Enable login_via_existing_session by default

2023-06-05 14:42:31 +01:00 · 2023-06-05 14:42:31 +01:00 · 2eb74c6bdb
parent ca8906be2c
commit 2eb74c6bdb
3 changed files with 5 additions and 13 deletions
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@ -2598,14 +2598,11 @@ ui_auth:
 Matrix supports the ability of an existing session to mint a login token for
 another client.

-Synapse disables this by default as it has security ramifications -- a malicious
-client could use the mechanism to spawn more than one session.
-
 The duration of time the generated token is valid for can be configured with the
 `token_timeout` sub-option.

-User-interactive authentication is required when this is enabled unless the
-`require_ui_auth` sub-option is set to `False`.
+To protect against malicious clients abusing this capability, user-interactive authentication
+is required unless the `require_ui_auth` sub-option is set to `False`.

 Example configuration:
 ```yaml
--- a/synapse/config/auth.py
+++ b/synapse/config/auth.py
@ -63,7 +63,7 @@ class AuthConfig(Config):

        # Logging in with an existing session.
        login_via_existing = config.get("login_via_existing_session", {})
-        self.login_via_existing_enabled = login_via_existing.get("enabled", False)
+        self.login_via_existing_enabled = login_via_existing.get("enabled", True)
        self.login_via_existing_require_ui_auth = login_via_existing.get(
            "require_ui_auth", True
        )
--- a/tests/rest/client/test_login_token_request.py
+++ b/tests/rest/client/test_login_token_request.py
@ -46,6 +46,7 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
        self.user = "user123"
        self.password = "password"

+    @override_config({"login_via_existing_session": {"enabled": False}})
    def test_disabled(self) -> None:
        channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=None)
        self.assertEqual(channel.code, 404)
@ -56,12 +57,10 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
        channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=token)
        self.assertEqual(channel.code, 404)

-    @override_config({"login_via_existing_session": {"enabled": True}})
    def test_require_auth(self) -> None:
        channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=None)
        self.assertEqual(channel.code, 401)

-    @override_config({"login_via_existing_session": {"enabled": True}})
    def test_uia_on(self) -> None:
        user_id = self.register_user(self.user, self.password)
        token = self.login(self.user, self.password)
@ -95,9 +94,7 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
        self.assertEqual(channel.code, 200, channel.result)
        self.assertEqual(channel.json_body["user_id"], user_id)

-    @override_config(
-        {"login_via_existing_session": {"enabled": True, "require_ui_auth": False}}
-    )
+    @override_config({"login_via_existing_session": {"require_ui_auth": False}})
    def test_uia_off(self) -> None:
        user_id = self.register_user(self.user, self.password)
        token = self.login(self.user, self.password)
@ -119,7 +116,6 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
    @override_config(
        {
            "login_via_existing_session": {
-                "enabled": True,
                "require_ui_auth": False,
                "token_timeout": "15s",
            }
@ -136,7 +132,6 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
    @override_config(
        {
            "login_via_existing_session": {
-                "enabled": True,
                "require_ui_auth": False,
                "token_timeout": "15s",
            }