From edbeeb4e8594e81c84f4d9c84b8a07e4df4a475a Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Sat, 8 Sep 2018 12:50:45 -0600
Subject: [PATCH] Security: Ensure the OpenID subject matches the homeserver

---
 src/api/scalar/ScalarService.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/api/scalar/ScalarService.ts b/src/api/scalar/ScalarService.ts
index 2bfc524..5774626 100644
--- a/src/api/scalar/ScalarService.ts
+++ b/src/api/scalar/ScalarService.ts
@@ -53,6 +53,11 @@ export class ScalarService {
 const mxClient = new MatrixOpenIdClient(request);
 const mxUserId = await mxClient.getUserId();
 
+ if (!mxUserId.endsWith(":" + request.matrix_server_name)) {
+ LogService.warn("ScalarService", `OpenID subject '${mxUserId}' does not belong to the homeserver '${request.matrix_server_name}'`);
+ throw new ApiError(401, "Invalid token");
+ }
+
 const user = await User.findByPrimary(mxUserId);
 if (!user) {
 // There's a small chance we'll get a validation error because of:
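Review bot: The new guard at the top of the hunk only checks that the subject ends with `":" + request.matrix_server_name`, which is looser than the `@localpart:domain` shape of a Matrix user ID; any string whose tail matches the homeserver name passes, including one with no leading `@` or with extra `:` segments, so the row later fetched by `User.findByPrimary` is not necessarily the identity the homeserver asserted. A strict comparison of the domain after the first `:` is safer: `const sep = mxUserId.indexOf(":");` followed by `if (!mxUserId.startsWith("@") || sep < 0 || mxUserId.substring(sep + 1) !== request.matrix_server_name) {`. Both `mxUserId` and `request.matrix_server_name` originate from the remote side, so the warning on the second added line logs attacker-influenced strings; that is acceptable for a plain-text log but anything that renders these entries should escape them. The enclosing method starts before the hunk, so it cannot be confirmed here whether `mxUserId` can be null or undefined, in which case `endsWith` would throw a TypeError and surface as a 500 rather than this 401.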