Fix validation problem that occurs when a user tries to deactivate their account or change their password. (#13563)

This commit is contained in:
reivilibre 2022-08-19 11:03:29 +00:00 committed by GitHub
parent 2c42673a9b
commit 3a245f6cfe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 19 additions and 3 deletions

View File

@ -0,0 +1 @@
Improve validation of request bodies for the following client-server API endpoints: [`/account/password`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword), [`/account/password/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpasswordemailrequesttoken), [`/account/deactivate`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountdeactivate) and [`/account/3pid/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidemailrequesttoken).

View File

@ -196,7 +196,7 @@ class PasswordRestServlet(RestServlet):
params, session_id = await self.auth_handler.validate_user_via_ui_auth( params, session_id = await self.auth_handler.validate_user_via_ui_auth(
requester, requester,
request, request,
body.dict(), body.dict(exclude_unset=True),
"modify your account password", "modify your account password",
) )
except InteractiveAuthIncompleteError as e: except InteractiveAuthIncompleteError as e:
@ -219,7 +219,7 @@ class PasswordRestServlet(RestServlet):
result, params, session_id = await self.auth_handler.check_ui_auth( result, params, session_id = await self.auth_handler.check_ui_auth(
[[LoginType.EMAIL_IDENTITY]], [[LoginType.EMAIL_IDENTITY]],
request, request,
body.dict(), body.dict(exclude_unset=True),
"modify your account password", "modify your account password",
) )
except InteractiveAuthIncompleteError as e: except InteractiveAuthIncompleteError as e:
@ -316,7 +316,7 @@ class DeactivateAccountRestServlet(RestServlet):
await self.auth_handler.validate_user_via_ui_auth( await self.auth_handler.validate_user_via_ui_auth(
requester, requester,
request, request,
body.dict(), body.dict(exclude_unset=True),
"deactivate your account", "deactivate your account",
) )
result = await self._deactivate_account_handler.deactivate_account( result = await self._deactivate_account_handler.deactivate_account(

View File

@ -322,3 +322,18 @@ class DeactivateAccountTestCase(HomeserverTestCase):
) )
), ),
) )
def test_deactivate_account_needs_auth(self) -> None:
"""
Tests that making a request to /deactivate with an empty body
succeeds in starting the user-interactive auth flow.
"""
req = self.make_request(
"POST",
"account/deactivate",
{},
access_token=self.token,
)
self.assertEqual(req.code, 401, req)
self.assertEqual(req.json_body["flows"], [{"stages": ["m.login.password"]}])