def get_username_mapping_session_cookie_from_request(request: IRequest) -> str: """Extract the session ID from the cookie Raises a SynapseError if the cookie isn't found """ session_id = request.getCookie(USERNAME_MAPPING_SESSION_COOKIE_NAME) if not session_id: raise SynapseError(code=400, msg="missing session_id") return session_id.decode("ascii", errors="replace")
def procureSession(self, request: IRequest, forceInsecure: bool = False) -> Any: alreadyProcured = request.getComponent(ISession) if alreadyProcured is not None: if not forceInsecure or not request.isSecure(): returnValue(alreadyProcured) if request.isSecure(): if forceInsecure: tokenHeader = self._insecureTokenHeader cookieName: Union[str, bytes] = self._insecureCookie sentSecurely = False else: tokenHeader = self._secureTokenHeader cookieName = self._secureCookie sentSecurely = True else: # Have we inadvertently disclosed a secure token over an insecure # transport, for example, due to a buggy client? allPossibleSentTokens: Sequence[str] = sum( [ request.requestHeaders.getRawHeaders(header, []) for header in [ self._secureTokenHeader, self._insecureTokenHeader, ] ], [], ) + [ it for it in [ request.getCookie(cookie) for cookie in [self._secureCookie, self._insecureCookie] ] if it ] # Does it seem like this check is expensive? It sure is! Don't want # to do it? Turn on your dang HTTPS! yield self._store.sentInsecurely(allPossibleSentTokens) tokenHeader = self._insecureTokenHeader cookieName = self._insecureCookie sentSecurely = False # Fun future feature: honeypot that does this over HTTPS, but sets # isSecure() to return false because it serves up a cert for the # wrong hostname or an invalid cert, to keep API clients honest # about chain validation. sentHeader = (request.getHeader(tokenHeader) or b"").decode("utf-8") sentCookie = (request.getCookie(cookieName) or b"").decode("utf-8") if sentHeader: mechanism = SessionMechanism.Header else: mechanism = SessionMechanism.Cookie if not (sentHeader or sentCookie): session = None else: try: session = yield self._store.loadSession( sentHeader or sentCookie, sentSecurely, mechanism) except NoSuchSession: if mechanism == SessionMechanism.Header: raise session = None if mechanism == SessionMechanism.Cookie and ( session is None or session.identifier != sentCookie): if session is None: if request.startedWriting: # At this point, if the mechanism is Header, we either have # a valid session or we bailed after NoSuchSession above. raise TooLateForCookies( "You tried initializing a cookie-based session too" " late in the request pipeline; the headers" " were already sent.") if request.method != b"GET": # Sessions should only ever be auto-created by GET # requests; there's no way that any meaningful data # manipulation could succeed (no CSRF token check could # ever succeed, for example). raise NoSuchSession( "Can't initialize a session on a " "{method} request.".format( method=request.method.decode("ascii"))) if not self._setCookieOnGET: # We don't have a session ID at all, and we're not allowed # by policy to set a cookie on the client. raise NoSuchSession( "Cannot auto-initialize a session for this request.") session = yield self._store.newSession(sentSecurely, mechanism) identifierInCookie = session.identifier if not isinstance(identifierInCookie, str): identifierInCookie = identifierInCookie.encode("ascii") if not isinstance(cookieName, str): cookieName = cookieName.decode("ascii") request.addCookie( cookieName, identifierInCookie, max_age=str(self._maxAge), domain=self._cookieDomain, path=self._cookiePath, secure=sentSecurely, httpOnly=True, ) if sentSecurely or not request.isSecure(): # Do not cache the insecure session on the secure request, thanks. request.setComponent(ISession, session) returnValue(session)