Add a human-readable description to the fallback template.
parent
018cd02b24
commit
dc5ef6c9fd
|
@ -174,6 +174,7 @@ class AuthHandler(BaseHandler):
|
||||||
request: SynapseRequest,
|
request: SynapseRequest,
|
||||||
request_body: Dict[str, Any],
|
request_body: Dict[str, Any],
|
||||||
clientip: str,
|
clientip: str,
|
||||||
|
description: str,
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
Checks that the user is who they claim to be, via a UI auth.
|
Checks that the user is who they claim to be, via a UI auth.
|
||||||
|
@ -191,6 +192,9 @@ class AuthHandler(BaseHandler):
|
||||||
|
|
||||||
clientip: The IP address of the client.
|
clientip: The IP address of the client.
|
||||||
|
|
||||||
|
description: A human readable string to be displayed to the user that
|
||||||
|
describes the operation happening on their account.
|
||||||
|
|
||||||
Returns:
|
Returns:
|
||||||
defer.Deferred[dict]: the parameters for this request (which may
|
defer.Deferred[dict]: the parameters for this request (which may
|
||||||
have been given only in a previous call).
|
have been given only in a previous call).
|
||||||
|
@ -223,7 +227,7 @@ class AuthHandler(BaseHandler):
|
||||||
|
|
||||||
try:
|
try:
|
||||||
result, params, _ = yield self.check_auth(
|
result, params, _ = yield self.check_auth(
|
||||||
flows, request, request_body, clientip
|
flows, request, request_body, clientip, description
|
||||||
)
|
)
|
||||||
except LoginError:
|
except LoginError:
|
||||||
# Update the ratelimite to say we failed (`can_do_action` doesn't raise).
|
# Update the ratelimite to say we failed (`can_do_action` doesn't raise).
|
||||||
|
@ -268,6 +272,7 @@ class AuthHandler(BaseHandler):
|
||||||
request: SynapseRequest,
|
request: SynapseRequest,
|
||||||
clientdict: Dict[str, Any],
|
clientdict: Dict[str, Any],
|
||||||
clientip: str,
|
clientip: str,
|
||||||
|
description: str,
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
Takes a dictionary sent by the client in the login / registration
|
Takes a dictionary sent by the client in the login / registration
|
||||||
|
@ -294,6 +299,9 @@ class AuthHandler(BaseHandler):
|
||||||
|
|
||||||
clientip: The IP address of the client.
|
clientip: The IP address of the client.
|
||||||
|
|
||||||
|
description: A human readable string to be displayed to the user that
|
||||||
|
describes the operation happening on their account.
|
||||||
|
|
||||||
Returns:
|
Returns:
|
||||||
defer.Deferred[dict, dict, str]: a deferred tuple of
|
defer.Deferred[dict, dict, str]: a deferred tuple of
|
||||||
(creds, params, session_id).
|
(creds, params, session_id).
|
||||||
|
@ -343,12 +351,18 @@ class AuthHandler(BaseHandler):
|
||||||
comparator = (request.uri, request.method, clientdict)
|
comparator = (request.uri, request.method, clientdict)
|
||||||
if "ui_auth" not in session:
|
if "ui_auth" not in session:
|
||||||
session["ui_auth"] = comparator
|
session["ui_auth"] = comparator
|
||||||
|
self._save_session(session)
|
||||||
elif session["ui_auth"] != comparator:
|
elif session["ui_auth"] != comparator:
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
403,
|
403,
|
||||||
"Requested operation has changed during the UI authentication session.",
|
"Requested operation has changed during the UI authentication session.",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Add a human readable description to the session.
|
||||||
|
if "description" not in session:
|
||||||
|
session["description"] = description
|
||||||
|
self._save_session(session)
|
||||||
|
|
||||||
if not authdict:
|
if not authdict:
|
||||||
raise InteractiveAuthIncompleteError(
|
raise InteractiveAuthIncompleteError(
|
||||||
self._auth_dict_for_flows(flows, session)
|
self._auth_dict_for_flows(flows, session)
|
||||||
|
@ -1035,17 +1049,24 @@ class AuthHandler(BaseHandler):
|
||||||
else:
|
else:
|
||||||
return defer.succeed(False)
|
return defer.succeed(False)
|
||||||
|
|
||||||
def start_sso_ui_auth(self, redirect_url: str) -> str:
|
def start_sso_ui_auth(self, redirect_url: str, session_id: str) -> str:
|
||||||
"""
|
"""
|
||||||
Get the HTML for the SSO redirect confirmation page.
|
Get the HTML for the SSO redirect confirmation page.
|
||||||
|
|
||||||
Args:
|
Args:
|
||||||
redirect_url: The URL to redirect to the SSO provider.
|
redirect_url: The URL to redirect to the SSO provider.
|
||||||
|
session_id: The user interactive authentication session ID.
|
||||||
|
|
||||||
Returns:
|
Returns:
|
||||||
The HTML to render.
|
The HTML to render.
|
||||||
"""
|
"""
|
||||||
return self._sso_auth_confirm_template.render(redirect_url=redirect_url,)
|
session = self._get_session_info(session_id)
|
||||||
|
# Get the human readable operation of what is occurring, falling back to
|
||||||
|
# a generic message if it isn't available for some reason.
|
||||||
|
description = session.get("description", "modify your account")
|
||||||
|
return self._sso_auth_confirm_template.render(
|
||||||
|
description=description, redirect_url=redirect_url,
|
||||||
|
)
|
||||||
|
|
||||||
def complete_sso_ui_auth(
|
def complete_sso_ui_auth(
|
||||||
self, registered_user_id: str, session_id: str, request: SynapseRequest,
|
self, registered_user_id: str, session_id: str, request: SynapseRequest,
|
||||||
|
|
|
@ -5,8 +5,7 @@
|
||||||
<body>
|
<body>
|
||||||
<div>
|
<div>
|
||||||
<p>
|
<p>
|
||||||
A client is trying to remove a device/add an email address/take over
|
A client is trying to {{ description | e }}. To confirm this action,
|
||||||
your account. To confirm this action,
|
|
||||||
<a href="{{ redirect_url | e }}">re-authenticate with single sign-on</a>.
|
<a href="{{ redirect_url | e }}">re-authenticate with single sign-on</a>.
|
||||||
If you did not expect this, your account may be compromised!
|
If you did not expect this, your account may be compromised!
|
||||||
</p>
|
</p>
|
||||||
|
|
|
@ -234,7 +234,11 @@ class PasswordRestServlet(RestServlet):
|
||||||
if self.auth.has_access_token(request):
|
if self.auth.has_access_token(request):
|
||||||
requester = await self.auth.get_user_by_req(request)
|
requester = await self.auth.get_user_by_req(request)
|
||||||
params = await self.auth_handler.validate_user_via_ui_auth(
|
params = await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"modify your account password",
|
||||||
)
|
)
|
||||||
user_id = requester.user.to_string()
|
user_id = requester.user.to_string()
|
||||||
else:
|
else:
|
||||||
|
@ -244,6 +248,7 @@ class PasswordRestServlet(RestServlet):
|
||||||
request,
|
request,
|
||||||
body,
|
body,
|
||||||
self.hs.get_ip_from_request(request),
|
self.hs.get_ip_from_request(request),
|
||||||
|
"modify your account password",
|
||||||
)
|
)
|
||||||
|
|
||||||
if LoginType.EMAIL_IDENTITY in result:
|
if LoginType.EMAIL_IDENTITY in result:
|
||||||
|
@ -311,7 +316,11 @@ class DeactivateAccountRestServlet(RestServlet):
|
||||||
return 200, {}
|
return 200, {}
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"deactivate your account",
|
||||||
)
|
)
|
||||||
result = await self._deactivate_account_handler.deactivate_account(
|
result = await self._deactivate_account_handler.deactivate_account(
|
||||||
requester.user.to_string(), erase, id_server=body.get("id_server")
|
requester.user.to_string(), erase, id_server=body.get("id_server")
|
||||||
|
@ -669,7 +678,11 @@ class ThreepidAddRestServlet(RestServlet):
|
||||||
assert_valid_client_secret(client_secret)
|
assert_valid_client_secret(client_secret)
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"add a third-party identifier to your account",
|
||||||
)
|
)
|
||||||
|
|
||||||
validation_session = await self.identity_handler.validate_threepid_session(
|
validation_session = await self.identity_handler.validate_threepid_session(
|
||||||
|
|
|
@ -140,7 +140,7 @@ class AuthRestServlet(RestServlet):
|
||||||
sso_redirect_url = self._saml_handler.handle_redirect_request(
|
sso_redirect_url = self._saml_handler.handle_redirect_request(
|
||||||
client_redirect_url, session
|
client_redirect_url, session
|
||||||
)
|
)
|
||||||
html = self.auth_handler.start_sso_ui_auth(sso_redirect_url)
|
html = self.auth_handler.start_sso_ui_auth(sso_redirect_url, session)
|
||||||
else:
|
else:
|
||||||
raise SynapseError(404, "Unknown auth stage type")
|
raise SynapseError(404, "Unknown auth stage type")
|
||||||
|
|
||||||
|
|
|
@ -81,7 +81,11 @@ class DeleteDevicesRestServlet(RestServlet):
|
||||||
assert_params_in_dict(body, ["devices"])
|
assert_params_in_dict(body, ["devices"])
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"remove device(s) from your account",
|
||||||
)
|
)
|
||||||
|
|
||||||
await self.device_handler.delete_devices(
|
await self.device_handler.delete_devices(
|
||||||
|
@ -127,7 +131,11 @@ class DeviceRestServlet(RestServlet):
|
||||||
raise
|
raise
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"remove a device from your account",
|
||||||
)
|
)
|
||||||
|
|
||||||
await self.device_handler.delete_device(requester.user.to_string(), device_id)
|
await self.device_handler.delete_device(requester.user.to_string(), device_id)
|
||||||
|
|
|
@ -263,7 +263,11 @@ class SigningKeyUploadServlet(RestServlet):
|
||||||
body = parse_json_object_from_request(request)
|
body = parse_json_object_from_request(request)
|
||||||
|
|
||||||
await self.auth_handler.validate_user_via_ui_auth(
|
await self.auth_handler.validate_user_via_ui_auth(
|
||||||
requester, request, body, self.hs.get_ip_from_request(request),
|
requester,
|
||||||
|
request,
|
||||||
|
body,
|
||||||
|
self.hs.get_ip_from_request(request),
|
||||||
|
"add a device signing key to your account",
|
||||||
)
|
)
|
||||||
|
|
||||||
result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)
|
result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)
|
||||||
|
|
|
@ -505,6 +505,7 @@ class RegisterRestServlet(RestServlet):
|
||||||
request,
|
request,
|
||||||
body,
|
body,
|
||||||
self.hs.get_ip_from_request(request),
|
self.hs.get_ip_from_request(request),
|
||||||
|
"log into your account",
|
||||||
)
|
)
|
||||||
|
|
||||||
# Check that we're not trying to register a denied 3pid.
|
# Check that we're not trying to register a denied 3pid.
|
||||||
|
|
Loading…
Reference in New Issue