Fix validation problem that occurs when a user tries to deactivate their account or change their password. (#13563)
parent
2c42673a9b
commit
3a245f6cfe
|
@ -0,0 +1 @@
|
|||
Improve validation of request bodies for the following client-server API endpoints: [`/account/password`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword), [`/account/password/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpasswordemailrequesttoken), [`/account/deactivate`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountdeactivate) and [`/account/3pid/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidemailrequesttoken).
|
|
@ -196,7 +196,7 @@ class PasswordRestServlet(RestServlet):
|
|||
params, session_id = await self.auth_handler.validate_user_via_ui_auth(
|
||||
requester,
|
||||
request,
|
||||
body.dict(),
|
||||
body.dict(exclude_unset=True),
|
||||
"modify your account password",
|
||||
)
|
||||
except InteractiveAuthIncompleteError as e:
|
||||
|
@ -219,7 +219,7 @@ class PasswordRestServlet(RestServlet):
|
|||
result, params, session_id = await self.auth_handler.check_ui_auth(
|
||||
[[LoginType.EMAIL_IDENTITY]],
|
||||
request,
|
||||
body.dict(),
|
||||
body.dict(exclude_unset=True),
|
||||
"modify your account password",
|
||||
)
|
||||
except InteractiveAuthIncompleteError as e:
|
||||
|
@ -316,7 +316,7 @@ class DeactivateAccountRestServlet(RestServlet):
|
|||
await self.auth_handler.validate_user_via_ui_auth(
|
||||
requester,
|
||||
request,
|
||||
body.dict(),
|
||||
body.dict(exclude_unset=True),
|
||||
"deactivate your account",
|
||||
)
|
||||
result = await self._deactivate_account_handler.deactivate_account(
|
||||
|
|
|
@ -322,3 +322,18 @@ class DeactivateAccountTestCase(HomeserverTestCase):
|
|||
)
|
||||
),
|
||||
)
|
||||
|
||||
def test_deactivate_account_needs_auth(self) -> None:
|
||||
"""
|
||||
Tests that making a request to /deactivate with an empty body
|
||||
succeeds in starting the user-interactive auth flow.
|
||||
"""
|
||||
req = self.make_request(
|
||||
"POST",
|
||||
"account/deactivate",
|
||||
{},
|
||||
access_token=self.token,
|
||||
)
|
||||
|
||||
self.assertEqual(req.code, 401, req)
|
||||
self.assertEqual(req.json_body["flows"], [{"stages": ["m.login.password"]}])
|
||||
|
|
Loading…
Reference in New Issue