Security: Ensure the OpenID subject matches the homeserver

This commit is contained in:
Travis Ralston 2018-09-08 12:50:45 -06:00
parent 2eaa78c1c7
commit edbeeb4e85

View File

@ -53,6 +53,11 @@ export class ScalarService {
const mxClient = new MatrixOpenIdClient(<OpenId>request); const mxClient = new MatrixOpenIdClient(<OpenId>request);
const mxUserId = await mxClient.getUserId(); const mxUserId = await mxClient.getUserId();
if (!mxUserId.endsWith(":" + request.matrix_server_name)) {
LogService.warn("ScalarService", `OpenID subject '${mxUserId}' does not belong to the homeserver '${request.matrix_server_name}'`);
throw new ApiError(401, "Invalid token");
}
const user = await User.findByPrimary(mxUserId); const user = await User.findByPrimary(mxUserId);
if (!user) { if (!user) {
// There's a small chance we'll get a validation error because of: // There's a small chance we'll get a validation error because of: