MatrixSynapse

Commit Graph

Author	SHA1	Message	Date
Patrick Cloke	acea4d7a2f	Add missing types to tests.util. (#14597 ) Removes files under tests.util from the ignored by list, then fully types all tests/util/*.py files.	2022-12-02 17:58:56 +00:00
Quentin Gliech	8756d5c87e	Save login tokens in database (#13844 ) * Save login tokens in database Signed-off-by: Quentin Gliech <quenting@element.io> * Add upgrade notes * Track login token reuse in a Prometheus metric Signed-off-by: Quentin Gliech <quenting@element.io>	2022-10-26 11:45:41 +01:00
Quentin Gliech	fe1daad672	Move the "email unsubscribe" resource, refactor the macaroon generator & simplify the access token verification logic. (#12986 ) This simplifies the access token verification logic by removing the `rights` parameter which was only ever used for the unsubscribe link in email notifications. The latter has been moved under the `/_synapse` namespace, since it is not a standard API. This also makes the email verification link more secure, by embedding the app_id and pushkey in the macaroon and verifying it. This prevents the user from tampering the query parameters of that unsubscribe link. Macaroon generation is refactored: - Centralised all macaroon generation and verification logic to the `MacaroonGenerator` - Moved to `synapse.utils` - Changed the constructor to require only a `Clock`, hostname, and a secret key (instead of a full `Homeserver`). - Added tests for all methods.	2022-06-14 09:12:08 -04:00

Author

SHA1

Message

Date

Patrick Cloke

acea4d7a2f

Add missing types to tests.util. (#14597 )

Removes files under tests.util from the ignored by list, then
fully types all tests/util/*.py files.

2022-12-02 17:58:56 +00:00

Quentin Gliech

8756d5c87e

Save login tokens in database (#13844 )

* Save login tokens in database

Signed-off-by: Quentin Gliech <quenting@element.io>

* Add upgrade notes

* Track login token reuse in a Prometheus metric

Signed-off-by: Quentin Gliech <quenting@element.io>

2022-10-26 11:45:41 +01:00

Quentin Gliech

fe1daad672

Move the "email unsubscribe" resource, refactor the macaroon generator & simplify the access token verification logic. (#12986 )

This simplifies the access token verification logic by removing the `rights`
parameter which was only ever used for the unsubscribe link in email
notifications. The latter has been moved under the `/_synapse` namespace,
since it is not a standard API.

This also makes the email verification link more secure, by embedding the
app_id and pushkey in the macaroon and verifying it. This prevents the user
from tampering the query parameters of that unsubscribe link.

Macaroon generation is refactored:

- Centralised all macaroon generation and verification logic to the
  `MacaroonGenerator`
- Moved to `synapse.utils`
- Changed the constructor to require only a `Clock`, hostname, and a secret key
  (instead of a full `Homeserver`).
- Added tests for all methods.

2022-06-14 09:12:08 -04:00

3 Commits (acea4d7a2ff61b5beda420b54a8451088060a8cd)