Validate that the session is not modified during UI-Auth (#7068)

2025-11-13 14:50:53 -05:00 · 2020-03-26 07:39:34 -04:00 · 2020-03-26 07:39:34 -04:00 · 1c1242acba
commit 1c1242acba
parent 6ca5e56fd1
8 changed files with 117 additions and 14 deletions
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@ -234,13 +234,16 @@ class PasswordRestServlet(RestServlet):
        if self.auth.has_access_token(request):
            requester = await self.auth.get_user_by_req(request)
            params = await self.auth_handler.validate_user_via_ui_auth(
-                requester, body, self.hs.get_ip_from_request(request)
+                requester, request, body, self.hs.get_ip_from_request(request),
            )
            user_id = requester.user.to_string()
        else:
            requester = None
            result, params, _ = await self.auth_handler.check_auth(
-                [[LoginType.EMAIL_IDENTITY]], body, self.hs.get_ip_from_request(request)
+                [[LoginType.EMAIL_IDENTITY]],
+                request,
+                body,
+                self.hs.get_ip_from_request(request),
            )

            if LoginType.EMAIL_IDENTITY in result:
@ -308,7 +311,7 @@ class DeactivateAccountRestServlet(RestServlet):
            return 200, {}

        await self.auth_handler.validate_user_via_ui_auth(
-            requester, body, self.hs.get_ip_from_request(request)
+            requester, request, body, self.hs.get_ip_from_request(request),
        )
        result = await self._deactivate_account_handler.deactivate_account(
            requester.user.to_string(), erase, id_server=body.get("id_server")
@ -656,7 +659,7 @@ class ThreepidAddRestServlet(RestServlet):
        assert_valid_client_secret(client_secret)

        await self.auth_handler.validate_user_via_ui_auth(
-            requester, body, self.hs.get_ip_from_request(request)
+            requester, request, body, self.hs.get_ip_from_request(request),
        )

        validation_session = await self.identity_handler.validate_threepid_session(
--- a/synapse/rest/client/v2_alpha/devices.py
+++ b/synapse/rest/client/v2_alpha/devices.py
@ -81,7 +81,7 @@ class DeleteDevicesRestServlet(RestServlet):
        assert_params_in_dict(body, ["devices"])

        await self.auth_handler.validate_user_via_ui_auth(
-            requester, body, self.hs.get_ip_from_request(request)
+            requester, request, body, self.hs.get_ip_from_request(request),
        )

        await self.device_handler.delete_devices(
@ -127,7 +127,7 @@ class DeviceRestServlet(RestServlet):
                raise

        await self.auth_handler.validate_user_via_ui_auth(
-            requester, body, self.hs.get_ip_from_request(request)
+            requester, request, body, self.hs.get_ip_from_request(request),
        )

        await self.device_handler.delete_device(requester.user.to_string(), device_id)
--- a/synapse/rest/client/v2_alpha/keys.py
+++ b/synapse/rest/client/v2_alpha/keys.py
@ -263,7 +263,7 @@ class SigningKeyUploadServlet(RestServlet):
        body = parse_json_object_from_request(request)

        await self.auth_handler.validate_user_via_ui_auth(
-            requester, body, self.hs.get_ip_from_request(request)
+            requester, request, body, self.hs.get_ip_from_request(request),
        )

        result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@ -499,7 +499,10 @@ class RegisterRestServlet(RestServlet):
            )

        auth_result, params, session_id = await self.auth_handler.check_auth(
-            self._registration_flows, body, self.hs.get_ip_from_request(request)
+            self._registration_flows,
+            request,
+            body,
+            self.hs.get_ip_from_request(request),
        )

        # Check that we're not trying to register a denied 3pid.