Brendan Abolivier
651ad8bc96
Add ratelimiting on failed login attempts ( #4865 )
2019-03-18 12:57:20 +00:00
Brendan Abolivier
899e523d6d
Add ratelimiting on login ( #4821 )
...
Add two ratelimiters on login (per-IP address and per-userID).
2019-03-15 17:46:16 +00:00
Richard van der Hoff
c588b9b9e4
Factor SSO success handling out of CAS login ( #4264 )
...
This is mostly factoring out the post-CAS-login code to somewhere we can reuse
it for other SSO flows, but it also fixes the userid mapping while we're at it.
2018-12-07 13:10:07 +01:00
Travis Ralston
ab4526a153
Remove duplicate slashes in generated consent URLs
2018-11-15 20:41:53 -07:00
Travis Ralston
0f5e51f726
Add config variables for enabling terms auth and the policy name ( #4142 )
...
So people can still collect consent the old way if they want to.
2018-11-06 10:32:34 +00:00
Travis Ralston
a8d41c6aff
Include a version query string arg for the consent route
2018-10-31 13:19:28 -06:00
Travis Ralston
54def42c19
Merge branch 'develop' into travis/login-terms
2018-10-24 13:22:59 -06:00
Richard van der Hoff
5c445114d3
Correctly account for cpu usage by background threads ( #4074 )
...
Wrap calls to deferToThread() in a thing which uses a child logcontext to
attribute CPU usage to the right request.
While we're in the area, remove the logcontext_tracer stuff, which is never
used, and afaik doesn't work.
Fixes #4064
2018-10-23 13:12:32 +01:00
Travis Ralston
a8ed93a4b5
pep8
2018-10-15 16:10:29 -06:00
Travis Ralston
442734ff9e
Ensure the terms params are actually provided
2018-10-15 14:56:13 -06:00
Travis Ralston
762a0982aa
Python is hard
2018-10-15 14:46:09 -06:00
Travis Ralston
dd99db846d
Update login terms structure for the proposed language support
2018-10-12 18:03:27 -06:00
Travis Ralston
537d0b7b36
Use a flag rather than a new route for the public policy
...
This also means that the template now has optional parameters, which will need to be documented somehow.
2018-10-03 17:50:11 -06:00
Travis Ralston
149c4f1765
Supply params for terms auth stage
...
As per https://github.com/matrix-org/matrix-doc/pull/1692
2018-10-03 15:57:42 -06:00
Travis Ralston
fd99787162
Incorporate Dave's work for GDPR login flows
...
As per https://github.com/vector-im/riot-web/issues/7168#issuecomment-419996117
2018-10-03 15:57:42 -06:00
Amber Brown
2608ebc04c
Port handlers/ to Python 3 ( #3803 )
2018-09-07 00:22:23 +10:00
Neil Johnson
86a00e05e1
Merge branch 'develop' of github.com:matrix-org/synapse into neilj/fix_off_by_1+maus
2018-08-15 16:27:08 +01:00
Erik Johnston
fef2e65d12
Merge pull request #3667 from matrix-org/erikj/fixup_unbind
...
Don't fail requests to unbind 3pids for non supporting ID servers
2018-08-15 10:32:12 +01:00
Neil Johnson
ed4bc3d2fc
fix off by 1s on mau
2018-08-14 15:04:48 +01:00
Erik Johnston
360ba89c50
Don't fail requests to unbind 3pids for non supporting ID servers
...
Older identity servers may not support the unbind 3pid request, so we
shouldn't fail the requests if we received one of 400/404/501. The
request still fails if we receive e.g. 500 responses, allowing clients
to retry requests on transient identity server errors that otherwise do
support the API.
Fixes #3661
2018-08-08 12:06:18 +01:00
Neil Johnson
886be75ad1
bug fixes
2018-08-03 22:29:03 +01:00
Neil Johnson
74b1d46ad9
do mau checks based on monthly_active_users table
2018-08-02 16:57:35 +01:00
Neil Johnson
085435e13a
Merge pull request #3630 from matrix-org/neilj/mau_sign_in_log_in_limits
...
Initial impl of capping MAU
2018-08-01 15:58:45 +00:00
Amber Brown
da7785147d
Python 3: Convert some unicode/bytes uses ( #3569 )
2018-08-02 00:54:06 +10:00
Neil Johnson
0aba3d361a
count_monthly_users() async
2018-08-01 11:47:58 +01:00
Neil Johnson
df2235e7fa
coding style
2018-07-31 13:16:20 +01:00
Neil Johnson
251e6c1210
limit register and sign in on number of monthly users
2018-07-30 15:55:57 +01:00
Amber Brown
49af402019
run isort
2018-07-09 16:09:20 +10:00
Amber Brown
6350bf925e
Attempt to be more performant on PyPy ( #3462 )
2018-06-28 14:49:57 +01:00
Amber Brown
77ac14b960
Pass around the reactor explicitly ( #3385 )
2018-06-22 09:37:10 +01:00
Amber Brown
a61738b316
Remove run_on_reactor ( #3395 )
2018-06-14 18:27:37 +10:00
David Baker
187a546bff
Merge pull request #3276 from matrix-org/dbkr/unbind
...
Remove email addresses / phone numbers from ID servers when they're removed from synapse
2018-06-11 16:02:00 +01:00
David Baker
e44150a6de
Missing yield
2018-06-04 12:01:13 +01:00
Amber Brown
c936a52a9e
Consistently use six's iteritems and wrap lazy keys/values in list() if they're not meant to be lazy ( #3307 )
2018-05-31 19:03:47 +10:00
David Baker
9700d15611
pep8
2018-05-24 11:23:15 +01:00
David Baker
b3bff53178
Unbind 3pids when they're deleted too
2018-05-24 11:08:05 +01:00
Krombel
ed9b5eced4
use bcrypt.checkpw
...
in bcrypt 3.1.0 checkpw got introduced (already 2 years ago)
This makes use of that with enhancements which might get introduced
by that
Signed-Off-by: Matthias Kesler <krombel@krombel.de>
2018-03-05 18:02:59 +01:00
Erik Johnston
825a07a974
Merge pull request #2773 from matrix-org/erikj/hash_bg
...
Do bcrypt hashing in a background thread
2018-01-10 18:11:41 +00:00
Erik Johnston
f8e1ab5fee
Do bcrypt hashing in a background thread
2018-01-10 18:01:28 +00:00
Richard van der Hoff
da1010c83a
support custom login types for validating users
...
Wire the custom login type support from password providers into the UI-auth
user-validation flows.
2017-12-05 09:43:30 +00:00
Richard van der Hoff
d7ea8c4800
Factor out a validate_user_via_ui_auth method
...
Collect together all the places that validate a logged-in user via UI auth.
2017-12-05 09:42:30 +00:00
Richard van der Hoff
d5f9fb06b0
Refactor UI auth implementation
...
Instead of returning False when auth is incomplete, throw an exception which
can be caught with a wrapper.
2017-12-05 09:40:05 +00:00
Richard van der Hoff
ae31f8ce45
Move set_password into its own handler
...
Non-functional refactoring to move set_password. This means that we'll be able
to properly deactivate devices and access tokens without introducing a
dependency loop.
2017-11-29 16:44:35 +00:00
Richard van der Hoff
7ca5c68233
Move deactivate_account into its own handler
...
Non-functional refactoring to move deactivate_account. This means that we'll be
able to properly deactivate devices and access tokens without introducing a
dependency loop.
2017-11-29 16:44:35 +00:00
Richard van der Hoff
2c6d63922a
Remove pushers when deleting access tokens
...
Whenever an access token is invalidated, we should remove the associated
pushers.
2017-11-29 16:44:35 +00:00
Jurek
624a8bbd67
Fix auth handler #2678
2017-11-16 17:19:02 +00:00
Richard van der Hoff
1189be43a2
Factor _AccountHandler proxy out to ModuleApi
...
We're going to need to use this from places that aren't password auth, so let's
move it to a proper class.
2017-11-02 14:36:11 +00:00
David Baker
b19d9e2174
Merge pull request #2624 from matrix-org/rav/password_provider_notify_logout
...
Notify auth providers on logout
2017-11-02 10:55:17 +00:00
David Baker
1f080a6c97
Merge pull request #2623 from matrix-org/rav/callbacks_for_auth_providers
...
Allow password_auth_providers to return a callback
2017-11-02 10:49:03 +00:00
David Baker
04897c9dc1
Merge pull request #2622 from matrix-org/rav/db_access_for_auth_providers
...
Let auth providers get to the database
2017-11-02 10:41:25 +00:00
Richard van der Hoff
979eed4362
Fix user-interactive password auth
...
this got broken in the previous commit
2017-11-01 17:03:20 +00:00
Richard van der Hoff
bc8a5c0330
Notify auth providers on logout
...
Provide a hook by which auth providers can be notified of logouts.
2017-11-01 16:51:51 +00:00
Richard van der Hoff
4c8f94ac94
Allow password_auth_providers to return a callback
...
... so that they have a way to record access tokens.
2017-11-01 16:51:03 +00:00
Richard van der Hoff
846a94fbc9
Merge pull request #2620 from matrix-org/rav/auth_non_password
...
Let password auth providers handle arbitrary login types
2017-11-01 16:45:33 +00:00
Richard van der Hoff
3cd6b22c7b
Let password auth providers handle arbitrary login types
...
Provide a hook where password auth providers can say they know about other
login types, and get passed the relevant parameters
2017-11-01 16:43:57 +00:00
David Baker
4f0488b307
Merge remote-tracking branch 'origin/develop' into rav/refactor_accesstoken_delete
2017-11-01 16:20:19 +00:00
Richard van der Hoff
dd13310fb8
Move access token deletion into auth handler
...
Also move duplicated deactivation code into the auth handler.
I want to add some hooks when we deactivate an access token, so let's bring it
all in here so that there's somewhere to put it.
2017-11-01 15:46:22 +00:00
Richard van der Hoff
74c56f794c
Break dependency of auth_handler on device_handler
...
I'm going to need to make the device_handler depend on the auth_handler, so I
need to break this dependency to avoid a cycle.
It turns out that the auth_handler was only using the device_handler in one
place which was an edge case which we can more elegantly handle by throwing an
error rather than fixing it up.
2017-11-01 10:27:06 +00:00
Richard van der Hoff
3e0aaad190
Let auth providers get to the database
...
Somewhat open to abuse, but also somewhat unavoidable :/
2017-10-31 17:22:29 +00:00
Richard van der Hoff
1b65ae00ac
Refactor some logic from LoginRestServlet into AuthHandler
...
I'm going to need some more flexibility in handling login types in password
auth providers, so as a first step, move some stuff from LoginRestServlet into
AuthHandler.
In particular, we pass everything other than SAML, JWT and token logins down to
the AuthHandler, which now has responsibility for checking the login type and
fishing the password out of the login dictionary, as well as qualifying the
user_id if need be. Ideally SAML, JWT and token would go that way too, but
there's no real need for it right now and I'm trying to minimise impact.
This commit *should* be non-functional.
2017-10-31 10:48:41 +00:00
Richard van der Hoff
785bd7fd75
Allow ASes to deactivate their own users
2017-10-27 00:01:00 +01:00
Richard van der Hoff
631d7b87b5
Remove pointless create() method
...
It just calls the constructor, so we may as well kill it rather than having
random codepaths.
2017-10-20 22:14:55 +01:00
Erik Johnston
c72058bcc6
Use an ExpiringCache for storing registration sessions
...
This is because pruning them was a significant performance drain on
matrix.org
2017-06-29 14:08:37 +01:00
David Baker
73a5f06652
Support registration / login with phone number
...
Changes from https://github.com/matrix-org/synapse/pull/1971
2017-03-13 17:27:51 +00:00
Erik Johnston
7eae6eaa2f
Revert "Support registration & login with phone number"
2017-03-13 09:59:33 +00:00
David Baker
0e0aee25c4
Fix log line
2017-03-08 11:46:22 +00:00
David Baker
88df6c0c9a
Factor out msisdn canonicalisation
...
Plus a couple of other minor fixes
2017-03-08 11:03:39 +00:00
David Baker
402a7bf63d
Fix pep8
2017-03-08 09:33:40 +00:00
David Baker
ad882cd54d
Just return the deferred straight off
...
defer.returnValue doth not maketh a generator: it would need a
yield to be a generator, and this doesn't need a yield.
2017-03-01 18:08:51 +00:00
David Baker
ce3e583d94
WIP support for msisdn 3pid proxy methods
2017-02-14 15:05:55 +00:00
Erik Johnston
51adaac953
Fix email push in pusher worker
...
This was broken when device list updates were implemented, as Mailer
could no longer instantiate an AuthHandler due to a dependency on
federation sending.
2017-02-02 10:53:36 +00:00
David Baker
84cf00c645
Fix another comment typo
2016-12-21 09:51:43 +00:00
David Baker
0c88ab1844
Add /account/3pid/delete endpoint
...
Also fix a typo in a comment
2016-12-20 18:27:30 +00:00
Matthew Hodgson
f2a5aebf98
fix ability to change password to a non-ascii one
...
https://github.com/vector-im/riot-web/issues/2658
2016-12-18 22:25:21 +00:00
Erik Johnston
338df4f409
Merge pull request #1649 from matrix-org/dbkr/log_ui_auth_args
...
Log the args that we have on UI auth completion
2016-12-05 16:40:58 +00:00
Richard van der Hoff
aa09d6b8f0
Rip out more refresh_token code
...
We might as well treat all refresh_tokens as invalid. Just return a 403 from
/tokenrefresh, so that we don't have a load of dead, untestable code hanging
around.
Still TODO: removing the table from the schema.
2016-11-30 17:40:18 +00:00
Richard van der Hoff
dc4b23e1a1
Merge branch 'develop' into rav/no_more_refresh_tokens
2016-11-30 17:10:04 +00:00
Richard van der Hoff
1c4f05db41
Stop putting a time caveat on access tokens
...
The 'time' caveat on the access tokens was something of a lie, since we weren't
enforcing it; more pertinently its presence stops us ever adding useful time
caveats.
Let's move in the right direction by not lying in our caveats.
2016-11-29 16:49:41 +00:00
Richard van der Hoff
5c4edc83b5
Stop generating refresh tokens
...
Since we're not doing refresh tokens any more, we should start killing off the
dead code paths. /tokenrefresh itself is a bit of a thornier subject, since
there might be apps out there using it, but we can at least not generate
refresh tokens on new logins.
2016-11-28 10:13:01 +00:00
David Baker
c9d4e7b716
Clarify that creds doesn not contain passwords.
2016-11-24 10:54:59 +00:00
David Baker
f681aab895
Log the args that we have on UI auth completion
...
This will be super helpful for debugging if we have more
registration woes.
2016-11-24 10:11:45 +00:00
Erik Johnston
d56c39cf24
Use external ldap auth pacakge
2016-11-15 13:03:19 +00:00
David Baker
9084720993
Don't error on non-ascii passwords
2016-11-03 10:42:14 +00:00
David Baker
df2a616c7b
Convert emails to lowercase when storing
...
And db migration sql to convert existing addresses.
2016-10-19 11:13:55 +01:00
Erik Johnston
35e2cc8b52
Merge pull request #1155 from matrix-org/erikj/pluggable_pwd_auth
...
Implement pluggable password auth
2016-10-12 11:41:20 +01:00
Richard van der Hoff
fa74fcf512
Work around email-spamming Riot bug
...
5d9546f9
introduced a change to synapse behaviour, in that failures in the
interactive-auth process would return the flows and params data as well as an
error code (as specced in https://github.com/matrix-org/matrix-doc/pull/397 ).
That change exposed a bug in Riot which would make it request a new validation
token (and send a new email) each time it got a 401 with a `flows` parameter
(see https://github.com/vector-im/vector-web/issues/2447 and the fix at
https://github.com/matrix-org/matrix-react-sdk/pull/510 ).
To preserve compatibility with broken versions of Riot, grandfather in the old
behaviour for the email validation stage.
2016-10-11 11:34:40 +01:00
Richard van der Hoff
8681aff4f1
Merge pull request #1160 from matrix-org/rav/401_on_password_fail
...
Interactive Auth: Return 401 from for incorrect password
2016-10-07 10:57:43 +01:00
Richard van der Hoff
5d9546f9f4
Interactive Auth: Return 401 from for incorrect password
...
This requires a bit of fettling, because I want to return a helpful error
message too but we don't want to distinguish between unknown user and invalid
password. To avoid hardcoding the error message into 15 places in the code,
I've had to refactor a few methods to return None instead of throwing.
Fixes https://matrix.org/jira/browse/SYN-744
2016-10-07 00:00:00 +01:00
Erik Johnston
850b103b36
Implement pluggable password auth
...
Allows delegating the password auth to an external module. This also
moves the LDAP auth to using this system, allowing it to be removed from
the synapse tree entirely in the future.
2016-10-03 10:36:40 +01:00
Martin Weinelt
3027ea22b0
Restructure ldap authentication
...
- properly parse return values of ldap bind() calls
- externalize authentication methods
- change control flow to be more error-resilient
- unbind ldap connections in many places
- improve log messages and loglevels
2016-09-29 15:30:08 +01:00
Erik Johnston
dc3a00f24f
Refactor user_delete_access_tokens. Invalidate get_user_by_access_token to slaves.
2016-08-15 17:04:39 +01:00
Daniel Ehlers
dfaf0fee31
Log the value which is observed in the first place.
...
The name 'result' is of bool type and has no len property,
resulting in a TypeError. Futhermore in the flow control
conn.response is observed and hence should be reported.
Signed-off-by: Daniel Ehlers <sargon@toppoint.de>
2016-08-14 16:49:05 +02:00
Daniel Ehlers
e380538b59
Fix AttributeError when bind_dn is not defined.
...
In case one does not define bind_dn in ldap configuration, filter
attribute is not declared. Since auth code only uses ldap_filter attribute
when according LDAP mode is selected, it is safe to only declare the
attribute in that case.
Signed-off-by: Daniel Ehlers <sargon@toppoint.de>
2016-08-14 16:48:33 +02:00
Richard van der Hoff
79ebfbe7c6
/login: Respond with a 403 when we get an invalid m.login.token
2016-08-09 16:29:28 +01:00
Richard van der Hoff
6fe6a6f029
Fix login with m.login.token
...
login with token (as used by CAS auth) was broken by 067596d
, such that it
always returned a 401.
2016-08-08 16:40:39 +01:00
Richard van der Hoff
436bffd15f
Implement deleting devices
2016-07-26 07:35:48 +01:00
David Baker
7ed58bb347
Use get to avoid KeyErrors
2016-07-22 17:18:50 +01:00
David Baker
dad2da7e54
Log the hostname the reCAPTCHA was completed on
...
This could be useful information to have in the logs. Also comment about how & why we don't verify the hostname.
2016-07-22 17:00:56 +01:00
Richard van der Hoff
3413f1e284
Type annotations
...
Add some type annotations to help PyCharm (in particular) to figure out the
types of a bunch of things.
2016-07-19 18:56:16 +01:00
Richard van der Hoff
f863a52cea
Add device_id support to /login
...
Add a 'devices' table to the storage, as well as a 'device_id' column to
refresh_tokens.
Allow the client to pass a device_id, and initial_device_display_name, to
/login. If login is successful, then register the device in the devices table
if it wasn't known already. If no device_id was supplied, make one up.
Associate the device_id with the access token and refresh token, so that we can
get at it again later. Ensure that the device_id is copied from the refresh
token to the access_token when the token is refreshed.
2016-07-18 16:39:44 +01:00
Richard van der Hoff
dcfd71aa4c
Refactor login flow
...
Make sure that we have the canonical user_id *before* calling
get_login_tuple_for_user_id.
Replace login_with_password with a method which just validates the password,
and have the caller call get_login_tuple_for_user_id. This brings the password
flow into line with the other flows, and will give us a place to register the
device_id if necessary.
2016-07-18 15:23:54 +01:00
Negar Fazeli
0136a522b1
Bug fix: expire invalid access tokens
2016-07-13 15:00:37 +02:00
Kent Shikama
14362bf359
Fix password config
2016-07-05 19:12:53 +09:00
Kent Shikama
1ee2584307
Fix pep8
2016-07-05 19:01:00 +09:00
Kent Shikama
8bdaf5f7af
Add pepper to password hashing
...
Signed-off-by: Kent Shikama <kent@kentshikama.com>
2016-07-05 02:13:52 +09:00
Martin Weinelt
0a32208e5d
Rework ldap integration with ldap3
...
Use the pure-python ldap3 library, which eliminates the need for a
system dependency.
Offer both a `search` and `simple_bind` mode, for more sophisticated
ldap scenarios.
- `search` tries to find a matching DN within the `user_base` while
employing the `user_filter`, then tries the bind when a single
matching DN was found.
- `simple_bind` tries the bind against a specific DN by combining the
localpart and `user_base`
Offer support for STARTTLS on a plain connection.
The configuration was changed to reflect these new possibilities.
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
2016-06-22 17:51:59 +02:00
Salvatore LaMendola
ed5f43a55a
Fix TypeError in call to bcrypt.hashpw
...
- At the very least, this TypeError caused logins to fail on my own
running instance of Synapse, and the simple (explicit) UTF-8
conversion resolved login errors for me.
Signed-off-by: Salvatore LaMendola <salvatore.lamendola@gmail.com>
2016-06-16 00:43:42 -04:00
David Baker
a15ad60849
Email unsubscribing that may in theory, work
...
Were it not for that fact that you can't use the base handler in the pusher because it pulls in the world. Comitting while I fix that on a different branch.
2016-06-02 11:44:15 +01:00
Erik Johnston
cc84f7cb8e
Send down correct error response if user not found
2016-05-27 10:35:15 +01:00
Erik Johnston
99b5a2e560
Merge pull request #741 from negzi/create_user_with_expiry
...
Create user with expiry
2016-05-13 14:46:53 +01:00
Negi Fazeli
40aa6e8349
Create user with expiry
...
- Add unittests for client, api and handler
Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
2016-05-13 15:34:15 +02:00
Erik Johnston
1400bb1663
Correctly handle NULL password hashes from the database
2016-05-11 12:06:02 +01:00
Erik Johnston
6fd2f685fe
Simplify _check_password
2016-04-15 11:17:18 +01:00
Mark Haines
3c79bdd7a0
Fix check_password rather than inverting the meaning of _check_local_password ( #730 )
2016-04-14 19:00:21 +01:00
David Baker
4c1b32d7e2
Fix login to error for nonexistent users
...
Fixes SYN-680
2016-04-14 18:28:42 +01:00
Christoph Witzany
ed4d18f516
fix check for failed authentication
2016-04-06 18:30:11 +02:00
Christoph Witzany
9c62fcdb68
remove line
2016-04-06 18:23:46 +02:00
Christoph Witzany
27a0c21c38
make tests for ldap more specific to not be fooled by Mocks
2016-04-06 18:23:46 +02:00
Christoph Witzany
3555a659ec
output ldap version for info and to pacify pep8
2016-04-06 18:23:46 +02:00
Christoph Witzany
4c5e8adf8b
conditionally import ldap
2016-04-06 18:23:46 +02:00
Christoph Witzany
875ed05bdc
fix pep8
2016-04-06 18:23:46 +02:00
Christoph Witzany
67f3a50e9a
fix exception handling
2016-04-06 18:23:46 +02:00
Christoph Witzany
afff321e9a
code style
2016-04-06 18:23:46 +02:00
Christoph Witzany
823b8be4b7
add tls property and twist my head around twisted
2016-04-06 18:23:45 +02:00
Christoph Witzany
7b9319b1c8
move LDAP authentication to AuthenticationHandler
2016-04-06 18:23:45 +02:00
Mark Haines
2a37467fa1
Use google style doc strings.
...
pycharm supports them so there is no need to use the other format.
Might as well convert the existing strings to reduce the risk of
people accidentally cargo culting the wrong doc string format.
2016-04-01 16:12:07 +01:00
David Baker
a7daa5ae13
Make registration idempotent, part 2: be idempotent if the client specifies a username.
2016-03-16 19:36:57 +00:00
David Baker
b58d10a875
pep8
2016-03-16 16:22:20 +00:00
David Baker
3ee7d7dc7f
time_msec()
2016-03-16 16:18:52 +00:00
David Baker
3176aebf9d
string with symbols is a bit too symboly.
2016-03-16 15:55:49 +00:00
David Baker
9671e6750c
Replace other time.time().
2016-03-16 15:51:28 +00:00
David Baker
742b6c6d15
Use hs get_clock instead of time.time()
2016-03-16 15:42:35 +00:00
David Baker
99797947aa
pep8 & remove debug logging
2016-03-16 12:51:34 +00:00
David Baker
c12b9d719a
Make registration idempotent: if you specify the same session, make it give you an access token for the user that was registered on previous uses of that session. Tweak the UI auth layer to not delete sessions when their auth has completed and hence expire themn so they don't hang around until server restart. Allow server-side data to be associated with UI auth sessions.
2016-03-16 11:56:24 +00:00
David Baker
af59826a2f
Make select more sensible when dseleting access tokens, rename pusher deletion to match access token deletion and make exception arg optional.
2016-03-11 14:34:09 +00:00
David Baker
f523177850
Delete old, unused methods and rename new one to just be `user_delete_access_tokens` with an `except_token_ids` argument doing what it says on the tin.
2016-03-11 14:29:01 +00:00
David Baker
57c444b3ad
Dear PyCharm, please indent sensibly for me. Thx.
2016-03-11 14:25:05 +00:00
David Baker
aa11db5f11
Fix cache invalidation so deleting access tokens (which we did when changing password) actually takes effect without HS restart. Reinstate the code to avoid logging out the session that changed the password, removed in 415c2f0549
2016-03-11 13:14:18 +00:00
David Baker
ff8b87118d
Stop using checkpw as it seems to have vanished from bcrypt. Use `bcrypt.hashpw(password, hashed) == hashed` as per the bcrypt README.
2016-03-02 18:06:45 +00:00
Daniel Wagner-Hall
cfd07aafff
Allow guests to upgrade their accounts
2016-01-05 18:01:18 +00:00
Daniel Wagner-Hall
248cfd5eb3
Take a boolean not a list of lambdas
2015-11-19 15:16:25 +00:00
Steven Hammerton
2b779af10f
Minor review fixes
2015-11-11 11:21:43 +00:00
Steven Hammerton
dd2eb49385
Share more code between macaroon validation
2015-11-11 11:12:35 +00:00
Steven Hammerton
414a4a71b4
Allow hs to do CAS login completely and issue the client with a login token that can be redeemed for the usual successful login response
2015-11-05 14:06:48 +00:00
Daniel Wagner-Hall
f522f50a08
Allow guests to register and call /events?room_id=
...
This follows the same flows-based flow as regular registration, but as
the only implemented flow has no requirements, it auto-succeeds. In the
future, other flows (e.g. captcha) may be required, so clients should
treat this like the regular registration flow choices.
2015-11-04 17:29:07 +00:00
Mark Haines
f2f031fd57
Add config for how many bcrypt rounds to use for password hashes
...
By default we leave it at the default value of 12. But now we can reduce
it for preparing users for loadtests or running integration tests.
2015-10-16 14:52:08 +01:00
Steven Hammerton
22112f8d14
Formatting changes
2015-10-10 10:49:42 +01:00
Steven Hammerton
c33f5c1a24
Provide ability to login using CAS
2015-10-10 10:49:42 +01:00
Daniel Wagner-Hall
81a93ddcc8
Allow configuration to ignore invalid SSL certs
...
This will be useful for sytest, and sytest only, hence the aggressive
config key name.
2015-09-09 12:02:07 +01:00
Daniel Wagner-Hall
3063383547
Swap out bcrypt for md5 in tests
...
This reduces our ~8 second sequential test time down to ~7 seconds
2015-08-26 15:59:32 +01:00
Daniel Wagner-Hall
d3c0e48859
Merge erikj/user_dedup to develop
2015-08-26 13:42:45 +01:00
Daniel Wagner-Hall
c7788685b0
Fix bad merge
2015-08-20 17:43:12 +01:00
Daniel Wagner-Hall
8c74bd8960
Fix indentation
2015-08-20 17:26:52 +01:00
Daniel Wagner-Hall
ea570ffaeb
Fix flake8 warnings
2015-08-20 17:22:41 +01:00
Daniel Wagner-Hall
d5a825edee
Merge branch 'auth' into refresh
...
Conflicts:
synapse/handlers/register.py
2015-08-20 17:13:33 +01:00
Daniel Wagner-Hall
e8cf77fa49
Merge branch 'develop' into refresh
...
Conflicts:
synapse/rest/client/v1/login.py
2015-08-20 16:25:40 +01:00
Daniel Wagner-Hall
cecbd636e9
/tokenrefresh POST endpoint
...
This allows refresh tokens to be exchanged for (access_token,
refresh_token).
It also starts issuing them on login, though no clients currently
interpret them.
2015-08-20 16:21:35 +01:00
David Baker
ca0d28ef34
Another use of check_password that got missed in the yield fix
2015-08-20 15:35:14 +01:00
Daniel Wagner-Hall
617501dd2a
Move token generation to auth handler
...
I prefer the auth handler to worry about all auth, and register to call
into it as needed, than to smatter auth logic between the two.
2015-08-20 11:35:56 +01:00
Erik Johnston
40da1f200d
Remove an access token log line
2015-08-19 09:41:07 +01:00
Erik Johnston
abc6986a24
Fix regression where we incorrectly responded with a 200 to /login
2015-08-19 09:31:11 +01:00
Daniel Wagner-Hall
5ce903e2f7
Merge password checking implementations
2015-08-12 16:09:19 +01:00
Daniel Wagner-Hall
415c2f0549
Simplify LoginHander and AuthHandler
...
* Merge LoginHandler -> AuthHandler
* Add a bunch of documentation
* Improve some naming
* Remove unused branches
I will start merging the actual logic of the two handlers shortly
2015-08-12 15:49:37 +01:00
David Baker
4da05fa0ae
Add back in support for remembering parameters submitted to a user-interactive auth call.
2015-07-15 19:28:57 +01:00
Mark Haines
784aaa53df
Merge branch 'develop' into markjh/SYT-8-recaptcha
...
Conflicts:
synapse/handlers/auth.py
2015-05-29 13:49:44 +01:00
Mark Haines
d94590ed48
Add config for setting the recaptcha verify api endpoint, so we can test it in sytest
2015-05-29 12:11:40 +01:00
Erik Johnston
afbd3b2fc4
SYN-395: Fix CAPTCHA, don't double decode json
2015-05-28 18:05:00 +01:00
David Baker
1fae1b3166
This api now no longer returns an array
2015-05-01 13:26:41 +01:00
David Baker
412ece18e7
Add commentage.
2015-04-27 14:08:45 +01:00
David Baker
a218619626
Use underscores instead of camelcase for id server stuff
2015-04-24 11:27:38 +01:00
David Baker
f7a79a37be
pep8
2015-04-24 09:42:37 +01:00
David Baker
0eb61a3d16
Remove ultimately unused feature of saving params from the first call in the session: it's probably too open to abuse.
2015-04-23 14:44:12 +01:00
David Baker
8db6832db8
Password reset, finally.
2015-04-17 19:53:47 +01:00
David Baker
ea1776f556
Return user ID in use error straight away
2015-04-16 19:56:44 +01:00
David Baker
766bd8e880
Dummy login so we can do the first POST request to get login flows without it just succeeding
2015-04-15 17:14:25 +01:00
David Baker
a19b739909
Regstration with email in v2
2015-04-15 15:50:38 +01:00
David Baker
e9c908ebc0
Completely replace fallback auth for C/S V2:
...
* Now only the auth part goes to fallback, not the whole operation
* Auth fallback is a normal API endpoint, not a static page
* Params like the recaptcha pubkey can just live in the config
Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 15:05:30 +01:00
David Baker
9f642a93ec
pep8
2015-03-31 09:50:44 +01:00
David Baker
59bf16eddc
New registration for C/S API v2. Only ReCAPTCHA working currently.
2015-03-30 18:13:10 +01:00
David Baker
d98660a60d
Implement password changing (finally) along with a start on making client/server auth more general.
2015-03-23 14:20:28 +00:00