Stabilise support for MSC2918 refresh tokens as they have now been merged into the Matrix specification. (#11435)
This commit is contained in:
parent
a15a893df8
commit
2f053f3f82
|
@ -0,0 +1 @@
|
||||||
|
Stabilise support for [MSC2918](https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#msc2918-refresh-tokens) refresh tokens as they have now been merged into the Matrix specification.
|
|
@ -1209,6 +1209,44 @@ oembed:
|
||||||
#
|
#
|
||||||
#session_lifetime: 24h
|
#session_lifetime: 24h
|
||||||
|
|
||||||
|
# Time that an access token remains valid for, if the session is
|
||||||
|
# using refresh tokens.
|
||||||
|
# For more information about refresh tokens, please see the manual.
|
||||||
|
# Note that this only applies to clients which advertise support for
|
||||||
|
# refresh tokens.
|
||||||
|
#
|
||||||
|
# Note also that this is calculated at login time and refresh time:
|
||||||
|
# changes are not applied to existing sessions until they are refreshed.
|
||||||
|
#
|
||||||
|
# By default, this is 5 minutes.
|
||||||
|
#
|
||||||
|
#refreshable_access_token_lifetime: 5m
|
||||||
|
|
||||||
|
# Time that a refresh token remains valid for (provided that it is not
|
||||||
|
# exchanged for another one first).
|
||||||
|
# This option can be used to automatically log-out inactive sessions.
|
||||||
|
# Please see the manual for more information.
|
||||||
|
#
|
||||||
|
# Note also that this is calculated at login time and refresh time:
|
||||||
|
# changes are not applied to existing sessions until they are refreshed.
|
||||||
|
#
|
||||||
|
# By default, this is infinite.
|
||||||
|
#
|
||||||
|
#refresh_token_lifetime: 24h
|
||||||
|
|
||||||
|
# Time that an access token remains valid for, if the session is NOT
|
||||||
|
# using refresh tokens.
|
||||||
|
# Please note that not all clients support refresh tokens, so setting
|
||||||
|
# this to a short value may be inconvenient for some users who will
|
||||||
|
# then be logged out frequently.
|
||||||
|
#
|
||||||
|
# Note also that this is calculated at login time: changes are not applied
|
||||||
|
# retrospectively to existing sessions for users that have already logged in.
|
||||||
|
#
|
||||||
|
# By default, this is infinite.
|
||||||
|
#
|
||||||
|
#nonrefreshable_access_token_lifetime: 24h
|
||||||
|
|
||||||
# The user must provide all of the below types of 3PID when registering.
|
# The user must provide all of the below types of 3PID when registering.
|
||||||
#
|
#
|
||||||
#registrations_require_3pid:
|
#registrations_require_3pid:
|
||||||
|
|
|
@ -220,6 +220,44 @@ class RegistrationConfig(Config):
|
||||||
#
|
#
|
||||||
#session_lifetime: 24h
|
#session_lifetime: 24h
|
||||||
|
|
||||||
|
# Time that an access token remains valid for, if the session is
|
||||||
|
# using refresh tokens.
|
||||||
|
# For more information about refresh tokens, please see the manual.
|
||||||
|
# Note that this only applies to clients which advertise support for
|
||||||
|
# refresh tokens.
|
||||||
|
#
|
||||||
|
# Note also that this is calculated at login time and refresh time:
|
||||||
|
# changes are not applied to existing sessions until they are refreshed.
|
||||||
|
#
|
||||||
|
# By default, this is 5 minutes.
|
||||||
|
#
|
||||||
|
#refreshable_access_token_lifetime: 5m
|
||||||
|
|
||||||
|
# Time that a refresh token remains valid for (provided that it is not
|
||||||
|
# exchanged for another one first).
|
||||||
|
# This option can be used to automatically log-out inactive sessions.
|
||||||
|
# Please see the manual for more information.
|
||||||
|
#
|
||||||
|
# Note also that this is calculated at login time and refresh time:
|
||||||
|
# changes are not applied to existing sessions until they are refreshed.
|
||||||
|
#
|
||||||
|
# By default, this is infinite.
|
||||||
|
#
|
||||||
|
#refresh_token_lifetime: 24h
|
||||||
|
|
||||||
|
# Time that an access token remains valid for, if the session is NOT
|
||||||
|
# using refresh tokens.
|
||||||
|
# Please note that not all clients support refresh tokens, so setting
|
||||||
|
# this to a short value may be inconvenient for some users who will
|
||||||
|
# then be logged out frequently.
|
||||||
|
#
|
||||||
|
# Note also that this is calculated at login time: changes are not applied
|
||||||
|
# retrospectively to existing sessions for users that have already logged in.
|
||||||
|
#
|
||||||
|
# By default, this is infinite.
|
||||||
|
#
|
||||||
|
#nonrefreshable_access_token_lifetime: 24h
|
||||||
|
|
||||||
# The user must provide all of the below types of 3PID when registering.
|
# The user must provide all of the below types of 3PID when registering.
|
||||||
#
|
#
|
||||||
#registrations_require_3pid:
|
#registrations_require_3pid:
|
||||||
|
|
|
@ -72,7 +72,7 @@ class LoginRestServlet(RestServlet):
|
||||||
JWT_TYPE_DEPRECATED = "m.login.jwt"
|
JWT_TYPE_DEPRECATED = "m.login.jwt"
|
||||||
APPSERVICE_TYPE = "m.login.application_service"
|
APPSERVICE_TYPE = "m.login.application_service"
|
||||||
APPSERVICE_TYPE_UNSTABLE = "uk.half-shot.msc2778.login.application_service"
|
APPSERVICE_TYPE_UNSTABLE = "uk.half-shot.msc2778.login.application_service"
|
||||||
REFRESH_TOKEN_PARAM = "org.matrix.msc2918.refresh_token"
|
REFRESH_TOKEN_PARAM = "refresh_token"
|
||||||
|
|
||||||
def __init__(self, hs: "HomeServer"):
|
def __init__(self, hs: "HomeServer"):
|
||||||
super().__init__()
|
super().__init__()
|
||||||
|
@ -90,7 +90,7 @@ class LoginRestServlet(RestServlet):
|
||||||
self.saml2_enabled = hs.config.saml2.saml2_enabled
|
self.saml2_enabled = hs.config.saml2.saml2_enabled
|
||||||
self.cas_enabled = hs.config.cas.cas_enabled
|
self.cas_enabled = hs.config.cas.cas_enabled
|
||||||
self.oidc_enabled = hs.config.oidc.oidc_enabled
|
self.oidc_enabled = hs.config.oidc.oidc_enabled
|
||||||
self._msc2918_enabled = (
|
self._refresh_tokens_enabled = (
|
||||||
hs.config.registration.refreshable_access_token_lifetime is not None
|
hs.config.registration.refreshable_access_token_lifetime is not None
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -163,17 +163,16 @@ class LoginRestServlet(RestServlet):
|
||||||
async def on_POST(self, request: SynapseRequest) -> Tuple[int, LoginResponse]:
|
async def on_POST(self, request: SynapseRequest) -> Tuple[int, LoginResponse]:
|
||||||
login_submission = parse_json_object_from_request(request)
|
login_submission = parse_json_object_from_request(request)
|
||||||
|
|
||||||
if self._msc2918_enabled:
|
# Check to see if the client requested a refresh token.
|
||||||
# Check if this login should also issue a refresh token, as per MSC2918
|
client_requested_refresh_token = login_submission.get(
|
||||||
should_issue_refresh_token = login_submission.get(
|
LoginRestServlet.REFRESH_TOKEN_PARAM, False
|
||||||
"org.matrix.msc2918.refresh_token", False
|
)
|
||||||
)
|
if not isinstance(client_requested_refresh_token, bool):
|
||||||
if not isinstance(should_issue_refresh_token, bool):
|
raise SynapseError(400, "`refresh_token` should be true or false.")
|
||||||
raise SynapseError(
|
|
||||||
400, "`org.matrix.msc2918.refresh_token` should be true or false."
|
should_issue_refresh_token = (
|
||||||
)
|
self._refresh_tokens_enabled and client_requested_refresh_token
|
||||||
else:
|
)
|
||||||
should_issue_refresh_token = False
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
if login_submission["type"] in (
|
if login_submission["type"] in (
|
||||||
|
@ -463,9 +462,7 @@ def _get_auth_flow_dict_for_idp(idp: SsoIdentityProvider) -> JsonDict:
|
||||||
|
|
||||||
|
|
||||||
class RefreshTokenServlet(RestServlet):
|
class RefreshTokenServlet(RestServlet):
|
||||||
PATTERNS = client_patterns(
|
PATTERNS = (re.compile("^/_matrix/client/v1/refresh$"),)
|
||||||
"/org.matrix.msc2918.refresh_token/refresh$", releases=(), unstable=True
|
|
||||||
)
|
|
||||||
|
|
||||||
def __init__(self, hs: "HomeServer"):
|
def __init__(self, hs: "HomeServer"):
|
||||||
self._auth_handler = hs.get_auth_handler()
|
self._auth_handler = hs.get_auth_handler()
|
||||||
|
|
|
@ -419,7 +419,7 @@ class RegisterRestServlet(RestServlet):
|
||||||
self.password_policy_handler = hs.get_password_policy_handler()
|
self.password_policy_handler = hs.get_password_policy_handler()
|
||||||
self.clock = hs.get_clock()
|
self.clock = hs.get_clock()
|
||||||
self._registration_enabled = self.hs.config.registration.enable_registration
|
self._registration_enabled = self.hs.config.registration.enable_registration
|
||||||
self._msc2918_enabled = (
|
self._refresh_tokens_enabled = (
|
||||||
hs.config.registration.refreshable_access_token_lifetime is not None
|
hs.config.registration.refreshable_access_token_lifetime is not None
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -445,18 +445,15 @@ class RegisterRestServlet(RestServlet):
|
||||||
f"Do not understand membership kind: {kind}",
|
f"Do not understand membership kind: {kind}",
|
||||||
)
|
)
|
||||||
|
|
||||||
if self._msc2918_enabled:
