32e7c9e7f2
Run Black. ( #5482 )
2019-06-20 19:32:02 +10:00
426049247b
Code cleanups and simplifications.
...
Also: share the saml client between redirect and response handlers.
2019-06-11 00:03:57 +01:00
69a43d9974
Merge remote-tracking branch 'origin/develop' into rav/saml2_client
2019-06-10 20:28:08 +01:00
2889b05554
Unify v1 and v2 REST client APIs ( #5226 )
2019-06-03 21:28:59 +10:00
dc3e586938
SAML2 Improvements and redirect stuff
...
Signed-off-by: Alexander Trost <galexrt@googlemail.com>
2019-06-02 18:14:40 +02:00
532b825ed9
Serve CAS login over r0 ( #5286 )
2019-05-30 00:55:18 +10:00
bbd244c7b2
Support 3PID login in password providers ( #4931 )
...
Adds a new method, check_3pid_auth, which gives password providers
the chance to allow authentication with third-party identifiers such
as email or msisdn.
2019-03-26 17:48:30 +00:00
899e523d6d
Add ratelimiting on login ( #4821 )
...
Add two ratelimiters on login (per-IP address and per-userID).
2019-03-15 17:46:16 +00:00
dbdc565dfd
Fix registration on workers ( #4682 )
...
* Move RegistrationHandler init to HomeServer
* Move post registration actions to RegistrationHandler
* Add post regisration replication endpoint
* Newsfile
2019-02-20 18:47:31 +11:00
af691e415c
Move register_device into handler
2019-02-18 16:49:38 +00:00
f85676cc93
Return well_known in /login response ( #4319 )
...
... as per MSC1730.
2018-12-24 10:44:33 +01:00
30da50a5b8
Initialise user displayname from SAML2 data ( #4272 )
...
When we register a new user from SAML2 data, initialise their displayname
correctly.
2018-12-07 14:44:46 +01:00
c588b9b9e4
Factor SSO success handling out of CAS login ( #4264 )
...
This is mostly factoring out the post-CAS-login code to somewhere we can reuse
it for other SSO flows, but it also fixes the userid mapping while we're at it.
2018-12-07 13:10:07 +01:00
b0c24a66ec
Rip out half-implemented m.login.saml2 support ( #4265 )
...
* Rip out half-implemented m.login.saml2 support
This was implemented in an odd way that left most of the work to the client, in
a way that I really didn't understand. It's going to be a pain to maintain, so
let's start by ripping it out.
* drop undocumented dependency on dateutil
It turns out we were relying on dateutil being pulled in transitively by
pysaml2. There's no need for that bloat.
2018-12-06 19:44:38 +11:00
944d524f18
Support m.login.sso ( #4220 )
...
* Clean up the CSS for the fallback login form
I was finding this hard to work with, so simplify a bunch of things. Each
flow is now a form inside a div of class login_flow.
The login_flow class now has a fixed width, as that looks much better than each
flow having a differnt width.
* Support m.login.sso
MSC1721 renames m.login.cas to m.login.sso. This implements the change
(retaining support for m.login.cas for older clients).
* changelog
2018-11-27 18:51:52 +11:00
02aa41809b
Port rest/ to Python 3 ( #3823 )
2018-09-12 20:41:31 +10:00
49af402019
run isort
2018-07-09 16:09:20 +10:00
6350bf925e
Attempt to be more performant on PyPy ( #3462 )
2018-06-28 14:49:57 +01:00
2a3c33ff03
Use six.moves.urlparse
...
The imports were shuffled around a bunch in py3
Signed-off-by: Adrian Tschira <nota@notafile.com>
2018-04-15 21:22:43 +02:00
75c1b8df01
Better logging when login can't find a 3pid
2017-12-20 19:31:00 +00:00
4c8f94ac94
Allow password_auth_providers to return a callback
...
... so that they have a way to record access tokens.
2017-11-01 16:51:03 +00:00
e5e930aec3
Merge pull request #2615 from matrix-org/rav/break_auth_device_dep
...
Break dependency of auth_handler on device_handler
2017-11-01 16:06:31 +00:00
0bb253f37b
Apparently this is python
2017-11-01 14:02:52 +00:00
59e7e62c4b
Log login requests
...
Carefully though, to avoid logging passwords
2017-11-01 13:58:01 +00:00
74c56f794c
Break dependency of auth_handler on device_handler
...
I'm going to need to make the device_handler depend on the auth_handler, so I
need to break this dependency to avoid a cycle.
It turns out that the auth_handler was only using the device_handler in one
place which was an edge case which we can more elegantly handle by throwing an
error rather than fixing it up.
2017-11-01 10:27:06 +00:00
1b65ae00ac
Refactor some logic from LoginRestServlet into AuthHandler
...
I'm going to need some more flexibility in handling login types in password
auth providers, so as a first step, move some stuff from LoginRestServlet into
AuthHandler.
In particular, we pass everything other than SAML, JWT and token logins down to
the AuthHandler, which now has responsibility for checking the login type and
fishing the password out of the login dictionary, as well as qualifying the
user_id if need be. Ideally SAML, JWT and token would go that way too, but
there's no real need for it right now and I'm trying to minimise impact.
This commit *should* be non-functional.
2017-10-31 10:48:41 +00:00
631d7b87b5
Remove pointless create() method
...
It just calls the constructor, so we may as well kill it rather than having
random codepaths.
2017-10-20 22:14:55 +01:00
0ad44acb5a
Merge pull request #1997 from matrix-org/dbkr/cas_partialdownload
...
Handle PartialDownloadError in CAS login
2017-03-15 13:52:34 +00:00
1ece06273e
Handle PartialDownloadError in CAS login
2017-03-14 13:37:36 +00:00
73a5f06652
Support registration / login with phone number
...
Changes from https://github.com/matrix-org/synapse/pull/1971
2017-03-13 17:27:51 +00:00
7eae6eaa2f
Revert "Support registration & login with phone number"
2017-03-13 09:59:33 +00:00
727124a762
Not any more, it doesn't
2017-03-08 19:00:23 +00:00
65d43f3ca5
Minor fixes from PR feedback
2017-03-08 11:48:43 +00:00
88df6c0c9a
Factor out msisdn canonicalisation
...
Plus a couple of other minor fixes
2017-03-08 11:03:39 +00:00
402a7bf63d
Fix pep8
2017-03-08 09:33:40 +00:00
00466e2feb
Support new login format
...
https://docs.google.com/document/d/1-6ZSSW5YvCGhVFDyD2QExAUAdpCWjccvJT5xiyTTG2Y/edit#
2017-03-07 16:37:23 +00:00
51adaac953
Fix email push in pusher worker
...
This was broken when device list updates were implemented, as Mailer
could no longer instantiate an AuthHandler due to a dependency on
federation sending.
2017-02-02 10:53:36 +00:00
8c5009b628
Lowercase all email addresses before querying db
...
Since we store all emails in the DB in lowercase
(https://github.com/matrix-org/synapse/pull/1170 )
2017-01-18 13:25:56 +00:00
5c4edc83b5
Stop generating refresh tokens
...
Since we're not doing refresh tokens any more, we should start killing off the
dead code paths. /tokenrefresh itself is a bit of a thornier subject, since
there might be apps out there using it, but we can at least not generate
refresh tokens on new logins.
2016-11-28 10:13:01 +00:00
29205e9596
Conform better to the CAS protocol specification
...
Redirect to CAS's /login endpoint properly, and
don't require an <attributes> element.
Signed-off-by: Shell Turner <cam.turn@gmail.com>
2016-09-09 21:20:14 +01:00
866a5320de
Dont invoke get_handlers fromClientV1RestServlet
...
hs.get_handlers() can not be invoked from split out processes. Moving
the invocations down a level means that we can slowly split out
individual servlets.
