Fix incorrectly sending authentication tokens to application service as headers (#14301)
This commit is contained in:
parent
23fa636ed7
commit
04fd6221de
1
changelog.d/14301.bugfix
Normal file
1
changelog.d/14301.bugfix
Normal file
@ -0,0 +1 @@
|
|||||||
|
Fix a bug introduced in Synapse 1.70.0rc1 where access tokens would be incorrectly sent to application services as headers. Application services which were obtaining access tokens from query parameters were not affected.
|
@ -123,7 +123,7 @@ class ApplicationServiceApi(SimpleHttpClient):
|
|||||||
response = await self.get_json(
|
response = await self.get_json(
|
||||||
uri,
|
uri,
|
||||||
{"access_token": service.hs_token},
|
{"access_token": service.hs_token},
|
||||||
headers={"Authorization": f"Bearer {service.hs_token}"},
|
headers={"Authorization": [f"Bearer {service.hs_token}"]},
|
||||||
)
|
)
|
||||||
if response is not None: # just an empty json object
|
if response is not None: # just an empty json object
|
||||||
return True
|
return True
|
||||||
@ -147,7 +147,7 @@ class ApplicationServiceApi(SimpleHttpClient):
|
|||||||
response = await self.get_json(
|
response = await self.get_json(
|
||||||
uri,
|
uri,
|
||||||
{"access_token": service.hs_token},
|
{"access_token": service.hs_token},
|
||||||
headers={"Authorization": f"Bearer {service.hs_token}"},
|
headers={"Authorization": [f"Bearer {service.hs_token}"]},
|
||||||
)
|
)
|
||||||
if response is not None: # just an empty json object
|
if response is not None: # just an empty json object
|
||||||
return True
|
return True
|
||||||
@ -190,7 +190,9 @@ class ApplicationServiceApi(SimpleHttpClient):
|
|||||||
b"access_token": service.hs_token,
|
b"access_token": service.hs_token,
|
||||||
}
|
}
|
||||||
response = await self.get_json(
|
response = await self.get_json(
|
||||||
uri, args=args, headers={"Authorization": f"Bearer {service.hs_token}"}
|
uri,
|
||||||
|
args=args,
|
||||||
|
headers={"Authorization": [f"Bearer {service.hs_token}"]},
|
||||||
)
|
)
|
||||||
if not isinstance(response, list):
|
if not isinstance(response, list):
|
||||||
logger.warning(
|
logger.warning(
|
||||||
@ -230,7 +232,7 @@ class ApplicationServiceApi(SimpleHttpClient):
|
|||||||
info = await self.get_json(
|
info = await self.get_json(
|
||||||
uri,
|
uri,
|
||||||
{"access_token": service.hs_token},
|
{"access_token": service.hs_token},
|
||||||
headers={"Authorization": f"Bearer {service.hs_token}"},
|
headers={"Authorization": [f"Bearer {service.hs_token}"]},
|
||||||
)
|
)
|
||||||
|
|
||||||
if not _is_valid_3pe_metadata(info):
|
if not _is_valid_3pe_metadata(info):
|
||||||
@ -327,7 +329,7 @@ class ApplicationServiceApi(SimpleHttpClient):
|
|||||||
uri=uri,
|
uri=uri,
|
||||||
json_body=body,
|
json_body=body,
|
||||||
args={"access_token": service.hs_token},
|
args={"access_token": service.hs_token},
|
||||||
headers={"Authorization": f"Bearer {service.hs_token}"},
|
headers={"Authorization": [f"Bearer {service.hs_token}"]},
|
||||||
)
|
)
|
||||||
if logger.isEnabledFor(logging.DEBUG):
|
if logger.isEnabledFor(logging.DEBUG):
|
||||||
logger.debug(
|
logger.debug(
|
||||||
|
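Review bot: The corrected `headers={"Authorization": [f"Bearer {service.hs_token}"]}` literal is now written out five times in this file (the hunks at -123, -147, -190, -230 and -327), and the bug fixed here was a wrong shape for exactly this value, so the next change to the header format can again land on some sites and not others. A small helper such as `def _auth_headers(service): return {"Authorization": [f"Bearer {service.hs_token}"]}` called from each `get_json` site would keep the credential-bearing header in one place. It would also make it a one-line change if the `access_token` query argument, which is still sent alongside the header at every site (and which query strings tend to surface in request logs), is later dropped once clients are on the header form. Each of these hunks sits inside a method whose beginning and end are outside the hunk.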
@ -11,7 +11,7 @@
|
|||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
from typing import Any, List, Mapping
|
from typing import Any, List, Mapping, Sequence, Union
|
||||||
from unittest.mock import Mock
|
from unittest.mock import Mock
|
||||||
|
|
||||||
from twisted.test.proto_helpers import MemoryReactor
|
from twisted.test.proto_helpers import MemoryReactor
|
||||||
@ -70,13 +70,15 @@ class ApplicationServiceApiTestCase(unittest.HomeserverTestCase):
|
|||||||
self.request_url = None
|
self.request_url = None
|
||||||
|
|
||||||
async def get_json(
|
async def get_json(
|
||||||
url: str, args: Mapping[Any, Any], headers: Mapping[Any, Any]
|
url: str,
|
||||||
|
args: Mapping[Any, Any],
|
||||||
|
headers: Mapping[Union[str, bytes], Sequence[Union[str, bytes]]],
|
||||||
) -> List[JsonDict]:
|
) -> List[JsonDict]:
|
||||||
# Ensure the access token is passed as both a header and query arg.
|
# Ensure the access token is passed as both a header and query arg.
|
||||||
if not headers.get("Authorization") or not args.get(b"access_token"):
|
if not headers.get("Authorization") or not args.get(b"access_token"):
|
||||||
raise RuntimeError("Access token not provided")
|
raise RuntimeError("Access token not provided")
|
||||||
|
|
||||||
self.assertEqual(headers.get("Authorization"), f"Bearer {TOKEN}")
|
self.assertEqual(headers.get("Authorization"), [f"Bearer {TOKEN}"])
|
||||||
self.assertEqual(args.get(b"access_token"), TOKEN)
|
self.assertEqual(args.get(b"access_token"), TOKEN)
|
||||||
self.request_url = url
|
self.request_url = url
|
||||||
if url == URL_USER:
|
if url == URL_USER:
|
||||||
|
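Review bot: The stub `get_json` in this hunk only accepts the bytes key, `args.get(b"access_token")`, which matches the `ApplicationServiceApi` call site that builds `args` with `b"access_token"`; the other four sites changed in this commit pass `{"access_token": service.hs_token}` with a str key, so this stub would raise `RuntimeError("Access token not provided")` for them and they appear not to be exercised by this test. Since the header-shape regression affected all five sites, consider letting the stub accept either key, `if not headers.get("Authorization") or not (args.get(b"access_token") or args.get("access_token")):`, and adding a case that drives one of the str-key sites so the `[f"Bearer {TOKEN}"]` assertion guards every place the token is sent. The method that assigns `self.request_url = None` starts outside the hunk.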