def do_password_login(self, login_submission): if 'medium' in login_submission and 'address' in login_submission: user_id = yield self.hs.get_datastore().get_user_id_by_threepid( login_submission['medium'], login_submission['address'] ) if not user_id: raise LoginError(403, "", errcode=Codes.FORBIDDEN) else: user_id = login_submission['user'] if not user_id.startswith('@'): user_id = UserID.create( user_id, self.hs.hostname ).to_string() auth_handler = self.handlers.auth_handler user_id, access_token, refresh_token = yield auth_handler.login_with_password( user_id=user_id, password=login_submission["password"]) result = { "user_id": user_id, # may have changed "access_token": access_token, "refresh_token": refresh_token, "home_server": self.hs.hostname, } defer.returnValue((200, result))
def handle_cas_response(self, request, cas_response_body, client_redirect_url): user, attributes = self.parse_cas_response(cas_response_body) for required_attribute, required_value in self.cas_required_attributes.items(): # If required attribute was not in CAS Response - Forbidden if required_attribute not in attributes: raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED) # Also need to check value if required_value is not None: actual_value = attributes[required_attribute] # If required attribute value does not match expected - Forbidden if required_value != actual_value: raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED) user_id = UserID.create(user, self.hs.hostname).to_string() auth_handler = self.handlers.auth_handler user_exists = yield auth_handler.does_user_exist(user_id) if not user_exists: user_id, _ = ( yield self.handlers.registration_handler.register(localpart=user) ) login_token = auth_handler.generate_short_term_login_token(user_id) redirect_url = self.add_login_token_to_redirect_url(client_redirect_url, login_token) request.redirect(redirect_url) request.finish()
def handle_cas_response(self, request, cas_response_body, client_redirect_url): user, attributes = self.parse_cas_response(cas_response_body) for required_attribute, required_value in self.cas_required_attributes.items( ): # If required attribute was not in CAS Response - Forbidden if required_attribute not in attributes: raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED) # Also need to check value if required_value is not None: actual_value = attributes[required_attribute] # If required attribute value does not match expected - Forbidden if required_value != actual_value: raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED) user_id = UserID.create(user, self.hs.hostname).to_string() auth_handler = self.auth_handler registered_user_id = yield auth_handler.check_user_exists(user_id) if not registered_user_id: registered_user_id, _ = ( yield self.handlers.registration_handler.register(localpart=user)) login_token = auth_handler.generate_short_term_login_token( registered_user_id) redirect_url = self.add_login_token_to_redirect_url( client_redirect_url, login_token) request.redirect(redirect_url) finish_request(request)
def do_password_login(self, login_submission): if 'medium' in login_submission and 'address' in login_submission: user_id = yield self.hs.get_datastore().get_user_id_by_threepid( login_submission['medium'], login_submission['address']) if not user_id: raise LoginError(403, "", errcode=Codes.FORBIDDEN) else: user_id = login_submission['user'] if not user_id.startswith('@'): user_id = UserID.create(user_id, self.hs.hostname).to_string() auth_handler = self.auth_handler user_id = yield auth_handler.validate_password_login( user_id=user_id, password=login_submission["password"], ) device_id = yield self._register_device(user_id, login_submission) access_token, refresh_token = ( yield auth_handler.get_login_tuple_for_user_id( user_id, device_id, login_submission.get("initial_device_display_name"))) result = { "user_id": user_id, # may have changed "access_token": access_token, "refresh_token": refresh_token, "home_server": self.hs.hostname, "device_id": device_id, } defer.returnValue((200, result))
def _check_password_auth(self, authdict, _): if "user" not in authdict or "password" not in authdict: raise LoginError(400, "", Codes.MISSING_PARAM) user_id = authdict["user"] password = authdict["password"] if not user_id.startswith('@'): user_id = UserID.create(user_id, self.hs.hostname).to_string() return self._check_password(user_id, password)
