23 19:28:03 +01:00
|
|
|
user_id: full canonical @user:id
|
|
|
|
device_id: The device ID to check, or None to generate a new one.
|
|
|
|
initial_display_name: An optional display name for the device.
|
|
|
|
is_guest: Whether this is a guest account
|
2021-12-06 18:43:06 +01:00
|
|
|
auth_provider_id: The SSO IdP the user used, if any.
|
2021-06-24 15:33:20 +02:00
|
|
|
should_issue_refresh_token: Whether it should also issue a refresh token
|
2021-12-06 18:43:06 +01:00
|
|
|
auth_provider_session_id: The session ID received during login from the SSO IdP.
|
2019-02-18 17:49:38 +01:00
|
|
|
Returns:
|
2021-06-24 15:33:20 +02:00
|
|
|
Tuple of device ID, access token, access token expiration time and refresh token
|
2019-02-18 17:49:38 +01:00
|
|
|
"""
|
2021-03-10 19:15:03 +01:00
|
|
|
res = await self._register_device_client(
|
|
|
|
user_id=user_id,
|
|
|
|
device_id=device_id,
|
|
|
|
initial_display_name=initial_display_name,
|
|
|
|
is_guest=is_guest,
|
|
|
|
is_appservice_ghost=is_appservice_ghost,
|
2021-06-24 15:33:20 +02:00
|
|
|
should_issue_refresh_token=should_issue_refresh_token,
|
2021-12-06 18:43:06 +01:00
|
|
|
auth_provider_id=auth_provider_id,
|
|
|
|
auth_provider_session_id=auth_provider_session_id,
|
2021-03-10 19:15:03 +01:00
|
|
|
)
|
2019-02-18 17:49:38 +01:00
|
|
|
|
2021-03-10 19:15:03 +01:00
|
|
|
login_counter.labels(
|
|
|
|
guest=is_guest,
|
|
|
|
auth_provider=(auth_provider_id or ""),
|
|
|
|
).inc()
|
|
|
|
|
2021-06-24 15:33:20 +02:00
|
|
|
return (
|
|
|
|
res["device_id"],
|
|
|
|
res["access_token"],
|
|
|
|
res["valid_until_ms"],
|
|
|
|
res["refresh_token"],
|
|
|
|
)
|
2021-03-10 19:15:03 +01:00
|
|
|
|
|
|
|
async def register_device_inner(
|
|
|
|
self,
|
|
|
|
user_id: str,
|
|
|
|
device_id: Optional[str],
|
|
|
|
initial_display_name: Optional[str],
|
|
|
|
is_guest: bool = False,
|
|
|
|
is_appservice_ghost: bool = False,
|
2021-06-24 15:33:20 +02:00
|
|
|
should_issue_refresh_token: bool = False,
|
2021-12-06 18:43:06 +01:00
|
|
|
auth_provider_id: Optional[str] = None,
|
|
|
|
auth_provider_session_id: Optional[str] = None,
|
2021-06-24 15:33:20 +02:00
|
|
|
) -> LoginDict:
|
2021-03-10 19:15:03 +01:00
|
|
|
"""Helper for register_device
|
2019-07-12 18:26:02 +02:00
|
|
|
|
2021-03-10 19:15:03 +01:00
|
|
|
Does the bits that need doing on the main process. Not for use outside this
|
|
|
|
class and RegisterDeviceReplicationServlet.
|
|
|
|
"""
|
2021-09-13 19:07:12 +02:00
|
|
|
assert not self.hs.config.worker.worker_app
|
2021-12-03 17:42:44 +01:00
|
|
|
now_ms = self.clock.time_msec()
|
2021-11-26 15:27:14 +01:00
|
|
|
access_token_expiry = None
|
2019-07-12 18:26:02 +02:00
|
|
|
if self.session_lifetime is not None:
|
2019-02-18 17:49:38 +01:00
|
|
|
if is_guest:
|
2019-07-12 18:26:02 +02:00
|
|
|
raise Exception(
|
|
|
|
"session_lifetime is not currently implemented for guest access"
|
2019-02-18 17:49:38 +01:00
|
|
|
)
|
2021-12-03 17:42:44 +01:00
|
|
|
access_token_expiry = now_ms + self.session_lifetime
|
|
|
|
|
|
|
|
if self.nonrefreshable_access_token_lifetime is not None:
|
|
|
|
if access_token_expiry is not None:
|
|
|
|
# Don't allow the non-refreshable access token to outlive the
|
|
|
|
# session.
|
|
|
|
access_token_expiry = min(
|
|
|
|
now_ms + self.nonrefreshable_access_token_lifetime,
|
|
|
|
access_token_expiry,
|
|
|
|
)
|
|
|
|
else:
|
|
|
|
access_token_expiry = now_ms + self.nonrefreshable_access_token_lifetime
|
2019-07-12 18:26:02 +02:00
|
|
|
|
2021-06-24 15:33:20 +02:00
|
|
|
refresh_token = None
|
|
|
|
refresh_token_id = None
|
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
registered_device_id = await self.device_handler.check_device_registered(
|
2021-12-06 18:43:06 +01:00
|
|
|
user_id,
|
|
|
|
device_id,
|
|
|
|
initial_display_name,
|
|
|
|
auth_provider_id=auth_provider_id,
|
|
|
|
auth_provider_session_id=auth_provider_session_id,
|
2019-07-12 18:26:02 +02:00
|
|
|
)
|
|
|
|
if is_guest:
|
2021-11-26 15:27:14 +01:00
|
|
|
assert access_token_expiry is None
|
2021-05-12 16:04:51 +02:00
|
|
|
access_token = self.macaroon_gen.generate_guest_access_token(user_id)
|
2019-07-12 18:26:02 +02:00
|
|
|
else:
|
2021-06-24 15:33:20 +02:00
|
|
|
if should_issue_refresh_token:
|
2021-11-29 14:34:14 +01:00
|
|
|
# A refreshable access token lifetime must be configured
|
|
|
|
# since we're told to issue a refresh token (the caller checks
|
|
|
|
# that this value is set before setting this flag).
|
|
|
|
assert self.refreshable_access_token_lifetime is not None
|
|
|
|
|
2021-11-26 15:27:14 +01:00
|
|
|
# Set the expiry time of the refreshable access token
|
|
|
|
access_token_expiry = now_ms + self.refreshable_access_token_lifetime
|
|
|
|
|
|
|
|
# Set the refresh token expiry time (if configured)
|
|
|
|
refresh_token_expiry = None
|
|
|
|
if self.refresh_token_lifetime is not None:
|
|
|
|
refresh_token_expiry = now_ms + self.refresh_token_lifetime
|
|
|
|
|
|
|
|
# Set an ultimate session expiry time (if configured)
|
|
|
|
ultimate_session_expiry_ts = None
|
|
|
|
if self.session_lifetime is not None:
|
|
|
|
ultimate_session_expiry_ts = now_ms + self.session_lifetime
|
|
|
|
|
|
|
|
# Also ensure that the issued tokens don't outlive the
|
|
|
|
# session.
|
|
|
|
# (It would be weird to configure a homeserver with a shorter
|
|
|
|
# session lifetime than token lifetime, but may as well handle
|
|
|
|
# it.)
|
|
|
|
access_token_expiry = min(
|
|
|
|
access_token_expiry, ultimate_session_expiry_ts
|
|
|
|
)
|
|
|
|
if refresh_token_expiry is not None:
|
|
|
|
refresh_token_expiry = min(
|
|
|
|
refresh_token_expiry, ultimate_session_expiry_ts
|
|
|
|
)
|
|
|
|
|
2021-06-24 15:33:20 +02:00
|
|
|
(
|
|
|
|
refresh_token,
|
|
|
|
refresh_token_id,
|
2021-11-18 15:45:38 +01:00
|
|
|
) = await self._auth_handler.create_refresh_token_for_user_id(
|
2021-06-24 15:33:20 +02:00
|
|
|
user_id,
|
|
|
|
device_id=registered_device_id,
|
2021-11-26 15:27:14 +01:00
|
|
|
expiry_ts=refresh_token_expiry,
|
|
|
|
ultimate_session_expiry_ts=ultimate_session_expiry_ts,
|
2021-11-23 18:01:34 +01:00
|
|
|
)
|
2021-06-24 15:33:20 +02:00
|
|
|
|
2021-11-17 15:10:57 +01:00
|
|
|
access_token = await self._auth_handler.create_access_token_for_user_id(
|
2020-12-17 13:55:21 +01:00
|
|
|
user_id,
|
|
|
|
device_id=registered_device_id,
|
2021-11-26 15:27:14 +01:00
|
|
|
valid_until_ms=access_token_expiry,
|
2020-12-17 13:55:21 +01:00
|
|
|
is_appservice_ghost=is_appservice_ghost,
|
2021-06-24 15:33:20 +02:00
|
|
|
refresh_token_id=refresh_token_id,
|
2019-07-12 18:26:02 +02:00
|
|
|
)
|
2019-02-18 17:49:38 +01:00
|
|
|
|
2021-06-24 15:33:20 +02:00
|
|
|
return {
|
|
|
|
"device_id": registered_device_id,
|
|
|
|
"access_token": access_token,
|
2021-11-26 15:27:14 +01:00
|
|
|
"valid_until_ms": access_token_expiry,
|
2021-06-24 15:33:20 +02:00
|
|
|
"refresh_token": refresh_token,
|
|
|
|
}
|
2019-02-20 08:47:31 +01:00
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
async def post_registration_actions(
|
|
|
|
self, user_id: str, auth_result: dict, access_token: Optional[str]
|
|
|
|
) -> None:
|
2019-02-20 08:47:31 +01:00
|
|
|
"""A user has completed registration
|
|
|
|
|
|
|
|
Args:
|
2020-11-23 19:28:03 +01:00
|
|
|
user_id: The user ID that consented
|
|
|
|
auth_result: The authenticated credentials of the newly registered user.
|
|
|
|
access_token: The access token of the newly logged in device, or
|
|
|
|
None if `inhibit_login` enabled.
|
2019-02-20 08:47:31 +01:00
|
|
|
"""
|
2021-02-01 19:37:41 +01:00
|
|
|
# TODO: 3pid registration can actually happen on the workers. Consider
|
|
|
|
# refactoring it.
|
2021-09-13 19:07:12 +02:00
|
|
|
if self.hs.config.worker.worker_app:
|
2020-05-01 16:15:36 +02:00
|
|
|
await self._post_registration_client(
|
2019-09-04 19:24:23 +02:00
|
|
|
user_id=user_id, auth_result=auth_result, access_token=access_token
|
2019-02-20 08:47:31 +01:00
|
|
|
)
|
|
|
|
return
|
|
|
|
|
|
|
|
if auth_result and LoginType.EMAIL_IDENTITY in auth_result:
|
|
|
|
threepid = auth_result[LoginType.EMAIL_IDENTITY]
|
|
|
|
# Necessary due to auth checks prior to the threepid being
|
|
|
|
# written to the db
|
|
|
|
if is_threepid_reserved(
|
2021-09-29 12:44:15 +02:00
|
|
|
self.hs.config.server.mau_limits_reserved_threepids, threepid
|
2019-02-20 08:47:31 +01:00
|
|
|
):
|
2020-05-01 16:15:36 +02:00
|
|
|
await self.store.upsert_monthly_active_user(user_id)
|
2019-02-20 08:47:31 +01:00
|
|
|
|
2020-05-01 16:15:36 +02:00
|
|
|
await self._register_email_threepid(user_id, threepid, access_token)
|
2019-02-20 08:47:31 +01:00
|
|
|
|
|
|
|
if auth_result and LoginType.MSISDN in auth_result:
|
|
|
|
threepid = auth_result[LoginType.MSISDN]
|
2020-05-01 16:15:36 +02:00
|
|
|
await self._register_msisdn_threepid(user_id, threepid)
|
2019-02-20 08:47:31 +01:00
|
|
|
|
|
|
|
if auth_result and LoginType.TERMS in auth_result:
|
2021-09-23 13:13:34 +02:00
|
|
|
# The terms type should only exist if consent is enabled.
|
|
|
|
assert self._user_consent_version is not None
|
|
|
|
await self._on_user_consented(user_id, self._user_consent_version)
|
2019-02-20 08:47:31 +01:00
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
async def _on_user_consented(self, user_id: str, consent_version: str) -> None:
|
2019-02-20 08:47:31 +01:00
|
|
|
"""A user consented to the terms on registration
|
|
|
|
|
|
|
|
Args:
|
2020-11-23 19:28:03 +01:00
|
|
|
user_id: The user ID that consented.
|
|
|
|
consent_version: version of the policy the user has consented to.
|
2019-02-20 08:47:31 +01:00
|
|
|
"""
|
|
|
|
logger.info("%s has consented to the privacy policy", user_id)
|
2020-05-01 16:15:36 +02:00
|
|
|
await self.store.user_set_consent_version(user_id, consent_version)
|
|
|
|
await self.post_consent_actions(user_id)
|
2019-02-20 08:47:31 +01:00
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
async def _register_email_threepid(
|
|
|
|
self, user_id: str, threepid: dict, token: Optional[str]
|
|
|
|
) -> None:
|
2019-02-20 08:47:31 +01:00
|
|
|
"""Add an email address as a 3pid identifier
|
|
|
|
|
|
|
|
Also adds an email pusher for the email address, if configured in the
|
|
|
|
HS config
|
|
|
|
|
|
|
|
Must be called on master.
|
|
|
|
|
|
|
|
Args:
|
2020-11-23 19:28:03 +01:00
|
|
|
user_id: id of user
|
|
|
|
threepid: m.login.email.identity auth response
|
|
|
|
token: access_token for the user, or None if not logged in.
|
2019-02-20 08:47:31 +01:00
|
|
|
"""
|
2019-06-20 11:32:02 +02:00
|
|
|
reqd = ("medium", "address", "validated_at")
|
2019-02-20 08:47:31 +01:00
|
|
|
if any(x not in threepid for x in reqd):
|
|
|
|
# This will only happen if the ID server returns a malformed response
|
|
|
|
logger.info("Can't add incomplete 3pid")
|
|
|
|
return
|
|
|
|
|
2020-06-08 17:15:02 +02:00
|
|
|
await self._auth_handler.add_threepid(
|
2021-02-16 23:32:34 +01:00
|
|
|
user_id,
|
|
|
|
threepid["medium"],
|
|
|
|
threepid["address"],
|
|
|
|
threepid["validated_at"],
|
2019-02-20 08:47:31 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
# And we add an email pusher for them by default, but only
|
|
|
|
# if email notifications are enabled (so people don't start
|
|
|
|
# getting mail spam where they weren't before if email
|
2019-11-12 14:08:12 +01:00
|
|
|
# notifs are set up on a homeserver)
|
2019-06-20 11:32:02 +02:00
|
|
|
if (
|
2021-09-23 13:13:34 +02:00
|
|
|
self.hs.config.email.email_enable_notifs
|
|
|
|
and self.hs.config.email.email_notif_for_new_users
|
2022-01-20 15:37:34 +01:00
|
|
|
and token
|
2019-06-20 11:32:02 +02:00
|
|
|
):
|
2019-02-20 08:47:31 +01:00
|
|
|
# Pull the ID of the access token back out of the db
|
|
|
|
# It would really make more sense for this to be passed
|
|
|
|
# up when the access token is saved, but that's quite an
|
|
|
|
# invasive change I'd rather do separately.
|
2022-01-20 15:37:34 +01:00
|
|
|
user_tuple = await self.store.get_user_by_access_token(token)
|
|
|
|
# The token better still exist.
|
|
|
|
assert user_tuple
|
|
|
|
token_id = user_tuple.token_id
|
2019-02-20 08:47:31 +01:00
|
|
|
|
2020-06-08 17:15:02 +02:00
|
|
|
await self.pusher_pool.add_pusher(
|
2019-02-20 08:47:31 +01:00
|
|
|
user_id=user_id,
|
|
|
|
access_token=token_id,
|
|
|
|
kind="email",
|
|
|
|
app_id="m.email",
|
|
|
|
app_display_name="Email Notifications",
|
|
|
|
device_display_name=threepid["address"],
|
|
|
|
pushkey=threepid["address"],
|
|
|
|
lang=None, # We don't know a user's language here
|
|
|
|
data={},
|
|
|
|
)
|
|
|
|
|
2020-11-23 19:28:03 +01:00
|
|
|
async def _register_msisdn_threepid(self, user_id: str, threepid: dict) -> None:
|
2019-02-20 08:47:31 +01:00
|
|
|
"""Add a phone number as a 3pid identifier
|
|
|
|
|
|
|
|
Must be called on master.
|
|
|
|
|
|
|
|
Args:
|
2020-11-23 19:28:03 +01:00
|
|
|
user_id: id of user
|
|
|
|
threepid: m.login.msisdn auth response
|
2019-02-20 08:47:31 +01:00
|
|
|
"""
|
|
|
|
try:
|
2019-06-20 11:32:02 +02:00
|
|
|
assert_params_in_dict(threepid, ["medium", "address", "validated_at"])
|
2019-02-20 08:47:31 +01:00
|
|
|
except SynapseError as ex:
|
|
|
|
if ex.errcode == Codes.MISSING_PARAM:
|
|
|
|
# This will only happen if the ID server returns a malformed response
|
|
|
|
logger.info("Can't add incomplete 3pid")
|
2019-07-23 15:00:55 +02:00
|
|
|
return None
|
2019-02-20 08:47:31 +01:00
|
|
|
raise
|
|
|
|
|
2020-06-08 17:15:02 +02:00
|
|
|
await self._auth_handler.add_threepid(
|
2021-02-16 23:32:34 +01:00
|
|
|
user_id,
|
|
|
|
threepid["medium"],
|
|
|
|
threepid["address"],
|
|
|
|
threepid["validated_at"],
|
2019-02-20 08:47:31 +01:00
|
|
|
)
|