/login: Respond with a 403 when we get an invalid m.login.token

This commit is contained in:
Richard van der Hoff 2016-08-09 16:29:28 +01:00
parent cd41c6ece2
commit 79ebfbe7c6


@ -719,14 +719,14 @@ class AuthHandler(BaseHandler):
return macaroon.serialize() return macaroon.serialize()
def validate_short_term_login_token_and_get_user_id(self, login_token): def validate_short_term_login_token_and_get_user_id(self, login_token):
try:
auth_api = self.hs.get_auth() auth_api = self.hs.get_auth()
try:
macaroon = pymacaroons.Macaroon.deserialize(login_token) macaroon = pymacaroons.Macaroon.deserialize(login_token)
user_id = auth_api.get_user_id_from_macaroon(macaroon) user_id = auth_api.get_user_id_from_macaroon(macaroon)
auth_api.validate_macaroon(macaroon, "login", True, user_id) auth_api.validate_macaroon(macaroon, "login", True, user_id)
return user_id return user_id
except (pymacaroons.exceptions.MacaroonException, TypeError, ValueError): except Exception:
raise AuthError(401, "Invalid token", errcode=Codes.UNKNOWN_TOKEN) raise AuthError(403, "Invalid token", errcode=Codes.FORBIDDEN)
def _generate_base_macaroon(self, user_id): def _generate_base_macaroon(self, user_id):
macaroon = pymacaroons.Macaroon( macaroon = pymacaroons.Macaroon(
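Review bot: The `except Exception:` in the new `except` clause of `validate_short_term_login_token_and_get_user_id` collapses every failure inside the `try` — a bug in `get_user_id_from_macaroon` or `validate_macaroon` just as much as a malformed client token — into the same 403 "Invalid token", and discards the original exception, so an operator cannot tell a broken deployment from repeated bad tokens against the login endpoint. Returning a generic 403 to the client is reasonable, but the cause should still be recorded server-side before it is re-raised, e.g. `except Exception as e:` / `logger.warning("Rejecting short-term login token: %s", e)` / `raise AuthError(403, "Invalid token", errcode=Codes.FORBIDDEN)`, assuming the module already has a `logger` (it is not visible in this hunk). If the broad catch is intentional, a one-line comment saying that any failure is deliberately reported as 403 would keep the next reader from narrowing it back. The page has lost the +/- markers, so I am reading the right-hand text as the new side; the enclosing class continues outside the hunk.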