Revert "Revert "Merge pull request #7315 from matrix-org/babolivier/request_token""

This reverts commit 1adf6a5587.
2025-05-02 17:34:50 -04:00 · 2020-04-23 11:23:53 +02:00 · 2020-04-23 11:23:53 +02:00 · 2e3b9a0fcb
commit 2e3b9a0fcb
parent fb825759e3
7 changed files with 121 additions and 3 deletions
--- a/tests/rest/client/v2_alpha/test_account.py
+++ b/tests/rest/client/v2_alpha/test_account.py
@ -179,6 +179,22 @@ class PasswordResetTestCase(unittest.HomeserverTestCase):
        # Assert we can't log in with the new password
        self.attempt_wrong_password_login("kermit", new_password)

+    @unittest.override_config({"request_token_inhibit_3pid_errors": True})
+    def test_password_reset_bad_email_inhibit_error(self):
+        """Test that triggering a password reset with an email address that isn't bound
+        to an account doesn't leak the lack of binding for that address if configured
+        that way.
+        """
+        self.register_user("kermit", "monkey")
+        self.login("kermit", "monkey")
+
+        email = "test@example.com"
+
+        client_secret = "foobar"
+        session_id = self._request_token(email, client_secret)
+
+        self.assertIsNotNone(session_id)
+
    def _request_token(self, email, client_secret):
        request, channel = self.make_request(
            "POST",
--- a/tests/rest/client/v2_alpha/test_register.py
+++ b/tests/rest/client/v2_alpha/test_register.py
@ -33,7 +33,11 @@ from tests import unittest

 class RegisterRestServletTestCase(unittest.HomeserverTestCase):

-    servlets = [register.register_servlets]
+    servlets = [
+        login.register_servlets,
+        register.register_servlets,
+        synapse.rest.admin.register_servlets,
+    ]
    url = b"/_matrix/client/r0/register"

    def default_config(self):
@ -260,6 +264,47 @@ class RegisterRestServletTestCase(unittest.HomeserverTestCase):
            [["m.login.email.identity"]], (f["stages"] for f in flows)
        )

+    @unittest.override_config(
+        {
+            "request_token_inhibit_3pid_errors": True,
+            "public_baseurl": "https://test_server",
+            "email": {
+                "smtp_host": "mail_server",
+                "smtp_port": 2525,
+                "notif_from": "sender@host",
+            },
+        }
+    )
+    def test_request_token_existing_email_inhibit_error(self):
+        """Test that requesting a token via this endpoint doesn't leak existing
+        associations if configured that way.
+        """
+        user_id = self.register_user("kermit", "monkey")
+        self.login("kermit", "monkey")
+
+        email = "test@example.com"
+
+        # Add a threepid
+        self.get_success(
+            self.hs.get_datastore().user_add_threepid(
+                user_id=user_id,
+                medium="email",
+                address=email,
+                validated_at=0,
+                added_at=0,
+            )
+        )
+
+        request, channel = self.make_request(
+            "POST",
+            b"register/email/requestToken",
+            {"client_secret": "foobar", "email": email, "send_attempt": 1},
+        )
+        self.render(request)
+        self.assertEquals(200, channel.code, channel.result)
+
+        self.assertIsNotNone(channel.json_body.get("sid"))
+

 class AccountValidityTestCase(unittest.HomeserverTestCase):