Return a different error from Invalid Password when a user is deactivated (#5674)

Return `This account has been deactivated` instead of `Invalid password` when a user is deactivated.
This commit is contained in:
Andrew Morgan 2019-07-15 11:45:29 +01:00 committed by GitHub
parent d86321300a
commit 18c516698e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 0 deletions

1
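--- a/changelog.d/5674.feature
+++ b/changelog.d/5674.feature
@@ -0,0 +1 @@
+Return "This account has been deactivated" when a deactivated user tries to login.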


@ -139,6 +139,22 @@ class ConsentNotGivenError(SynapseError):
return cs_error(self.msg, self.errcode, consent_uri=self._consent_uri) return cs_error(self.msg, self.errcode, consent_uri=self._consent_uri)
class UserDeactivatedError(SynapseError):
"""The error returned to the client when the user attempted to access an
authenticated endpoint, but the account has been deactivated.
"""
def __init__(self, msg):
"""Constructs a UserDeactivatedError
Args:
msg (str): The human-readable error message
"""
super(UserDeactivatedError, self).__init__(
code=http_client.FORBIDDEN, msg=msg, errcode=Codes.UNKNOWN
)
class RegistrationError(SynapseError): class RegistrationError(SynapseError):
"""An error raised when a registration event fails.""" """An error raised when a registration event fails."""
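Review bot: The class docstring at the top of the hunk says the error is returned when the user "attempted to access an authenticated endpoint", but the only place this commit raises it is the password-login path, where the caller is not yet authenticated; the docstring should cover that case, e.g. `"""The error returned to the client when a login attempt, or a request to an authenticated endpoint, targets an account that has been deactivated."""`. Separately, `errcode=Codes.UNKNOWN` means a client can only tell this 403 apart from other generic failures by matching the message text; if the codebase has, or later gains, a dedicated errcode for deactivated accounts, using it here would give clients a stable signal instead of a string. The UserDeactivatedError class is complete within the hunk.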


@ -35,6 +35,7 @@ from synapse.api.errors import (
LoginError, LoginError,
StoreError, StoreError,
SynapseError, SynapseError,
UserDeactivatedError,
) )
from synapse.api.ratelimiting import Ratelimiter from synapse.api.ratelimiting import Ratelimiter
from synapse.logging.context import defer_to_thread from synapse.logging.context import defer_to_thread
@ -623,6 +624,7 @@ class AuthHandler(BaseHandler):
Raises: Raises:
LimitExceededError if the ratelimiter's login requests count for this LimitExceededError if the ratelimiter's login requests count for this
user is too high too proceed. user is too high too proceed.
UserDeactivatedError if a user is found but is deactivated.
""" """
self.ratelimit_login_per_account(user_id) self.ratelimit_login_per_account(user_id)
res = yield self._find_user_id_and_pwd_hash(user_id) res = yield self._find_user_id_and_pwd_hash(user_id)
@ -838,6 +840,13 @@ class AuthHandler(BaseHandler):
if not lookupres: if not lookupres:
defer.returnValue(None) defer.returnValue(None)
(user_id, password_hash) = lookupres (user_id, password_hash) = lookupres
# If the password hash is None, the account has likely been deactivated
if not password_hash:
deactivated = yield self.store.get_user_deactivated_status(user_id)
if deactivated:
raise UserDeactivatedError("This account has been deactivated")
result = yield self.validate_hash(password, password_hash) result = yield self.validate_hash(password, password_hash)
if not result: if not result:
logger.warn("Failed password login for user %s", user_id) logger.warn("Failed password login for user %s", user_id)
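Review bot: In the hunk at line 840 the `get_user_deactivated_status` lookup runs before `validate_hash`, so the "This account has been deactivated" response is produced whatever password was supplied, and any caller who knows a user ID can learn that the account is deactivated — something the uniform "Invalid password" response did not reveal. That is the trade-off the commit title describes, but it should be recorded at the check so it is not later mistaken for an oversight, e.g. `# NOTE: runs before the password is checked, so this intentionally discloses deactivation status to unauthenticated callers; login rate limiting is relied on to bound probing` (the per-account ratelimit call visible in the 624 hunk presumably guards this path, but that is in a different function). Also, when `password_hash` is falsy but the account is not flagged deactivated, control still falls through to `validate_hash(password, password_hash)` with an empty hash, as before the change; presumably `validate_hash` rejects that, but a short comment saying so at the fall-through would save the next reader the lookup. The enclosing function starts before and continues after the hunk.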