Fix incorrectly sending authentication tokens to application service as headers (#14301)

This commit is contained in:
David Robertson 2022-10-26 14:00:01 +01:00 committed by GitHub
parent 23fa636ed7
commit 04fd6221de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 8 deletions

1
changelog.d/14301.bugfix Normal file

@ -0,0 +1 @@
Fix a bug introduced in Synapse 1.70.0rc1 where access tokens would be incorrectly sent to application services as headers. Application services which were obtaining access tokens from query parameters were not affected.


@ -123,7 +123,7 @@ class ApplicationServiceApi(SimpleHttpClient):
response = await self.get_json( response = await self.get_json(
uri, uri,
{"access_token": service.hs_token}, {"access_token": service.hs_token},
headers={"Authorization": f"Bearer {service.hs_token}"}, headers={"Authorization": [f"Bearer {service.hs_token}"]},
) )
if response is not None: # just an empty json object if response is not None: # just an empty json object
return True return True
@ -147,7 +147,7 @@ class ApplicationServiceApi(SimpleHttpClient):
response = await self.get_json( response = await self.get_json(
uri, uri,
{"access_token": service.hs_token}, {"access_token": service.hs_token},
headers={"Authorization": f"Bearer {service.hs_token}"}, headers={"Authorization": [f"Bearer {service.hs_token}"]},
) )
if response is not None: # just an empty json object if response is not None: # just an empty json object
return True return True
@ -190,7 +190,9 @@ class ApplicationServiceApi(SimpleHttpClient):
b"access_token": service.hs_token, b"access_token": service.hs_token,
} }
response = await self.get_json( response = await self.get_json(
uri, args=args, headers={"Authorization": f"Bearer {service.hs_token}"} uri,
args=args,
headers={"Authorization": [f"Bearer {service.hs_token}"]},
) )
if not isinstance(response, list): if not isinstance(response, list):
logger.warning( logger.warning(
@ -230,7 +232,7 @@ class ApplicationServiceApi(SimpleHttpClient):
info = await self.get_json( info = await self.get_json(
uri, uri,
{"access_token": service.hs_token}, {"access_token": service.hs_token},
headers={"Authorization": f"Bearer {service.hs_token}"}, headers={"Authorization": [f"Bearer {service.hs_token}"]},
) )
if not _is_valid_3pe_metadata(info): if not _is_valid_3pe_metadata(info):
@ -327,7 +329,7 @@ class ApplicationServiceApi(SimpleHttpClient):
uri=uri, uri=uri,
json_body=body, json_body=body,
args={"access_token": service.hs_token}, args={"access_token": service.hs_token},
headers={"Authorization": f"Bearer {service.hs_token}"}, headers={"Authorization": [f"Bearer {service.hs_token}"]},
) )
if logger.isEnabledFor(logging.DEBUG): if logger.isEnabledFor(logging.DEBUG):
logger.debug( logger.debug(
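Review bot: The pair `{"access_token": service.hs_token}` / `headers={"Authorization": [f"Bearer {service.hs_token}"]}` is now hand-written at five call sites in this section (four get_json calls and the post_json_get_json call), and this fix exists precisely because one shape detail of that pair — the header value must be a sequence, as the `Sequence[Union[str, bytes]]` annotation added to the test double spells out — drifted at every site at once; a single module-level helper would keep the five sites from regressing independently. I would add the `_hs_auth_headers(service)` helper below, with a docstring recording why the list is required, and have each site pass `headers=_hs_auth_headers(service)` (the `ApplicationService` annotation assumes the module already imports that name for the existing method signatures; drop it otherwise). Separately, the token is still also sent in the `access_token` query string at every site, which presumably lands in URL access logs on the appservice and any proxy in between; the changelog says this is deliberate for appservices that read the token from query parameters, so it is worth a one-line comment at the first site such as `# Token is also sent as a query param for appservices that predate header auth.` The enclosing methods all start and end outside the visible hunks.
```python
def _hs_auth_headers(service: ApplicationService) -> Dict[str, List[str]]:
    """Authorization header carrying the homeserver's AS token.

    The value must be a *list*: SimpleHttpClient expects each header value
    to be a sequence of raw values, so a bare str is not a valid value here.
    """
    return {"Authorization": [f"Bearer {service.hs_token}"]}

# … unchanged: ApplicationServiceApi methods; each call site becomes …
response = await self.get_json(
    uri,
    {"access_token": service.hs_token},
    headers=_hs_auth_headers(service),
)
```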


@ -11,7 +11,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
from typing import Any, List, Mapping from typing import Any, List, Mapping, Sequence, Union
from unittest.mock import Mock from unittest.mock import Mock
from twisted.test.proto_helpers import MemoryReactor from twisted.test.proto_helpers import MemoryReactor
@ -70,13 +70,15 @@ class ApplicationServiceApiTestCase(unittest.HomeserverTestCase):
self.request_url = None self.request_url = None
async def get_json( async def get_json(
url: str, args: Mapping[Any, Any], headers: Mapping[Any, Any] url: str,
args: Mapping[Any, Any],
headers: Mapping[Union[str, bytes], Sequence[Union[str, bytes]]],
) -> List[JsonDict]: ) -> List[JsonDict]:
# Ensure the access token is passed as both a header and query arg. # Ensure the access token is passed as both a header and query arg.
if not headers.get("Authorization") or not args.get(b"access_token"): if not headers.get("Authorization") or not args.get(b"access_token"):
raise RuntimeError("Access token not provided") raise RuntimeError("Access token not provided")
self.assertEqual(headers.get("Authorization"), f"Bearer {TOKEN}") self.assertEqual(headers.get("Authorization"), [f"Bearer {TOKEN}"])
self.assertEqual(args.get(b"access_token"), TOKEN) self.assertEqual(args.get(b"access_token"), TOKEN)
self.request_url = url self.request_url = url
if url == URL_USER: if url == URL_USER: