0136a522b1
Bug fix: expire invalid access tokens
2016-07-13 15:00:37 +02:00
14362bf359
Fix password config
2016-07-05 19:12:53 +09:00
1ee2584307
Fix pep8
2016-07-05 19:01:00 +09:00
8bdaf5f7af
Add pepper to password hashing
...
Signed-off-by: Kent Shikama <kent@kentshikama.com>
2016-07-05 02:13:52 +09:00
0a32208e5d
Rework ldap integration with ldap3
...
Use the pure-python ldap3 library, which eliminates the need for a
system dependency.
Offer both a `search` and `simple_bind` mode, for more sophisticated
ldap scenarios.
- `search` tries to find a matching DN within the `user_base` while
employing the `user_filter`, then tries the bind when a single
matching DN was found.
- `simple_bind` tries the bind against a specific DN by combining the
localpart and `user_base`
Offer support for STARTTLS on a plain connection.
The configuration was changed to reflect these new possibilities.
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
2016-06-22 17:51:59 +02:00
ed5f43a55a
Fix TypeError in call to bcrypt.hashpw
...
- At the very least, this TypeError caused logins to fail on my own
running instance of Synapse, and the simple (explicit) UTF-8
conversion resolved login errors for me.
Signed-off-by: Salvatore LaMendola <salvatore.lamendola@gmail.com>
2016-06-16 00:43:42 -04:00
a15ad60849
Email unsubscribing that may in theory, work
...
Were it not for that fact that you can't use the base handler in the pusher because it pulls in the world. Comitting while I fix that on a different branch.
2016-06-02 11:44:15 +01:00
cc84f7cb8e
Send down correct error response if user not found
2016-05-27 10:35:15 +01:00
99b5a2e560
Merge pull request #741 from negzi/create_user_with_expiry
...
Create user with expiry
2016-05-13 14:46:53 +01:00
40aa6e8349
Create user with expiry
...
- Add unittests for client, api and handler
Signed-off-by: Negar Fazeli <negar.fazeli@ericsson.com>
2016-05-13 15:34:15 +02:00
1400bb1663
Correctly handle NULL password hashes from the database
2016-05-11 12:06:02 +01:00
6fd2f685fe
Simplify _check_password
2016-04-15 11:17:18 +01:00
3c79bdd7a0
Fix check_password rather than inverting the meaning of _check_local_password ( #730 )
2016-04-14 19:00:21 +01:00
4c1b32d7e2
Fix login to error for nonexistent users
...
Fixes SYN-680
2016-04-14 18:28:42 +01:00
ed4d18f516
fix check for failed authentication
2016-04-06 18:30:11 +02:00
9c62fcdb68
remove line
2016-04-06 18:23:46 +02:00
27a0c21c38
make tests for ldap more specific to not be fooled by Mocks
2016-04-06 18:23:46 +02:00
3555a659ec
output ldap version for info and to pacify pep8
2016-04-06 18:23:46 +02:00
4c5e8adf8b
conditionally import ldap
2016-04-06 18:23:46 +02:00
875ed05bdc
fix pep8
2016-04-06 18:23:46 +02:00
67f3a50e9a
fix exception handling
2016-04-06 18:23:46 +02:00
afff321e9a
code style
2016-04-06 18:23:46 +02:00
823b8be4b7
add tls property and twist my head around twisted
2016-04-06 18:23:45 +02:00
7b9319b1c8
move LDAP authentication to AuthenticationHandler
2016-04-06 18:23:45 +02:00
2a37467fa1
Use google style doc strings.
...
pycharm supports them so there is no need to use the other format.
Might as well convert the existing strings to reduce the risk of
people accidentally cargo culting the wrong doc string format.
2016-04-01 16:12:07 +01:00
a7daa5ae13
Make registration idempotent, part 2: be idempotent if the client specifies a username.
2016-03-16 19:36:57 +00:00
b58d10a875
pep8
2016-03-16 16:22:20 +00:00
3ee7d7dc7f
time_msec()
2016-03-16 16:18:52 +00:00
3176aebf9d
string with symbols is a bit too symboly.
2016-03-16 15:55:49 +00:00
9671e6750c
Replace other time.time().
2016-03-16 15:51:28 +00:00
742b6c6d15
Use hs get_clock instead of time.time()
2016-03-16 15:42:35 +00:00
99797947aa
pep8 & remove debug logging
2016-03-16 12:51:34 +00:00
c12b9d719a
Make registration idempotent: if you specify the same session, make it give you an access token for the user that was registered on previous uses of that session. Tweak the UI auth layer to not delete sessions when their auth has completed and hence expire themn so they don't hang around until server restart. Allow server-side data to be associated with UI auth sessions.
2016-03-16 11:56:24 +00:00
af59826a2f
Make select more sensible when dseleting access tokens, rename pusher deletion to match access token deletion and make exception arg optional.
2016-03-11 14:34:09 +00:00
f523177850
Delete old, unused methods and rename new one to just be `user_delete_access_tokens` with an `except_token_ids` argument doing what it says on the tin.
2016-03-11 14:29:01 +00:00
57c444b3ad
Dear PyCharm, please indent sensibly for me. Thx.
2016-03-11 14:25:05 +00:00
aa11db5f11
Fix cache invalidation so deleting access tokens (which we did when changing password) actually takes effect without HS restart. Reinstate the code to avoid logging out the session that changed the password, removed in 415c2f0549
2016-03-11 13:14:18 +00:00
ff8b87118d
Stop using checkpw as it seems to have vanished from bcrypt. Use `bcrypt.hashpw(password, hashed) == hashed` as per the bcrypt README.
2016-03-02 18:06:45 +00:00
cfd07aafff
Allow guests to upgrade their accounts
2016-01-05 18:01:18 +00:00
248cfd5eb3
Take a boolean not a list of lambdas
2015-11-19 15:16:25 +00:00
2b779af10f
Minor review fixes
2015-11-11 11:21:43 +00:00
dd2eb49385
Share more code between macaroon validation
2015-11-11 11:12:35 +00:00
414a4a71b4
Allow hs to do CAS login completely and issue the client with a login token that can be redeemed for the usual successful login response
2015-11-05 14:06:48 +00:00
f522f50a08
Allow guests to register and call /events?room_id=
...
This follows the same flows-based flow as regular registration, but as
the only implemented flow has no requirements, it auto-succeeds. In the
future, other flows (e.g. captcha) may be required, so clients should
treat this like the regular registration flow choices.
2015-11-04 17:29:07 +00:00
f2f031fd57
Add config for how many bcrypt rounds to use for password hashes
...
By default we leave it at the default value of 12. But now we can reduce
it for preparing users for loadtests or running integration tests.
2015-10-16 14:52:08 +01:00
22112f8d14
Formatting changes
2015-10-10 10:49:42 +01:00
c33f5c1a24
Provide ability to login using CAS
2015-10-10 10:49:42 +01:00
81a93ddcc8
Allow configuration to ignore invalid SSL certs
...
This will be useful for sytest, and sytest only, hence the aggressive
config key name.
2015-09-09 12:02:07 +01:00
3063383547
Swap out bcrypt for md5 in tests
...
This reduces our ~8 second sequential test time down to ~7 seconds
2015-08-26 15:59:32 +01:00
d3c0e48859
Merge erikj/user_dedup to develop
2015-08-26 13:42:45 +01:00
c7788685b0
Fix bad merge
2015-08-20 17:43:12 +01:00
8c74bd8960
Fix indentation
2015-08-20 17:26:52 +01:00
ea570ffaeb
Fix flake8 warnings
2015-08-20 17:22:41 +01:00
d5a825edee
Merge branch 'auth' into refresh
...
Conflicts:
synapse/handlers/register.py
2015-08-20 17:13:33 +01:00
e8cf77fa49
Merge branch 'develop' into refresh
...
Conflicts:
synapse/rest/client/v1/login.py
2015-08-20 16:25:40 +01:00
cecbd636e9
/tokenrefresh POST endpoint
...
This allows refresh tokens to be exchanged for (access_token,
refresh_token).
It also starts issuing them on login, though no clients currently
interpret them.
2015-08-20 16:21:35 +01:00
ca0d28ef34
Another use of check_password that got missed in the yield fix
2015-08-20 15:35:14 +01:00
617501dd2a
Move token generation to auth handler
...
I prefer the auth handler to worry about all auth, and register to call
into it as needed, than to smatter auth logic between the two.
2015-08-20 11:35:56 +01:00
40da1f200d
Remove an access token log line
2015-08-19 09:41:07 +01:00
abc6986a24
Fix regression where we incorrectly responded with a 200 to /login
2015-08-19 09:31:11 +01:00
5ce903e2f7
Merge password checking implementations
2015-08-12 16:09:19 +01:00
415c2f0549
Simplify LoginHander and AuthHandler
...
* Merge LoginHandler -> AuthHandler
* Add a bunch of documentation
* Improve some naming
* Remove unused branches
I will start merging the actual logic of the two handlers shortly
2015-08-12 15:49:37 +01:00
4da05fa0ae
Add back in support for remembering parameters submitted to a user-interactive auth call.
2015-07-15 19:28:57 +01:00
784aaa53df
Merge branch 'develop' into markjh/SYT-8-recaptcha
...
Conflicts:
synapse/handlers/auth.py
2015-05-29 13:49:44 +01:00
d94590ed48
Add config for setting the recaptcha verify api endpoint, so we can test it in sytest
2015-05-29 12:11:40 +01:00
afbd3b2fc4
SYN-395: Fix CAPTCHA, don't double decode json
2015-05-28 18:05:00 +01:00
1fae1b3166
This api now no longer returns an array
2015-05-01 13:26:41 +01:00
412ece18e7
Add commentage.
2015-04-27 14:08:45 +01:00
a218619626
Use underscores instead of camelcase for id server stuff
2015-04-24 11:27:38 +01:00
f7a79a37be
pep8
2015-04-24 09:42:37 +01:00
0eb61a3d16
Remove ultimately unused feature of saving params from the first call in the session: it's probably too open to abuse.
2015-04-23 14:44:12 +01:00
8db6832db8
Password reset, finally.
2015-04-17 19:53:47 +01:00
ea1776f556
Return user ID in use error straight away
2015-04-16 19:56:44 +01:00
766bd8e880
Dummy login so we can do the first POST request to get login flows without it just succeeding
2015-04-15 17:14:25 +01:00
a19b739909
Regstration with email in v2
2015-04-15 15:50:38 +01:00
e9c908ebc0
Completely replace fallback auth for C/S V2:
...
* Now only the auth part goes to fallback, not the whole operation
* Auth fallback is a normal API endpoint, not a static page
* Params like the recaptcha pubkey can just live in the config
Involves a little engineering on JsonResource so its servlets aren't always forced to return JSON. I should document this more, in fact I'll do that now.
2015-04-01 15:05:30 +01:00
9f642a93ec
pep8
2015-03-31 09:50:44 +01:00
59bf16eddc
New registration for C/S API v2. Only ReCAPTCHA working currently.
2015-03-30 18:13:10 +01:00
d98660a60d
Implement password changing (finally) along with a start on making client/server auth more general.
2015-03-23 14:20:28 +00:00
Negar Fazeli