Merge remote-tracking branch 'upstream/release-v1.59'

2025-07-26 11:15:24 -04:00 · 2022-05-10 14:51:50 +03:00 · 2022-05-10 14:51:50 +03:00 · 67a9abc368
commit 67a9abc368
parent 681895790e efcd899f69
180 changed files with 3955 additions and 1330 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -187,7 +187,7 @@ class Auth:
        Once get_user_by_req has set up the opentracing span, this does the actual work.
        """
        try:
-            ip_addr = request.getClientIP()
+            ip_addr = request.getClientAddress().host
            user_agent = get_request_user_agent(request)

            access_token = self.get_access_token_from_request(request)
@ -357,7 +357,7 @@ class Auth:
            return None, None, None

        if app_service.ip_range_whitelist:
-            ip_address = IPAddress(request.getClientIP())
+            ip_address = IPAddress(request.getClientAddress().host)
            if ip_address not in app_service.ip_range_whitelist:
                return None, None, None

@ -418,7 +418,8 @@ class Auth:
        """

        if rights == "access":
-            # first look in the database
+            # First look in the database to see if the access token is present
+            # as an opaque token.
            r = await self.store.get_user_by_access_token(token)
            if r:
                valid_until_ms = r.valid_until_ms
@ -435,7 +436,8 @@ class Auth:

                return r

-        # otherwise it needs to be a valid macaroon
+        # If the token isn't found in the database, then it could still be a
+        # macaroon, so we check that here.
        try:
            user_id, guest = self._parse_and_validate_macaroon(token, rights)

@ -483,8 +485,12 @@ class Auth:
            TypeError,
            ValueError,
        ) as e:
-            logger.warning("Invalid macaroon in auth: %s %s", type(e), e)
-            raise InvalidClientTokenError("Invalid macaroon passed.")
+            logger.warning(
+                "Invalid access token in auth: %s %s.",
+                type(e),
+                e,
+            )
+            raise InvalidClientTokenError("Invalid access token passed.")

    def _parse_and_validate_macaroon(
        self, token: str, rights: str = "access"
@ -505,10 +511,7 @@ class Auth:
        try:
            macaroon = pymacaroons.Macaroon.deserialize(token)
        except Exception:  # deserialize can throw more-or-less anything
-            # doesn't look like a macaroon: treat it as an opaque token which
-            # must be in the database.
-            # TODO: it would be nice to get rid of this, but apparently some
-            # people use access tokens which aren't macaroons
+            # The access token doesn't look like a macaroon.
            raise _InvalidMacaroonException()

        try: