mirror of
https://git.anonymousland.org/anonymousland/synapse.git
synced 2025-05-03 16:14:49 -04:00
Add support for handling avatar with SSO login (#13917)
This commit adds support for handling a provided avatar picture URL when logging in via SSO. Signed-off-by: Ashish Kumar <ashfame@users.noreply.github.com> Fixes #9357.
This commit is contained in:
Ashish Kumar
GitHub
parent
39cde585bf
commit
09de2aecb0
6 changed files with 275 additions and 2 deletions
|
|
@ -12,6 +12,8 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
import abc
|
||||
import hashlib
|
||||
import io
|
||||
import logging
|
||||
from typing import (
|
||||
TYPE_CHECKING,
|
||||
|
|
@ -138,6 +140,7 @@ class UserAttributes:
|
|||
localpart: Optional[str]
|
||||
confirm_localpart: bool = False
|
||||
display_name: Optional[str] = None
|
||||
picture: Optional[str] = None
|
||||
emails: Collection[str] = attr.Factory(list)
|
||||
|
||||
|
||||
|
|
@ -196,6 +199,10 @@ class SsoHandler:
|
|||
self._error_template = hs.config.sso.sso_error_template
|
||||
self._bad_user_template = hs.config.sso.sso_auth_bad_user_template
|
||||
self._profile_handler = hs.get_profile_handler()
|
||||
self._media_repo = (
|
||||
hs.get_media_repository() if hs.config.media.can_load_media_repo else None
|
||||
)
|
||||
self._http_client = hs.get_proxied_blacklisted_http_client()
|
||||
|
||||
# The following template is shown after a successful user interactive
|
||||
# authentication session. It tells the user they can close the window.
|
||||
|
|
@ -495,6 +502,8 @@ class SsoHandler:
|
|||
await self._profile_handler.set_displayname(
|
||||
user_id_obj, requester, attributes.display_name, True
|
||||
)
|
||||
if attributes.picture:
|
||||
await self.set_avatar(user_id, attributes.picture)
|
||||
|
||||
await self._auth_handler.complete_sso_login(
|
||||
user_id,
|
||||
|
|
@ -703,8 +712,110 @@ class SsoHandler:
|
|||
await self._store.record_user_external_id(
|
||||
auth_provider_id, remote_user_id, registered_user_id
|
||||
)
|
||||
|
||||
# Set avatar, if available
|
||||
if attributes.picture:
|
||||
await self.set_avatar(registered_user_id, attributes.picture)
|
||||
|
||||
return registered_user_id
|
||||
|
||||
async def set_avatar(self, user_id: str, picture_https_url: str) -> bool:
|
||||
"""Set avatar of the user.
|
||||
|
||||
This downloads the image file from the URL provided, stores that in
|
||||
the media repository and then sets the avatar on the user's profile.
|
||||
|
||||
It can detect if the same image is being saved again and bails early by storing
|
||||
the hash of the file in the `upload_name` of the avatar image.
|
||||
|
||||
Currently, it only supports server configurations which run the media repository
|
||||
within the same process.
|
||||
|
||||
It silently fails and logs a warning by raising an exception and catching it
|
||||
internally if:
|
||||
* it is unable to fetch the image itself (non 200 status code) or
|
||||
* the image supplied is bigger than max allowed size or
|
||||
* the image type is not one of the allowed image types.
|
||||
|
||||
Args:
|
||||
user_id: matrix user ID in the form @localpart:domain as a string.
|
||||
|
||||
picture_https_url: HTTPS url for the picture image file.
|
||||
|
||||
Returns: `True` if the user's avatar has been successfully set to the image at
|
||||
`picture_https_url`.
|
||||
"""
|
||||
if self._media_repo is None:
|
||||
logger.info(
|
||||
"failed to set user avatar because out-of-process media repositories "
|
||||
"are not supported yet "
|
||||
)
|
||||
return False
|
||||
|
||||
try:
|
||||
uid = UserID.from_string(user_id)
|
||||
|
||||
def is_allowed_mime_type(content_type: str) -> bool:
|
||||
if (
|
||||
self._profile_handler.allowed_avatar_mimetypes
|
||||
and content_type
|
||||
not in self._profile_handler.allowed_avatar_mimetypes
|
||||
):
|
||||
return False
|
||||
return True
|
||||
|
||||
# download picture, enforcing size limit & mime type check
|
||||
picture = io.BytesIO()
|
||||
|
||||
content_length, headers, uri, code = await self._http_client.get_file(
|
||||
url=picture_https_url,
|
||||
output_stream=picture,
|
||||
max_size=self._profile_handler.max_avatar_size,
|
||||
is_allowed_content_type=is_allowed_mime_type,
|
||||
)
|
||||
|
||||
if code != 200:
|
||||
raise Exception(
|
||||
"GET request to download sso avatar image returned {}".format(code)
|
||||
)
|
||||
|
||||
# upload name includes hash of the image file's content so that we can
|
||||
# easily check if it requires an update or not, the next time user logs in
|
||||
upload_name = "sso_avatar_" + hashlib.sha256(picture.read()).hexdigest()
|
||||
|
||||
# bail if user already has the same avatar
|
||||
profile = await self._profile_handler.get_profile(user_id)
|
||||
if profile["avatar_url"] is not None:
|
||||
server_name = profile["avatar_url"].split("/")[-2]
|
||||
media_id = profile["avatar_url"].split("/")[-1]
|
||||
if server_name == self._server_name:
|
||||
media = await self._media_repo.store.get_local_media(media_id)
|
||||
if media is not None and upload_name == media["upload_name"]:
|
||||
logger.info("skipping saving the user avatar")
|
||||
return True
|
||||
|
||||
# store it in media repository
|
||||
avatar_mxc_url = await self._media_repo.create_content(
|
||||
media_type=headers[b"Content-Type"][0].decode("utf-8"),
|
||||
upload_name=upload_name,
|
||||
content=picture,
|
||||
content_length=content_length,
|
||||
auth_user=uid,
|
||||
)
|
||||
|
||||
# save it as user avatar
|
||||
await self._profile_handler.set_avatar_url(
|
||||
uid,
|
||||
create_requester(uid),
|
||||
str(avatar_mxc_url),
|
||||
)
|
||||
|
||||
logger.info("successfully saved the user avatar")
|
||||
return True
|
||||
except Exception:
|
||||
logger.warning("failed to save the user avatar")
|
||||
return False
|
||||
|
||||
async def complete_sso_ui_auth_request(
|
||||
self,
|
||||
auth_provider_id: str,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue