Added possibilty to disable local password authentication (#5092)

Signed-off-by: Daniel Hoffend <dh@dotlan.net>
2025-01-04 21:40:47 -05:00 · 2019-06-27 19:37:29 +02:00 · 2019-06-27 19:37:29 +02:00 · 9646a593ac
commit 9646a593ac
parent 457b8e4c4d
5 changed files with 18 additions and 1 deletions
--- a/changelog.d/5092.feature
+++ b/changelog.d/5092.feature
@ -0,0 +1 @@
+Added possibilty to disable local password authentication. Contributed by Daniel Hoffend.
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -1046,6 +1046,12 @@ password_config:
   #
   #enabled: false

+   # Uncomment to disable authentication against the local password
+   # database. This is ignored if `enabled` is false, and is only useful
+   # if you have other password_providers.
+   #
+   #localdb_enabled: false
+
   # Uncomment and change to a secret random string for extra security.
   # DO NOT CHANGE THIS AFTER INITIAL SETUP!
   #
--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@ -26,6 +26,7 @@ class PasswordConfig(Config):
            password_config = {}

        self.password_enabled = password_config.get("enabled", True)
+        self.password_localdb_enabled = password_config.get("localdb_enabled", True)
        self.password_pepper = password_config.get("pepper", "")

    def generate_config_section(self, config_dir_path, server_name, **kwargs):
@ -35,6 +36,12 @@ class PasswordConfig(Config):
           #
           #enabled: false

+           # Uncomment to disable authentication against the local password
+           # database. This is ignored if `enabled` is false, and is only useful
+           # if you have other password_providers.
+           #
+           #localdb_enabled: false
+
           # Uncomment and change to a secret random string for extra security.
           # DO NOT CHANGE THIS AFTER INITIAL SETUP!
           #
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@ -743,7 +743,7 @@ class AuthHandler(BaseHandler):
                    result = (result, None)
                defer.returnValue(result)

-        if login_type == LoginType.PASSWORD:
+        if login_type == LoginType.PASSWORD and self.hs.config.password_localdb_enabled:
            known_login_type = True

            canonical_user_id = yield self._check_local_password(
--- a/synapse/handlers/set_password.py
+++ b/synapse/handlers/set_password.py
@ -33,6 +33,9 @@ class SetPasswordHandler(BaseHandler):

    @defer.inlineCallbacks
    def set_password(self, user_id, newpassword, requester=None):
+        if not self.hs.config.password_localdb_enabled:
+            raise SynapseError(403, "Password change disabled", errcode=Codes.FORBIDDEN)
+
        password_hash = yield self._auth_handler.hash(newpassword)

        except_device_id = requester.device_id if requester else None
				`@ -0,0 +1 @@`
				`Added possibilty to disable local password authentication. Contributed by Daniel Hoffend.`