2016-08-12 10:03:19 +01:00
cd41c6ece2
Merge pull request #995 from matrix-org/rav/clean_up_cas_login
...
Clean up CAS login code
2016-08-09 10:21:56 +01:00
65666fedd5
Clean up CAS login code
...
Remove some apparently unused code.
Clean up parse_cas_response, mostly to catch the exception if the CAS response
isn't valid XML.
2016-08-08 17:17:25 +01:00
0682ca04b3
Fix CAS login
...
Attempting to log in with CAS was giving a 500 error.
2016-08-08 17:01:30 +01:00
436bffd15f
Implement deleting devices
2016-07-26 07:35:48 +01:00
f863a52cea
Add device_id support to /login
...
Add a 'devices' table to the storage, as well as a 'device_id' column to
refresh_tokens.
Allow the client to pass a device_id, and initial_device_display_name, to
/login. If login is successful, then register the device in the devices table
if it wasn't known already. If no device_id was supplied, make one up.
Associate the device_id with the access token and refresh token, so that we can
get at it again later. Ensure that the device_id is copied from the refresh
token to the access_token when the token is refreshed.
2016-07-18 16:39:44 +01:00
dcfd71aa4c
Refactor login flow
...
Make sure that we have the canonical user_id *before* calling
get_login_tuple_for_user_id.
Replace login_with_password with a method which just validates the password,
and have the caller call get_login_tuple_for_user_id. This brings the password
flow into line with the other flows, and will give us a place to register the
device_id if necessary.
2016-07-18 15:23:54 +01:00
4a10510cd5
Split out the auth handler
2016-06-02 13:31:45 +01:00
52ecbc2843
Make pyjwt dependency optional
2016-04-25 14:30:15 +01:00
565c2edb0a
Fix issues with JWT login
2016-04-21 18:10:48 +02:00
3f9948a069
Add JWT support
2016-03-29 14:36:36 +02:00
b7dbe5147a
Add a parse_json_object function
...
to deduplicate all the copy+pasted _parse_json functions. Also document
the parse_.* functions.
2016-03-09 11:26:26 +00:00
7076082ae6
Fix relative imports so they work in both py3 and py27
2016-03-08 11:45:50 +00:00
239badea9b
Use syntax that works on both py2.7 and py3
2016-03-07 20:13:10 +00:00
87acd8fb07
Fix to appease the PEP8 dragon
2016-02-26 12:05:38 +01:00
a53774721a
Add error codes for malformed/bad JSON in /login
...
Signed-off-by: Gergely Polonkai <gergely@polonkaieu>
2016-02-26 10:22:35 +01:00
58c9f20692
Catch the exceptions thrown by twisted when you write to a closed connection
2016-02-12 13:46:59 +00:00
d83d004ccd
Fix flake8 warnings for new flake8
2016-02-02 17:18:50 +00:00
6c28ac260c
copyrights
2016-01-07 04:26:29 +00:00
32d9fd0b26
Expose /login under r0
...
The spec says /login should be available at r0 and 'unstable', so make it so.
2016-01-02 17:24:28 +00:00
872c134807
Update endpoints to reflect current spec
2015-12-02 15:45:04 +00:00
37b2d69bbc
Reuse a single http client, rather than creating new ones
2015-12-02 11:36:02 +00:00
14d7acfad4
Host /unstable and /r0 versions of r0 APIs
2015-12-01 17:34:32 +00:00
e3dae653e8
Comment
2015-11-20 14:05:22 +00:00
37de8a7f4a
Remove m.login.token from advertised flows.
2015-11-19 16:16:49 +00:00
ffdc8e5e1c
Snakes not camels
2015-11-11 14:26:47 +00:00
2b779af10f
Minor review fixes
2015-11-11 11:21:43 +00:00
414a4a71b4
Allow hs to do CAS login completely and issue the client with a login token that can be redeemed for the usual successful login response
2015-11-05 14:06:48 +00:00
259d10f0e4
Merge branch 'release-v0.10.1' of github.com:matrix-org/synapse into develop
2015-10-23 11:11:56 +01:00
5025ba959f
Add config option to disable password login
2015-10-22 10:37:04 +01:00
ede07434e0
Use 403 and message to match handlers/auth
2015-10-21 09:42:07 +01:00
b02a342750
Don't 500 when the email doesn't map to a valid user ID.
