Only assert valid next_link params when provided (#8417)

Broken in https://github.com/matrix-org/synapse/pull/8275 and has yet to be put in a release. Fixes https://github.com/matrix-org/synapse/issues/8418. `next_link` is an optional parameter. However, we were checking whether the `next_link` param was valid, even if it wasn't provided. In that case, `next_link` was `None`, which would clearly not be a valid URL. This would prevent password reset and other operations if `next_link` was not provided, and the `next_link_domain_whitelist` config option was set.
2020-09-29 12:36:44 +01:00 · 2020-09-29 12:36:44 +01:00 · 1c6b8752b8
parent 866c84da8d
commit 1c6b8752b8
3 changed files with 16 additions and 6 deletions
--- a/changelog.d/8417.feature
+++ b/changelog.d/8417.feature
@ -0,0 +1 @@
+Add a config option to specify a whitelist of domains that a user can be redirected to after validating their email or phone number.
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@ -103,8 +103,9 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
                Codes.THREEPID_DENIED,
            )

-        # Raise if the provided next_link value isn't valid
-        assert_valid_next_link(self.hs, next_link)
+        if next_link:
+            # Raise if the provided next_link value isn't valid
+            assert_valid_next_link(self.hs, next_link)

        # The email will be sent to the stored address.
        # This avoids a potential account hijack by requesting a password reset to
@ -379,8 +380,9 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
                Codes.THREEPID_DENIED,
            )

-        # Raise if the provided next_link value isn't valid
-        assert_valid_next_link(self.hs, next_link)
+        if next_link:
+            # Raise if the provided next_link value isn't valid
+            assert_valid_next_link(self.hs, next_link)

        existing_user_id = await self.store.get_user_id_by_threepid("email", email)

@ -453,8 +455,9 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet):
                Codes.THREEPID_DENIED,
            )

-        # Raise if the provided next_link value isn't valid
-        assert_valid_next_link(self.hs, next_link)
+        if next_link:
+            # Raise if the provided next_link value isn't valid
+            assert_valid_next_link(self.hs, next_link)

        existing_user_id = await self.store.get_user_id_by_threepid("msisdn", msisdn)

--- a/tests/rest/client/v2_alpha/test_account.py
+++ b/tests/rest/client/v2_alpha/test_account.py
@ -732,6 +732,12 @@ class ThreepidEmailRestTestCase(unittest.HomeserverTestCase):
    @override_config({"next_link_domain_whitelist": ["example.com", "example.org"]})
    def test_next_link_domain_whitelist(self):
        """Tests next_link parameters must fit the whitelist if provided"""
+
+        # Ensure not providing a next_link parameter still works
+        self._request_token(
+            "something@example.com", "some_secret", next_link=None, expect_code=200,
+        )
+
        self._request_token(
            "something@example.com",
            "some_secret",
				`@ -0,0 +1 @@`
				`Add a config option to specify a whitelist of domains that a user can be redirected to after validating their email or phone number.`