def do_jwt_login(self, login_submission): token = login_submission.get("token", None) if token is None: raise LoginError( 401, "Token field for JWT is missing", errcode=Codes.UNAUTHORIZED ) import jwt from jwt.exceptions import InvalidTokenError try: payload = jwt.decode(token, self.jwt_secret, algorithms=[self.jwt_algorithm]) except jwt.ExpiredSignatureError: raise LoginError(401, "JWT expired", errcode=Codes.UNAUTHORIZED) except InvalidTokenError: raise LoginError(401, "Invalid JWT", errcode=Codes.UNAUTHORIZED) user = payload.get("sub", None) if user is None: raise LoginError(401, "Invalid JWT", errcode=Codes.UNAUTHORIZED) user_id = UserID.create(user, self.hs.hostname).to_string() auth_handler = self.auth_handler registered_user_id = yield auth_handler.check_user_exists(user_id) if registered_user_id: device_id = yield self._register_device( registered_user_id, login_submission ) access_token, refresh_token = ( yield auth_handler.get_login_tuple_for_user_id( registered_user_id, device_id, login_submission.get("initial_device_display_name") ) ) result = { "user_id": registered_user_id, "access_token": access_token, "refresh_token": refresh_token, "home_server": self.hs.hostname, } else: # TODO: we should probably check that the register isn't going # to fonx/change our user_id before registering the device device_id = yield self._register_device(user_id, login_submission) user_id, access_token = ( yield self.handlers.registration_handler.register(localpart=user) ) result = { "user_id": user_id, # may have changed "access_token": access_token, "home_server": self.hs.hostname, } defer.returnValue((200, result))
def _check_password_auth(self, authdict, _): if "user" not in authdict or "password" not in authdict: raise LoginError(400, "", Codes.MISSING_PARAM) user_id = authdict["user"] password = authdict["password"] if not user_id.startswith('@'): user_id = UserID.create(user_id, self.hs.hostname).to_string() user_id, password_hash = yield self._find_user_id_and_pwd_hash(user_id) self._check_password(user_id, password, password_hash) defer.returnValue(user_id)
def _check_password_auth(self, authdict, _): if "user" not in authdict or "password" not in authdict: raise LoginError(400, "", Codes.MISSING_PARAM) user_id = authdict["user"] password = authdict["password"] if not user_id.startswith('@'): user_id = UserID.create(user_id, self.hs.hostname).to_string() if not (yield self._check_password(user_id, password)): logger.warn("Failed password login for user %s", user_id) raise LoginError(403, "", errcode=Codes.FORBIDDEN) defer.returnValue(user_id)
def do_password_login(self, login_submission): if not login_submission["user"].startswith('@'): login_submission["user"] = UserID.create( login_submission["user"], self.hs.hostname).to_string() handler = self.handlers.login_handler token = yield handler.login(user=login_submission["user"], password=login_submission["password"]) result = { "user_id": login_submission["user"], # may have changed "access_token": token, "home_server": self.hs.hostname, } defer.returnValue((200, result))
def do_jwt_login(self, login_submission): token = login_submission.get("token", None) if token is None: raise LoginError(401, "Token field for JWT is missing", errcode=Codes.UNAUTHORIZED) import jwt from jwt.exceptions import InvalidTokenError try: payload = jwt.decode(token, self.jwt_secret, algorithms=[self.jwt_algorithm]) except jwt.ExpiredSignatureError: raise LoginError(401, "JWT expired", errcode=Codes.UNAUTHORIZED) except InvalidTokenError: raise LoginError(401, "Invalid JWT", errcode=Codes.UNAUTHORIZED) user = payload.get("sub", None) if user is None: raise LoginError(401, "Invalid JWT", errcode=Codes.UNAUTHORIZED) user_id = UserID.create(user, self.hs.hostname).to_string() auth_handler = self.auth_handler user_exists = yield auth_handler.does_user_exist(user_id) if user_exists: user_id, access_token, refresh_token = ( yield auth_handler.get_login_tuple_for_user_id(user_id)) result = { "user_id": user_id, # may have changed "access_token": access_token, "refresh_token": refresh_token, "home_server": self.hs.hostname, } else: user_id, access_token = ( yield self.handlers.registration_handler.register(localpart=user)) result = { "user_id": user_id, # may have changed "access_token": access_token, "home_server": self.hs.hostname, } defer.returnValue((200, result))
def do_password_login(self, login_submission): if not login_submission["user"].startswith('@'): login_submission["user"] = UserID.create( login_submission["user"], self.hs.hostname).to_string() handler = self.handlers.login_handler token = yield handler.login( user=login_submission["user"], password=login_submission["password"]) result = { "user_id": login_submission["user"], # may have changed "access_token": token, "home_server": self.hs.hostname, } defer.returnValue((200, result))