|
# Check if the clients wishes for this registration to issue a refresh
|
||||||
# Check if this registration should also issue a refresh token, as
|
# token.
|
||||||
# per MSC2918
|
client_requested_refresh_tokens = body.get("refresh_token", False)
|
||||||
should_issue_refresh_token = body.get(
|
if not isinstance(client_requested_refresh_tokens, bool):
|
||||||
"org.matrix.msc2918.refresh_token", False
|
raise SynapseError(400, "`refresh_token` should be true or false.")
|
||||||
)
|
|
||||||
if not isinstance(should_issue_refresh_token, bool):
|
should_issue_refresh_token = (
|
||||||
raise SynapseError(
|
self._refresh_tokens_enabled and client_requested_refresh_tokens
|
||||||
400, "`org.matrix.msc2918.refresh_token` should be true or false."
|
)
|
||||||
)
|
|
||||||
else:
|
|
||||||
should_issue_refresh_token = False
|
|
||||||
|
|
||||||
# Pull out the provided username and do basic sanity checks early since
|
# Pull out the provided username and do basic sanity checks early since
|
||||||
# the auth layer will store these in sessions.
|
# the auth layer will store these in sessions.
|
||||||
|
|
|
@ -520,7 +520,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
"""
|
"""
|
||||||
return self.make_request(
|
return self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
"/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
|
"/_matrix/client/v1/refresh",
|
||||||
{"refresh_token": refresh_token},
|
{"refresh_token": refresh_token},
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -557,7 +557,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
login_with_refresh = self.make_request(
|
login_with_refresh = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
"/_matrix/client/r0/login",
|
"/_matrix/client/r0/login",
|
||||||
{"org.matrix.msc2918.refresh_token": True, **body},
|
{"refresh_token": True, **body},
|
||||||
)
|
)
|
||||||
self.assertEqual(login_with_refresh.code, 200, login_with_refresh.result)
|
self.assertEqual(login_with_refresh.code, 200, login_with_refresh.result)
|
||||||
self.assertIn("refresh_token", login_with_refresh.json_body)
|
self.assertIn("refresh_token", login_with_refresh.json_body)
|
||||||
|
@ -588,7 +588,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
"username": "test3",
|
"username": "test3",
|
||||||
"password": self.user_pass,
|
"password": self.user_pass,
|
||||||
"auth": {"type": LoginType.DUMMY},
|
"auth": {"type": LoginType.DUMMY},
|
||||||
"org.matrix.msc2918.refresh_token": True,
|
"refresh_token": True,
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
self.assertEqual(register_with_refresh.code, 200, register_with_refresh.result)
|
self.assertEqual(register_with_refresh.code, 200, register_with_refresh.result)
|
||||||
|
@ -603,7 +603,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
"type": "m.login.password",
|
"type": "m.login.password",
|
||||||
"user": "test",
|
"user": "test",
|
||||||
"password": self.user_pass,
|
"password": self.user_pass,
|
||||||
"org.matrix.msc2918.refresh_token": True,
|
"refresh_token": True,
|
||||||
}
|
}
|
||||||
login_response = self.make_request(
|
login_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
|
@ -614,7 +614,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
|
|
||||||
refresh_response = self.make_request(
|
refresh_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
"/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
|
"/_matrix/client/v1/refresh",
|
||||||
{"refresh_token": login_response.json_body["refresh_token"]},
|
{"refresh_token": login_response.json_body["refresh_token"]},
|
||||||
)
|
)
|
||||||
self.assertEqual(refresh_response.code, 200, refresh_response.result)
|
self.assertEqual(refresh_response.code, 200, refresh_response.result)
|
||||||
|
@ -641,7 +641,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
"type": "m.login.password",
|
"type": "m.login.password",
|
||||||
"user": "test",
|
"user": "test",
|
||||||
"password": self.user_pass,
|
"password": self.user_pass,
|
||||||
"org.matrix.msc2918.refresh_token": True,
|
"refresh_token": True,
|
||||||
}
|
}
|
||||||
login_response = self.make_request(
|
login_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
|
@ -655,7 +655,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
|
|
||||||
refresh_response = self.make_request(
|
refresh_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
"/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
|
"/_matrix/client/v1/refresh",
|
||||||
{"refresh_token": login_response.json_body["refresh_token"]},
|
{"refresh_token": login_response.json_body["refresh_token"]},
|
||||||
)
|
)
|
||||||
self.assertEqual(refresh_response.code, 200, refresh_response.result)
|
self.assertEqual(refresh_response.code, 200, refresh_response.result)
|
||||||
|
@ -761,7 +761,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
"type": "m.login.password",
|
"type": "m.login.password",
|
||||||
"user": "test",
|
"user": "test",
|
||||||
"password": self.user_pass,
|
"password": self.user_pass,
|
||||||
"org.matrix.msc2918.refresh_token": True,
|
"refresh_token": True,
|
||||||
}
|
}
|
||||||
login_response = self.make_request(
|
login_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
|
@ -811,7 +811,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
"type": "m.login.password",
|
"type": "m.login.password",
|
||||||
"user": "test",
|
"user": "test",
|
||||||
"password": self.user_pass,
|
"password": self.user_pass,
|
||||||
"org.matrix.msc2918.refresh_token": True,
|
"refresh_token": True,
|
||||||
}
|
}
|
||||||
login_response = self.make_request(
|
login_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
|
@ -868,7 +868,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
"type": "m.login.password",
|
"type": "m.login.password",
|
||||||
"user": "test",
|
"user": "test",
|
||||||
"password": self.user_pass,
|
"password": self.user_pass,
|
||||||
"org.matrix.msc2918.refresh_token": True,
|
"refresh_token": True,
|
||||||
}
|
}
|
||||||
login_response = self.make_request(
|
login_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
|
@ -880,7 +880,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
# This first refresh should work properly
|
# This first refresh should work properly
|
||||||
first_refresh_response = self.make_request(
|
first_refresh_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
"/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
|
"/_matrix/client/v1/refresh",
|
||||||
{"refresh_token": login_response.json_body["refresh_token"]},
|
{"refresh_token": login_response.json_body["refresh_token"]},
|
||||||
)
|
)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
|
@ -890,7 +890,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
# This one as well, since the token in the first one was never used
|
# This one as well, since the token in the first one was never used
|
||||||
second_refresh_response = self.make_request(
|
second_refresh_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
"/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
|
"/_matrix/client/v1/refresh",
|
||||||
{"refresh_token": login_response.json_body["refresh_token"]},
|
{"refresh_token": login_response.json_body["refresh_token"]},
|
||||||
)
|
)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
|
@ -900,7 +900,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
# This one should not, since the token from the first refresh is not valid anymore
|
# This one should not, since the token from the first refresh is not valid anymore
|
||||||
third_refresh_response = self.make_request(
|
third_refresh_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
"/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
|
"/_matrix/client/v1/refresh",
|
||||||
{"refresh_token": first_refresh_response.json_body["refresh_token"]},
|
{"refresh_token": first_refresh_response.json_body["refresh_token"]},
|
||||||
)
|
)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
|
@ -928,7 +928,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
# Now that the access token from the last valid refresh was used once, refreshing with the N-1 token should fail
|
# Now that the access token from the last valid refresh was used once, refreshing with the N-1 token should fail
|
||||||
fourth_refresh_response = self.make_request(
|
fourth_refresh_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
"/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
|
"/_matrix/client/v1/refresh",
|
||||||
{"refresh_token": login_response.json_body["refresh_token"]},
|
{"refresh_token": login_response.json_body["refresh_token"]},
|
||||||
)
|
)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
|
@ -938,7 +938,7 @@ class RefreshAuthTests(unittest.HomeserverTestCase):
|
||||||
# But refreshing from the last valid refresh token still works
|
# But refreshing from the last valid refresh token still works
|
||||||
fifth_refresh_response = self.make_request(
|
fifth_refresh_response = self.make_request(
|
||||||
"POST",
|
"POST",
|
||||||
"/_matrix/client/unstable/org.matrix.msc2918.refresh_token/refresh",
|
"/_matrix/client/v1/refresh",
|
||||||
{"refresh_token": second_refresh_response.json_body["refresh_token"]},
|
{"refresh_token": second_refresh_response.json_body["refresh_token"]},
|
||||||
)
|
)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
|
|
Loading…
Reference in New Issue