2015-10-20 11:07:50 +01:00
1a934e8bfd
synapse.client.v1.login.LoginFallbackRestServlet and synapse.client.v1.login.PasswordResetRestServlet are unused
2015-10-15 11:09:57 +01:00
739464fbc5
Add a comment to clarify why we split on closing curly brace when reading CAS attribute tags
2015-10-12 16:02:17 +01:00
83b464e4f7
Unpack dictionary in for loop for nicer syntax
2015-10-12 15:05:34 +01:00
7f8fdc9814
Remove not required parenthesis
2015-10-12 14:45:24 +01:00
01a5f1991c
Support multiple required attributes in CAS response, and in a nicer config format too
2015-10-12 14:43:17 +01:00
76421c496d
Allow optional config params for a required attribute and it's value, if specified any CAS user must have the given attribute and the value must equal
2015-10-12 11:11:49 +01:00
7845f62c22
Parse both user and attributes from CAS response
2015-10-12 10:55:13 +01:00
95f7661170
Raise LoginError if CasResponse doensn't contain user
2015-10-10 10:54:19 +01:00
a9c299c0be
Fix my broken line splitting
2015-10-10 10:54:19 +01:00
e52f4dc599
Use UserId to create FQ user id
2015-10-10 10:54:19 +01:00
625e13bfde
Add get_raw method to SimpleHttpClient, use this in CAS auth rather than requests
2015-10-10 10:54:19 +01:00
22112f8d14
Formatting changes
2015-10-10 10:49:42 +01:00
c33f5c1a24
Provide ability to login using CAS
2015-10-10 10:49:42 +01:00
d3c0e48859
Merge erikj/user_dedup to develop
2015-08-26 13:42:45 +01:00
21b71b6d7c
Return fully qualified user_id as per spec
2015-08-20 21:54:53 +01:00
e8cf77fa49
Merge branch 'develop' into refresh
...
Conflicts:
synapse/rest/client/v1/login.py
2015-08-20 16:25:40 +01:00
cecbd636e9
/tokenrefresh POST endpoint
...
This allows refresh tokens to be exchanged for (access_token,
refresh_token).
It also starts issuing them on login, though no clients currently
interpret them.
2015-08-20 16:21:35 +01:00
4cf302de5b
Comma comma comma comma comma chameleon
2015-08-20 10:31:18 +01:00
c50ad14bae
Merge branch 'develop' into email_login
2015-08-20 10:16:01 +01:00
415c2f0549
Simplify LoginHander and AuthHandler
...
* Merge LoginHandler -> AuthHandler
* Add a bunch of documentation
* Improve some naming
* Remove unused branches
I will start merging the actual logic of the two handlers shortly
2015-08-12 15:49:37 +01:00
185ac7ee6c
Allow sign in using email address
2015-08-04 16:29:54 +01:00
f3049d0b81
Small tweaks to SAML2 configuration.
...
- Add saml2 config docs to default config.
- Use existence of saml2 config to indicate if saml2 should be enabled.
2015-07-10 10:50:14 +01:00
8cd34dfe95
Make SAML2 optional and add some references/comments
2015-07-09 13:34:47 +05:30
d2caa5351a
code beautify
2015-07-09 12:58:15 +05:30
77c5db5977
code beautify
2015-07-08 16:05:20 +05:30
81682d0f82
Integrate SAML2 basic authentication - uses pysaml2
2015-07-08 15:36:54 +05:30
4ebbaf0d43
Blunty replace json with simplejson
2015-02-11 14:23:10 +00:00
4be637cb12
Extract the client v1 base RestServlet to a separate class
2015-01-23 14:09:51 +00:00
Amber Brown