def do_jwt_login(self, login_submission): token = login_submission.get("token", None) if token is None: raise LoginError( 401, "Token field for JWT is missing", errcode=Codes.UNAUTHORIZED ) import jwt from jwt.exceptions import InvalidTokenError try: payload = jwt.decode(token, self.jwt_secret, algorithms=[self.jwt_algorithm]) except jwt.ExpiredSignatureError: raise LoginError(401, "JWT expired", errcode=Codes.UNAUTHORIZED) except InvalidTokenError: raise LoginError(401, "Invalid JWT", errcode=Codes.UNAUTHORIZED) user = payload.get("sub", None) if user is None: raise LoginError(401, "Invalid JWT", errcode=Codes.UNAUTHORIZED) user_id = UserID.create(user, self.hs.hostname).to_string() auth_handler = self.auth_handler user_exists = yield auth_handler.does_user_exist(user_id) if user_exists: user_id, access_token, refresh_token = ( yield auth_handler.get_login_tuple_for_user_id(user_id) ) result = { "user_id": user_id, # may have changed "access_token": access_token, "refresh_token": refresh_token, "home_server": self.hs.hostname, } else: user_id, access_token = ( yield self.handlers.registration_handler.register(localpart=user) ) result = { "user_id": user_id, # may have changed "access_token": access_token, "home_server": self.hs.hostname, } defer.returnValue((200, result))
def do_cas_login(self, cas_response_body): user, attributes = self.parse_cas_response(cas_response_body) for required_attribute, required_value in self.cas_required_attributes.items( ): # If required attribute was not in CAS Response - Forbidden if required_attribute not in attributes: raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED) # Also need to check value if required_value is not None: actual_value = attributes[required_attribute] # If required attribute value does not match expected - Forbidden if required_value != actual_value: raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED) user_id = UserID.create(user, self.hs.hostname).to_string() auth_handler = self.handlers.auth_handler user_exists = yield auth_handler.does_user_exist(user_id) if user_exists: user_id, access_token, refresh_token = ( yield auth_handler.get_login_tuple_for_user_id(user_id)) result = { "user_id": user_id, # may have changed "access_token": access_token, "refresh_token": refresh_token, "home_server": self.hs.hostname, } else: user_id, access_token = ( yield self.handlers.registration_handler.register(localpart=user)) result = { "user_id": user_id, # may have changed "access_token": access_token, "home_server": self.hs.hostname, } defer.returnValue((200, result))
def do_cas_login(self, cas_response_body): user, attributes = self.parse_cas_response(cas_response_body) for required_attribute, required_value in self.cas_required_attributes.items(): # If required attribute was not in CAS Response - Forbidden if required_attribute not in attributes: raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED) # Also need to check value if required_value is not None: actual_value = attributes[required_attribute] # If required attribute value does not match expected - Forbidden if required_value != actual_value: raise LoginError(401, "Unauthorized", errcode=Codes.UNAUTHORIZED) user_id = UserID.create(user, self.hs.hostname).to_string() auth_handler = self.auth_handler registered_user_id = yield auth_handler.check_user_exists(user_id) if registered_user_id: access_token, refresh_token = ( yield auth_handler.get_login_tuple_for_user_id( registered_user_id ) ) result = { "user_id": registered_user_id, # may have changed "access_token": access_token, "refresh_token": refresh_token, "home_server": self.hs.hostname, } else: user_id, access_token = ( yield self.handlers.registration_handler.register(localpart=user) ) result = { "user_id": user_id, # may have changed "access_token": access_token, "home_server": self.hs.hostname, } defer.returnValue((200, result))
def _check_password_auth(self, authdict, _): if "user" not in authdict or "password" not in authdict: raise LoginError(400, "", Codes.MISSING_PARAM) user = authdict["user"] password = authdict["password"] if not user.startswith('@'): user = UserID.create(user, self.hs.hostname).to_string() user_info = yield self.store.get_user_by_id(user_id=user) if not user_info: logger.warn("Attempted to login as %s but they do not exist", user) raise LoginError(401, "", errcode=Codes.UNAUTHORIZED) stored_hash = user_info["password_hash"] if bcrypt.checkpw(password, stored_hash): defer.returnValue(user) else: logger.warn("Failed password login for user %s", user) raise LoginError(401, "", errcode=Codes.UNAUTHORIZED)
