rei-mirrors/synapse
1
0
Fork 0
mirror of https://github.com/matrix-org/synapse.git synced 2025-02-08 00:05:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enable login_via_existing_session by default

Browse Source
This commit is contained in:
Hugh Nimmo-Smith 2023-06-05 14:42:31 +01:00
parent ca8906be2c
commit 2eb74c6bdb
3 changed files with 5 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/usage/configuration/config_documentation.md
View File

@ -2598,14 +2598,11 @@ ui_auth:
Matrix supports the ability of an existing session to mint a login token for Matrix supports the ability of an existing session to mint a login token for
another client. another client.
Synapse disables this by default as it has security ramifications -- a malicious
client could use the mechanism to spawn more than one session.
The duration of time the generated token is valid for can be configured with the The duration of time the generated token is valid for can be configured with the
`token_timeout` sub-option. `token_timeout` sub-option.
User-interactive authentication is required when this is enabled unless the To protect against malicious clients abusing this capability, user-interactive authentication
`require_ui_auth` sub-option is set to `False`. is required unless the `require_ui_auth` sub-option is set to `False`.
Example configuration: Example configuration:
```yaml ```yaml

2
synapse/config/auth.py
View File

@ -63,7 +63,7 @@ class AuthConfig(Config):
# Logging in with an existing session. # Logging in with an existing session.
login_via_existing = config.get("login_via_existing_session", {}) login_via_existing = config.get("login_via_existing_session", {})
self.login_via_existing_enabled = login_via_existing.get("enabled", False) self.login_via_existing_enabled = login_via_existing.get("enabled", True)
self.login_via_existing_require_ui_auth = login_via_existing.get( self.login_via_existing_require_ui_auth = login_via_existing.get(
"require_ui_auth", True "require_ui_auth", True
) )

9
tests/rest/client/test_login_token_request.py
View File

@ -46,6 +46,7 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
self.user = "user123" self.user = "user123"
self.password = "password" self.password = "password"
@override_config({"login_via_existing_session": {"enabled": False}})
def test_disabled(self) -> None: def test_disabled(self) -> None:
channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=None) channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=None)
self.assertEqual(channel.code, 404) self.assertEqual(channel.code, 404)
@ -56,12 +57,10 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=token) channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=token)
self.assertEqual(channel.code, 404) self.assertEqual(channel.code, 404)
@override_config({"login_via_existing_session": {"enabled": True}})
def test_require_auth(self) -> None: def test_require_auth(self) -> None:
channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=None) channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=None)
self.assertEqual(channel.code, 401) self.assertEqual(channel.code, 401)
@override_config({"login_via_existing_session": {"enabled": True}})
def test_uia_on(self) -> None: def test_uia_on(self) -> None:
user_id = self.register_user(self.user, self.password) user_id = self.register_user(self.user, self.password)
token = self.login(self.user, self.password) token = self.login(self.user, self.password)
@ -95,9 +94,7 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
self.assertEqual(channel.code, 200, channel.result) self.assertEqual(channel.code, 200, channel.result)
self.assertEqual(channel.json_body["user_id"], user_id) self.assertEqual(channel.json_body["user_id"], user_id)
@override_config( @override_config({"login_via_existing_session": {"require_ui_auth": False}})
{"login_via_existing_session": {"enabled": True, "require_ui_auth": False}}
)
def test_uia_off(self) -> None: def test_uia_off(self) -> None:
user_id = self.register_user(self.user, self.password) user_id = self.register_user(self.user, self.password)
token = self.login(self.user, self.password) token = self.login(self.user, self.password)
@ -119,7 +116,6 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
@override_config( @override_config(
{ {
"login_via_existing_session": { "login_via_existing_session": {
"enabled": True,
"require_ui_auth": False, "require_ui_auth": False,
"token_timeout": "15s", "token_timeout": "15s",
} }
@ -136,7 +132,6 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
@override_config( @override_config(
{ {
"login_via_existing_session": { "login_via_existing_session": {
"enabled": True,
"require_ui_auth": False, "require_ui_auth": False,
"token_timeout": "15s", "token_timeout": "15s",
} }