Allow re-using a UI auth validation for a period of time (#8970)

2025-05-02 21:04:50 -04:00 · 2020-12-18 07:33:57 -05:00 · 2020-12-18 07:33:57 -05:00 · 5d4c330ed9
commit 5d4c330ed9
parent 4136255d3c
10 changed files with 193 additions and 49 deletions
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@ -226,6 +226,9 @@ class AuthHandler(BaseHandler):
            burst_count=self.hs.config.rc_login_failed_attempts.burst_count,
        )

+        # The number of seconds to keep a UI auth session active.
+        self._ui_auth_session_timeout = hs.config.ui_auth_session_timeout
+
        # Ratelimitier for failed /login attempts
        self._failed_login_attempts_ratelimiter = Ratelimiter(
            clock=hs.get_clock(),
@ -283,7 +286,7 @@ class AuthHandler(BaseHandler):
        request_body: Dict[str, Any],
        clientip: str,
        description: str,
-    ) -> Tuple[dict, str]:
+    ) -> Tuple[dict, Optional[str]]:
        """
        Checks that the user is who they claim to be, via a UI auth.

@ -310,7 +313,8 @@ class AuthHandler(BaseHandler):
                have been given only in a previous call).

                'session_id' is the ID of this session, either passed in by the
-                client or assigned by this call
+                client or assigned by this call. This is None if UI auth was
+                skipped (by re-using a previous validation).

        Raises:
            InteractiveAuthIncompleteError if the client has not yet completed
@ -324,6 +328,16 @@ class AuthHandler(BaseHandler):

        """

+        if self._ui_auth_session_timeout:
+            last_validated = await self.store.get_access_token_last_validated(
+                requester.access_token_id
+            )
+            if self.clock.time_msec() - last_validated < self._ui_auth_session_timeout:
+                # Return the input parameters, minus the auth key, which matches
+                # the logic in check_ui_auth.
+                request_body.pop("auth", None)
+                return request_body, None
+
        user_id = requester.user.to_string()

        # Check if we should be ratelimited due to too many previous failed attempts
@ -359,6 +373,9 @@ class AuthHandler(BaseHandler):
        if user_id != requester.user.to_string():
            raise AuthError(403, "Invalid auth")

+        # Note that the access token has been validated.
+        await self.store.update_access_token_last_validated(requester.access_token_id)
+
        return params, session_id

    async def _get_available_ui_auth_types(self, user: UserID) -> Iterable[str]:
@ -452,13 +469,10 @@ class AuthHandler(BaseHandler):
                all the stages in any of the permitted flows.
        """

-        authdict = None
        sid = None  # type: Optional[str]
-        if clientdict and "auth" in clientdict:
-            authdict = clientdict["auth"]
-            del clientdict["auth"]
-            if "session" in authdict:
-                sid = authdict["session"]
+        authdict = clientdict.pop("auth", {})
+        if "session" in authdict:
+            sid = authdict["session"]

        # Convert the URI and method to strings.
        uri = request.uri.decode("utf-8")
@ -563,6 +577,8 @@ class AuthHandler(BaseHandler):

        creds = await self.store.get_completed_ui_auth_stages(session.session_id)
        for f in flows:
+            # If all the required credentials have been supplied, the user has
+            # successfully completed the UI auth process!
            if len(set(f) - set(creds)) == 0:
                # it's very useful to know what args are stored, but this can
                # include the password in the case of registering, so only log