Add ability for access tokens to belong to one user but grant access to another user. (#8616)

We do it this way round so that only the "owner" can delete the access token (i.e. `/logout/all` by the "owner" also deletes that token, but `/logout/all` by the "target user" doesn't). A future PR will add an API for creating such a token. When the target user and authenticated entity are different the `Processed request` log line will be logged with a: `{@admin:server as @bob:server} ...`. I'm not convinced by that format (especially since it adds spaces in there, making it harder to use `cut -d ' '` to chop off the start of log lines). Suggestions welcome.
2025-05-02 10:06:05 -04:00 · 2020-10-29 15:58:44 +00:00 · 2020-10-29 15:58:44 +00:00 · f21e24ffc2
commit f21e24ffc2
parent 22eeb6bc54
22 changed files with 197 additions and 138 deletions
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@ -991,17 +991,17 @@ class AuthHandler(BaseHandler):
                # This might return an awaitable, if it does block the log out
                # until it completes.
                result = provider.on_logged_out(
-                    user_id=str(user_info["user"]),
-                    device_id=user_info["device_id"],
+                    user_id=user_info.user_id,
+                    device_id=user_info.device_id,
                    access_token=access_token,
                )
                if inspect.isawaitable(result):
                    await result

        # delete pushers associated with this access token
-        if user_info["token_id"] is not None:
+        if user_info.token_id is not None:
            await self.hs.get_pusherpool().remove_pushers_by_access_token(
-                str(user_info["user"]), (user_info["token_id"],)
+                user_info.user_id, (user_info.token_id,)
            )

    async def delete_access_tokens_for_user(