Add User-Interactive Auth to /account/3pid/add (#6119)

2019-11-29 13:51:14 +00:00 · 2019-11-29 13:51:14 +00:00 · 23ea572125
parent 1c3a61529f
commit 23ea572125
2 changed files with 6 additions and 0 deletions
--- a/changelog.d/6119.feature
+++ b/changelog.d/6119.feature
@ -0,0 +1 @@
+Require User-Interactive Authentication for `/account/3pid/add`, meaning the user's password will be required to add a third-party ID to their account.
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@ -642,6 +642,7 @@ class ThreepidAddRestServlet(RestServlet):
        self.auth = hs.get_auth()
        self.auth_handler = hs.get_auth_handler()

+    @interactive_auth_handler
    @defer.inlineCallbacks
    def on_POST(self, request):
        requester = yield self.auth.get_user_by_req(request)
@ -652,6 +653,10 @@ class ThreepidAddRestServlet(RestServlet):
        client_secret = body["client_secret"]
        sid = body["sid"]

+        yield self.auth_handler.validate_user_via_ui_auth(
+            requester, body, self.hs.get_ip_from_request(request)
+        )
+
        validation_session = yield self.identity_handler.validate_threepid_session(
            client_secret, sid
        )
				`@ -0,0 +1 @@`
				Require User-Interactive Authentication for `/account/3pid/add`, meaning the user's password will be required to add a third-party ID to their account.