Matrix-Mirrors/matrix-dimension
1
0
Fork 0
mirror of https://github.com/turt2live/matrix-dimension.git synced 2024-10-01 01:05:53 -04:00
Code Issues Packages Projects Releases Wiki Activity

Security: Ensure the OpenID subject matches the homeserver

Browse Source
This commit is contained in:
Travis Ralston 2018-09-08 12:50:45 -06:00
parent 2eaa78c1c7
commit edbeeb4e85
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/api/scalar/ScalarService.ts
View File

@ -53,6 +53,11 @@ export class ScalarService {
const mxClient = new MatrixOpenIdClient(<OpenId>request); const mxClient = new MatrixOpenIdClient(<OpenId>request);
const mxUserId = await mxClient.getUserId(); const mxUserId = await mxClient.getUserId();
if (!mxUserId.endsWith(":" + request.matrix_server_name)) {
LogService.warn("ScalarService", `OpenID subject '${mxUserId}' does not belong to the homeserver '${request.matrix_server_name}'`);
throw new ApiError(401, "Invalid token");
}
const user = await User.findByPrimary(mxUserId); const user = await User.findByPrimary(mxUserId);
if (!user) { if (!user) {
// There's a small chance we'll get a validation error because of: // There's a small chance we'll get a validation error because of: