synapse.api.auth.Auth cleanup: make permission-related methods use Requester instead of the UserID (#13024)

Part of #13019 This changes all the permission-related methods to rely on the Requester instead of the UserID. This is a first step towards enabling scoped access tokens at some point, since I expect the Requester to have scope-related informations in it. It also changes methods which figure out the user/device/appservice out of the access token to return a Requester instead of something else. This avoids having store-related objects in the methods signatures.
2025-05-03 16:34:47 -04:00 · 2022-08-22 15:17:59 +02:00 · 2022-08-22 15:17:59 +02:00 · 3dd175b628
commit 3dd175b628
parent 94375f7a91
26 changed files with 202 additions and 207 deletions
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@ -280,7 +280,7 @@ class AuthHandler:
        that it isn't stolen by re-authenticating them.

        Args:
-            requester: The user, as given by the access token
+            requester: The user making the request, according to the access token.

            request: The request sent by the client.

@ -1435,20 +1435,25 @@ class AuthHandler:
            access_token: access token to be deleted

        """
-        user_info = await self.auth.get_user_by_access_token(access_token)
+        token = await self.store.get_user_by_access_token(access_token)
+        if not token:
+            # At this point, the token should already have been fetched once by
+            # the caller, so this should not happen, unless of a race condition
+            # between two delete requests
+            raise SynapseError(HTTPStatus.UNAUTHORIZED, "Unrecognised access token")
        await self.store.delete_access_token(access_token)

        # see if any modules want to know about this
        await self.password_auth_provider.on_logged_out(
-            user_id=user_info.user_id,
-            device_id=user_info.device_id,
+            user_id=token.user_id,
+            device_id=token.device_id,
            access_token=access_token,
        )

        # delete pushers associated with this access token
-        if user_info.token_id is not None:
+        if token.token_id is not None:
            await self.hs.get_pusherpool().remove_pushers_by_access_token(
-                user_info.user_id, (user_info.token_id,)
+                token.user_id, (token.token_id,)
            )

    async def delete_access_tokens_for_user(