Merge branch 'jira/SYN-60' into develop

This commit is contained in:
Paul "LeoNerd" Evans 2014-09-23 16:15:54 +01:00
commit c0673c50e6
2 changed files with 44 additions and 6 deletions

View File

@ -24,6 +24,7 @@ class CaptchaConfig(Config):
self.captcha_ip_origin_is_x_forwarded = ( self.captcha_ip_origin_is_x_forwarded = (
args.captcha_ip_origin_is_x_forwarded args.captcha_ip_origin_is_x_forwarded
) )
self.captcha_bypass_secret = args.captcha_bypass_secret
@classmethod @classmethod
def add_arguments(cls, parser): def add_arguments(cls, parser):
@ -43,4 +44,8 @@ class CaptchaConfig(Config):
"--captcha_ip_origin_is_x_forwarded", type=bool, default=False, "--captcha_ip_origin_is_x_forwarded", type=bool, default=False,
help="When checking captchas, use the X-Forwarded-For (XFF) header" help="When checking captchas, use the X-Forwarded-For (XFF) header"
+ " as the client IP and not the actual client IP." + " as the client IP and not the actual client IP."
) )
group.add_argument(
"--captcha_bypass_secret", type=str,
help="A secret key used to bypass the captcha test entirely."
)

View File

@ -21,6 +21,8 @@ from synapse.api.constants import LoginType
from base import RestServlet, client_path_pattern from base import RestServlet, client_path_pattern
import synapse.util.stringutils as stringutils import synapse.util.stringutils as stringutils
from hashlib import sha1
import hmac
import json import json
import logging import logging
import urllib import urllib
@ -142,6 +144,38 @@ class RegisterRestServlet(RestServlet):
if not self.hs.config.enable_registration_captcha: if not self.hs.config.enable_registration_captcha:
raise SynapseError(400, "Captcha not required.") raise SynapseError(400, "Captcha not required.")
yield self._check_recaptcha(request, register_json, session)
session[LoginType.RECAPTCHA] = True # mark captcha as done
self._save_session(session)
defer.returnValue({
"next": [LoginType.PASSWORD, LoginType.EMAIL_IDENTITY]
})
@defer.inlineCallbacks
def _check_recaptcha(self, request, register_json, session):
if ("captcha_bypass_hmac" in register_json and
self.hs.config.captcha_bypass_secret):
if "user" not in register_json:
raise SynapseError(400, "Captcha bypass needs 'user'")
want = hmac.new(
key=self.hs.config.captcha_bypass_secret,
msg=register_json["user"],
digestmod=sha1,
).hexdigest()
# str() because otherwise hmac complains that 'unicode' does not
# have the buffer interface
got = str(register_json["captcha_bypass_hmac"])
if hmac.compare_digest(want, got):
session["user"] = register_json["user"]
defer.returnValue(None)
else:
raise SynapseError(400, "Captcha bypass HMAC incorrect",
errcode=Codes.CAPTCHA_NEEDED)
challenge = None challenge = None
user_response = None user_response = None
try: try:
@ -166,11 +200,6 @@ class RegisterRestServlet(RestServlet):
challenge, challenge,
user_response user_response
) )
session[LoginType.RECAPTCHA] = True # mark captcha as done
self._save_session(session)
defer.returnValue({
"next": [LoginType.PASSWORD, LoginType.EMAIL_IDENTITY]
})
@defer.inlineCallbacks @defer.inlineCallbacks
def _do_email_identity(self, request, register_json, session): def _do_email_identity(self, request, register_json, session):
@ -195,6 +224,10 @@ class RegisterRestServlet(RestServlet):
# captcha should've been done by this stage! # captcha should've been done by this stage!
raise SynapseError(400, "Captcha is required.") raise SynapseError(400, "Captcha is required.")
if ("user" in session and "user" in register_json and
session["user"] != register_json["user"]):
raise SynapseError(400, "Cannot change user ID during registration")
password = register_json["password"].encode("utf-8") password = register_json["password"].encode("utf-8")
desired_user_id = (register_json["user"].encode("utf-8") if "user" desired_user_id = (register_json["user"].encode("utf-8") if "user"
in register_json else None) in register_json else None)