def do_password_login(self, login_submission): if 'medium' in login_submission and 'address' in login_submission: address = login_submission['address'] if login_submission['medium'] == 'email': # For emails, transform the address to lowercase. # We store all email addreses as lowercase in the DB. # (See add_threepid in synapse/handlers/auth.py) address = address.lower() user_id = yield self.hs.get_datastore().get_user_id_by_threepid( login_submission['medium'], address) if not user_id: raise LoginError(403, "", errcode=Codes.FORBIDDEN) else: user_id = login_submission['user'] if not user_id.startswith('@'): user_id = UserID.create(user_id, self.hs.hostname).to_string() auth_handler = self.auth_handler user_id = yield auth_handler.validate_password_login( user_id=user_id, password=login_submission["password"], ) device_id = yield self._register_device(user_id, login_submission) access_token = yield auth_handler.get_access_token_for_user_id( user_id, device_id, login_submission.get("initial_device_display_name"), ) result = { "user_id": user_id, # may have changed "access_token": access_token, "home_server": self.hs.hostname, "device_id": device_id, } defer.returnValue((200, result))
def do_password_login(self, login_submission): if 'medium' in login_submission and 'address' in login_submission: user_id = yield self.hs.get_datastore().get_user_id_by_threepid( login_submission['medium'], login_submission['address'] ) if not user_id: raise LoginError(403, "", errcode=Codes.FORBIDDEN) else: user_id = login_submission['user'] if not user_id.startswith('@'): user_id = UserID.create( user_id, self.hs.hostname ).to_string() auth_handler = self.auth_handler user_id = yield auth_handler.validate_password_login( user_id=user_id, password=login_submission["password"], ) device_id = yield self._register_device(user_id, login_submission) access_token, refresh_token = ( yield auth_handler.get_login_tuple_for_user_id( user_id, device_id, login_submission.get("initial_device_display_name") ) ) result = { "user_id": user_id, # may have changed "access_token": access_token, "refresh_token": refresh_token, "home_server": self.hs.hostname, "device_id": device_id, } defer.returnValue((200, result))
def do_password_login(self, login_submission): if "password" not in login_submission: raise SynapseError(400, "Missing parameter: password") login_submission_legacy_convert(login_submission) if "identifier" not in login_submission: raise SynapseError(400, "Missing param: identifier") identifier = login_submission["identifier"] if "type" not in identifier: raise SynapseError(400, "Login identifier has no type") # convert phone type identifiers to generic threepids if identifier["type"] == "m.id.phone": identifier = login_id_thirdparty_from_phone(identifier) # convert threepid identifiers to user IDs if identifier["type"] == "m.id.thirdparty": if 'medium' not in identifier or 'address' not in identifier: raise SynapseError(400, "Invalid thirdparty identifier") address = identifier['address'] if identifier['medium'] == 'email': # For emails, transform the address to lowercase. # We store all email addreses as lowercase in the DB. # (See add_threepid in synapse/handlers/auth.py) address = address.lower() user_id = yield self.hs.get_datastore().get_user_id_by_threepid( identifier['medium'], address) if not user_id: raise LoginError(403, "", errcode=Codes.FORBIDDEN) identifier = { "type": "m.id.user", "user": user_id, } # by this point, the identifier should be an m.id.user: if it's anything # else, we haven't understood it. if identifier["type"] != "m.id.user": raise SynapseError(400, "Unknown login identifier type") if "user" not in identifier: raise SynapseError(400, "User identifier is missing 'user' key") user_id = identifier["user"] if not user_id.startswith('@'): user_id = UserID.create(user_id, self.hs.hostname).to_string() auth_handler = self.auth_handler user_id = yield auth_handler.validate_password_login( user_id=user_id, password=login_submission["password"], ) device_id = yield self._register_device(user_id, login_submission) access_token = yield auth_handler.get_access_token_for_user_id( user_id, device_id, login_submission.get("initial_device_display_name"), ) result = { "user_id": user_id, # may have changed "access_token": access_token, "home_server": self.hs.hostname, "device_id": device_id, } defer.returnValue((200, result))