From bc8a5c033097f719d6b2971660ad833ab8cb3838 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <richard@matrix.org>
Date: Wed, 1 Nov 2017 15:42:38 +0000
Subject: [PATCH] Notify auth providers on logout

Provide a hook by which auth providers can be notified of logouts.
---
 docs/password_auth_providers.rst | 10 ++++++++++
 synapse/handlers/auth.py         | 26 ++++++++++++++++++++++++--
 synapse/storage/registration.py  | 13 ++++++++-----
 3 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/docs/password_auth_providers.rst b/docs/password_auth_providers.rst
index 2dbebcd72..98019cea0 100644
--- a/docs/password_auth_providers.rst
+++ b/docs/password_auth_providers.rst
@@ -82,3 +82,13 @@ Password auth provider classes may optionally provide the following methods.
 
     The method should return a Twisted ``Deferred`` object, which resolves to
     ``True`` if authentication is successful, and ``False`` if not.
+
+``someprovider.on_logged_out``\(*user_id*, *device_id*, *access_token*)
+
+    This method, if implemented, is called when a user logs out. It is passed
+    the qualified user ID, the ID of the deactivated device (if any: access
+    tokens are occasionally created without an associated device ID), and the
+    (now deactivated) access token.
+
+    It may return a Twisted ``Deferred`` object; the logout request will wait
+    for the deferred to complete but the result is ignored.
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 9799461d2..cc667b6d8 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -682,6 +682,7 @@ class AuthHandler(BaseHandler):
         yield self.store.user_delete_threepids(user_id)
         yield self.store.user_set_password_hash(user_id, None)
 
+    @defer.inlineCallbacks
     def delete_access_token(self, access_token):
         """Invalidate a single access token
 
@@ -691,8 +692,19 @@ class AuthHandler(BaseHandler):
         Returns:
             Deferred
         """
-        return self.store.delete_access_token(access_token)
+        user_info = yield self.auth.get_user_by_access_token(access_token)
+        yield self.store.delete_access_token(access_token)
 
+        # see if any of our auth providers want to know about this
+        for provider in self.password_providers:
+            if hasattr(provider, "on_logged_out"):
+                yield provider.on_logged_out(
+                    user_id=str(user_info["user"]),
+                    device_id=user_info["device_id"],
+                    access_token=access_token,
+                )
+
+    @defer.inlineCallbacks
     def delete_access_tokens_for_user(self, user_id, except_token_id=None,
                                       device_id=None):
         """Invalidate access tokens belonging to a user
@@ -707,10 +719,20 @@ class AuthHandler(BaseHandler):
         Returns:
             Deferred
         """
-        return self.store.user_delete_access_tokens(
+        tokens_and_devices = yield self.store.user_delete_access_tokens(
             user_id, except_token_id=except_token_id, device_id=device_id,
         )
 
+        # see if any of our auth providers want to know about this
+        for provider in self.password_providers:
+            if hasattr(provider, "on_logged_out"):
+                for token, device_id in tokens_and_devices:
+                    yield provider.on_logged_out(
+                        user_id=user_id,
+                        device_id=device_id,
+                        access_token=token,
+                    )
+
     @defer.inlineCallbacks
     def add_threepid(self, user_id, medium, address, validated_at):
         # 'Canonicalise' email addresses down to lower case.
diff --git a/synapse/storage/registration.py b/synapse/storage/registration.py
index 65ddefda9..9c4f61da7 100644
--- a/synapse/storage/registration.py
+++ b/synapse/storage/registration.py
@@ -255,7 +255,8 @@ class RegistrationStore(background_updates.BackgroundUpdateStore):
                 If None, tokens associated with any device (or no device) will
                 be deleted
         Returns:
-            defer.Deferred:
+            defer.Deferred[list[str, str|None]]: a list of the deleted tokens
+                and device IDs
         """
         def f(txn):
             keyvalues = {
@@ -272,14 +273,14 @@ class RegistrationStore(background_updates.BackgroundUpdateStore):
                 values.append(except_token_id)
 
             txn.execute(
-                "SELECT token FROM access_tokens WHERE %s" % where_clause,
+                "SELECT token, device_id FROM access_tokens WHERE %s" % where_clause,
                 values
             )
-            rows = self.cursor_to_dict(txn)
+            tokens_and_devices = [(r[0], r[1]) for r in txn]
 
-            for row in rows:
+            for token, _ in tokens_and_devices:
                 self._invalidate_cache_and_stream(
-                    txn, self.get_user_by_access_token, (row["token"],)
+                    txn, self.get_user_by_access_token, (token,)
                 )
 
             txn.execute(
@@ -287,6 +288,8 @@ class RegistrationStore(background_updates.BackgroundUpdateStore):
                 values
             )
 
+            return tokens_and_devices
+
         yield self.runInteraction(
             "user_delete_access_tokens", f,
         )