Hash passwords earlier in the password reset process (#7538)

This now matches the logic of the registration process as modified in 56db0b1365 / #7523.
2025-05-02 10:46:06 -04:00 · 2020-05-20 09:48:03 -04:00 · 2020-05-20 09:48:03 -04:00 · 9dc6f3075a
commit 9dc6f3075a
parent 4fa74c7606
5 changed files with 33 additions and 11 deletions
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@ -220,12 +220,27 @@ class PasswordRestServlet(RestServlet):
        self.auth = hs.get_auth()
        self.auth_handler = hs.get_auth_handler()
        self.datastore = self.hs.get_datastore()
+        self.password_policy_handler = hs.get_password_policy_handler()
        self._set_password_handler = hs.get_set_password_handler()

    @interactive_auth_handler
    async def on_POST(self, request):
        body = parse_json_object_from_request(request)

+        # we do basic sanity checks here because the auth layer will store these
+        # in sessions. Pull out the new password provided to us.
+        if "new_password" in body:
+            new_password = body.pop("new_password")
+            if not isinstance(new_password, str) or len(new_password) > 512:
+                raise SynapseError(400, "Invalid password")
+            self.password_policy_handler.validate_password(new_password)
+
+            # If the password is valid, hash it and store it back on the body.
+            # This ensures that only the hashed password is handled everywhere.
+            if "new_password_hash" in body:
+                raise SynapseError(400, "Unexpected property: new_password_hash")
+            body["new_password_hash"] = await self.auth_handler.hash(new_password)
+
        # there are two possibilities here. Either the user does not have an
        # access token, and needs to do a password reset; or they have one and
        # need to validate their identity.
@ -276,12 +291,12 @@ class PasswordRestServlet(RestServlet):
                logger.error("Auth succeeded but no known type! %r", result.keys())
                raise SynapseError(500, "", Codes.UNKNOWN)

-        assert_params_in_dict(params, ["new_password"])
-        new_password = params["new_password"]
+        assert_params_in_dict(params, ["new_password_hash"])
+        new_password_hash = params["new_password_hash"]
        logout_devices = params.get("logout_devices", True)

        await self._set_password_handler.set_password(
-            user_id, new_password, logout_devices, requester
+            user_id, new_password_hash, logout_devices, requester
        )

        return 200, {}