Pass SSO IdP information to spam checker's registration function (#9626)

Fixes https://github.com/matrix-org/synapse/issues/9572 When a SSO user logs in for the first time, we create a local Matrix user for them. This goes through the register_user flow, which ends up triggering the spam checker. Spam checker modules don't currently have any way to differentiate between a user trying to sign up initially, versus an SSO user (whom has presumably already been approved elsewhere) trying to log in for the first time. This PR passes `auth_provider_id` as an argument to the `check_registration_for_spam` function. This argument will contain an ID of an SSO provider (`"saml"`, `"cas"`, etc.) if one was used, else `None`.
2025-11-15 00:40:38 -05:00 · 2021-03-16 12:41:41 +00:00 · 2021-03-16 12:41:41 +00:00 · 847ecdd8fa
commit 847ecdd8fa
parent ccf1dc51d7
5 changed files with 67 additions and 6 deletions
--- a/synapse/events/spamcheck.py
+++ b/synapse/events/spamcheck.py
@ -15,6 +15,7 @@
 # limitations under the License.

 import inspect
+import logging
 from typing import TYPE_CHECKING, Any, Dict, List, Optional, Tuple, Union

 from synapse.rest.media.v1._base import FileInfo
@ -27,6 +28,8 @@ if TYPE_CHECKING:
    import synapse.events
    import synapse.server

+logger = logging.getLogger(__name__)
+

 class SpamChecker:
    def __init__(self, hs: "synapse.server.HomeServer"):
@ -190,6 +193,7 @@ class SpamChecker:
        email_threepid: Optional[dict],
        username: Optional[str],
        request_info: Collection[Tuple[str, str]],
+        auth_provider_id: Optional[str] = None,
    ) -> RegistrationBehaviour:
        """Checks if we should allow the given registration request.

@ -198,6 +202,9 @@ class SpamChecker:
            username: The request user name, if any
            request_info: List of tuples of user agent and IP that
                were used during the registration process.
+            auth_provider_id: The SSO IdP the user used, e.g "oidc", "saml",
+                "cas". If any. Note this does not include users registered
+                via a password provider.

        Returns:
            Enum for how the request should be handled
@ -208,9 +215,25 @@ class SpamChecker:
            # spam checker
            checker = getattr(spam_checker, "check_registration_for_spam", None)
            if checker:
-                behaviour = await maybe_awaitable(
-                    checker(email_threepid, username, request_info)
-                )
+                # Provide auth_provider_id if the function supports it
+                checker_args = inspect.signature(checker)
+                if len(checker_args.parameters) == 4:
+                    d = checker(
+                        email_threepid,
+                        username,
+                        request_info,
+                        auth_provider_id,
+                    )
+                elif len(checker_args.parameters) == 3:
+                    d = checker(email_threepid, username, request_info)
+                else:
+                    logger.error(
+                        "Invalid signature for %s.check_registration_for_spam. Denying registration",
+                        spam_checker.__module__,
+                    )
+                    return RegistrationBehaviour.DENY
+
+                behaviour = await maybe_awaitable(d)
                assert isinstance(behaviour, RegistrationBehaviour)
                if behaviour != RegistrationBehaviour.ALLOW:
                    return behaviour