Implement registering with shared secret.

2025-05-20 17:20:22 -04:00 · 2015-03-13 15:23:37 +00:00 · 2015-03-13 15:23:37 +00:00 · 69135f59aa
commit 69135f59aa
parent 58367a9da2
4 changed files with 83 additions and 5 deletions
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@ -110,14 +110,22 @@ class RegisterRestServlet(ClientV1RestServlet):
            login_type = register_json["type"]

            is_application_server = login_type == LoginType.APPLICATION_SERVICE
-            if self.disable_registration and not is_application_server:
+            is_using_shared_secret = login_type == LoginType.SHARED_SECRET
+
+            can_register = (
+                not self.disable_registration
+                or is_application_server
+                or is_using_shared_secret
+            )
+            if not can_register:
                raise SynapseError(403, "Registration has been disabled")

            stages = {
                LoginType.RECAPTCHA: self._do_recaptcha,
                LoginType.PASSWORD: self._do_password,
                LoginType.EMAIL_IDENTITY: self._do_email_identity,
-                LoginType.APPLICATION_SERVICE: self._do_app_service
+                LoginType.APPLICATION_SERVICE: self._do_app_service,
+                LoginType.SHARED_SECRET: self._do_shared_secret,
            }

            session_info = self._get_session_info(request, session)
@ -304,6 +312,51 @@ class RegisterRestServlet(ClientV1RestServlet):
            "home_server": self.hs.hostname,
        })

+    @defer.inlineCallbacks
+    def _do_shared_secret(self, request, register_json, session):
+        yield run_on_reactor()
+
+        if "mac" not in register_json:
+            raise SynapseError(400, "Expected mac.")
+        if "user" not in register_json:
+            raise SynapseError(400, "Expected 'user' key.")
+        if "password" not in register_json:
+            raise SynapseError(400, "Expected 'password' key.")
+
+        if not self.hs.config.registration_shared_secret:
+            raise SynapseError(400, "Shared secret registration is not enabled")
+
+        user = register_json["user"].encode("utf-8")
+
+        # str() because otherwise hmac complains that 'unicode' does not
+        # have the buffer interface
+        got_mac = str(register_json["mac"])
+
+        want_mac = hmac.new(
+            key=self.hs.config.registration_shared_secret,
+            msg=user,
+            digestmod=sha1,
+        ).hexdigest()
+
+        password = register_json["password"].encode("utf-8")
+
+        if compare_digest(want_mac, got_mac):
+            handler = self.handlers.registration_handler
+            user_id, token = yield handler.register(
+                localpart=user,
+                password=password,
+            )
+            self._remove_session(session)
+            defer.returnValue({
+                "user_id": user_id,
+                "access_token": token,
+                "home_server": self.hs.hostname,
+            })
+        else:
+            raise SynapseError(
+                400, "HMAC incorrect",
+            )
+

 def _parse_json(request):
    try: