Synapse 1.64.0rc2 (2022-07-29)
============================== This RC reintroduces support for `account_threepid_delegates.email`, which was removed in 1.64.0rc1. It remains deprecated and will be removed altogether in a future release. ([\#13406](https://github.com/matrix-org/synapse/issues/13406)) -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEv27Axt/F4vrTL/8QOSor00I9eP8FAmLj4a8ACgkQOSor00I9 eP8biQf/c8yY2mbeRZcBKtp6yoQCRYQvboSMEXyi+dLe1hNqdhSZwRQcAoFuAFwE WdScDvoTaElUxv0v6eCI1x9CoXnZ6xpDShvK39j5Yhzv+1tNsm5Uq9imyG3jK5i6 U/3Gt6CrCsS01VkGslQ3B5I6MFtbC6ZZK9O48yg+GD8Oqw2HH/gllr5swyVbKdbc GGhRBHvgXn+w6d/KnKt8uRxJqIpDt9JMga+WdB8CwFR5WnWbGdw24KsyxmBuOLC3 caQRiluJL/X4jApUpfsJMBBd/jrDod5wWDFO/4P+v0+2d3Ts+hKezZbt5h1VIYSw szZXbzxn5RNDkNiJDpOOOMYQ5DXGmA== =3/nK -----END PGP SIGNATURE----- Merge tag 'v1.64.0rc2' into develop Synapse 1.64.0rc2 (2022-07-29) ============================== This RC reintroduces support for `account_threepid_delegates.email`, which was removed in 1.64.0rc1. It remains deprecated and will be removed altogether in a future release. ([\#13406](https://github.com/matrix-org/synapse/issues/13406))
This commit is contained in:
commit
d548d8f18d
|
@ -1,7 +1,13 @@
|
||||||
|
Synapse 1.64.0rc2 (2022-07-29)
|
||||||
|
==============================
|
||||||
|
|
||||||
|
This RC reintroduces support for `account_threepid_delegates.email`, which was removed in 1.64.0rc1. It remains deprecated and will be removed altogether in a future release. ([\#13406](https://github.com/matrix-org/synapse/issues/13406))
|
||||||
|
|
||||||
|
|
||||||
Synapse 1.64.0rc1 (2022-07-26)
|
Synapse 1.64.0rc1 (2022-07-26)
|
||||||
==============================
|
==============================
|
||||||
|
|
||||||
As of this release, Synapse no longer allows the tasks of verifying email address ownership, and password reset confirmation, to be delegated to an identity server. For more information, see the [upgrade notes](https://matrix-org.github.io/synapse/v1.64/upgrade.html#upgrading-to-v1640).
|
This RC removed the ability to delegate the tasks of verifying email address ownership, and password reset confirmation, to an identity server.
|
||||||
|
|
||||||
We have also stopped building `.deb` packages for Ubuntu 21.10 as it is no longer an active version of Ubuntu.
|
We have also stopped building `.deb` packages for Ubuntu 21.10 as it is no longer an active version of Ubuntu.
|
||||||
|
|
||||||
|
|
|
@ -1,3 +1,9 @@
|
||||||
|
matrix-synapse-py3 (1.64.0~rc2) stable; urgency=medium
|
||||||
|
|
||||||
|
* New Synapse release 1.64.0rc2.
|
||||||
|
|
||||||
|
-- Synapse Packaging team <packages@matrix.org> Fri, 29 Jul 2022 12:22:53 +0100
|
||||||
|
|
||||||
matrix-synapse-py3 (1.64.0~rc1) stable; urgency=medium
|
matrix-synapse-py3 (1.64.0~rc1) stable; urgency=medium
|
||||||
|
|
||||||
* New Synapse release 1.64.0rc1.
|
* New Synapse release 1.64.0rc1.
|
||||||
|
|
|
@ -91,19 +91,6 @@ process, for example:
|
||||||
|
|
||||||
# Upgrading to v1.64.0
|
# Upgrading to v1.64.0
|
||||||
|
|
||||||
## Delegation of email validation no longer supported
|
|
||||||
|
|
||||||
As of this version, Synapse no longer allows the tasks of verifying email address
|
|
||||||
ownership, and password reset confirmation, to be delegated to an identity server.
|
|
||||||
|
|
||||||
To continue to allow users to add email addresses to their homeserver accounts,
|
|
||||||
and perform password resets, make sure that Synapse is configured with a
|
|
||||||
working email server in the `email` configuration section (including, at a
|
|
||||||
minimum, a `notif_from` setting.)
|
|
||||||
|
|
||||||
Specifying an `email` setting under `account_threepid_delegates` will now cause
|
|
||||||
an error at startup.
|
|
||||||
|
|
||||||
## Changes to the event replication streams
|
## Changes to the event replication streams
|
||||||
|
|
||||||
Synapse now includes a flag indicating if an event is an outlier when
|
Synapse now includes a flag indicating if an event is an outlier when
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -54,7 +54,7 @@ skip_gitignore = true
|
||||||
|
|
||||||
[tool.poetry]
|
[tool.poetry]
|
||||||
name = "matrix-synapse"
|
name = "matrix-synapse"
|
||||||
version = "1.64.0rc1"
|
version = "1.64.0rc2"
|
||||||
description = "Homeserver for the Matrix decentralised comms protocol"
|
description = "Homeserver for the Matrix decentralised comms protocol"
|
||||||
authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
|
authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
|
||||||
license = "Apache-2.0"
|
license = "Apache-2.0"
|
||||||
|
|
|
@ -44,6 +44,7 @@ from synapse.app._base import (
|
||||||
register_start,
|
register_start,
|
||||||
)
|
)
|
||||||
from synapse.config._base import ConfigError, format_config_error
|
from synapse.config._base import ConfigError, format_config_error
|
||||||
|
from synapse.config.emailconfig import ThreepidBehaviour
|
||||||
from synapse.config.homeserver import HomeServerConfig
|
from synapse.config.homeserver import HomeServerConfig
|
||||||
from synapse.config.server import ListenerConfig
|
from synapse.config.server import ListenerConfig
|
||||||
from synapse.federation.transport.server import TransportLayerServer
|
from synapse.federation.transport.server import TransportLayerServer
|
||||||
|
@ -201,7 +202,7 @@ class SynapseHomeServer(HomeServer):
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
if self.config.email.can_verify_email:
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.LOCAL:
|
||||||
from synapse.rest.synapse.client.password_reset import (
|
from synapse.rest.synapse.client.password_reset import (
|
||||||
PasswordResetSubmitTokenResource,
|
PasswordResetSubmitTokenResource,
|
||||||
)
|
)
|
||||||
|
|
|
@ -18,6 +18,7 @@
|
||||||
import email.utils
|
import email.utils
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
|
from enum import Enum
|
||||||
from typing import Any
|
from typing import Any
|
||||||
|
|
||||||
import attr
|
import attr
|
||||||
|
@ -135,22 +136,40 @@ class EmailConfig(Config):
|
||||||
|
|
||||||
self.email_enable_notifs = email_config.get("enable_notifs", False)
|
self.email_enable_notifs = email_config.get("enable_notifs", False)
|
||||||
|
|
||||||
|
self.threepid_behaviour_email = (
|
||||||
|
# Have Synapse handle the email sending if account_threepid_delegates.email
|
||||||
|
# is not defined
|
||||||
|
# msisdn is currently always remote while Synapse does not support any method of
|
||||||
|
# sending SMS messages
|
||||||
|
ThreepidBehaviour.REMOTE
|
||||||
|
if self.root.registration.account_threepid_delegate_email
|
||||||
|
else ThreepidBehaviour.LOCAL
|
||||||
|
)
|
||||||
|
|
||||||
if config.get("trust_identity_server_for_password_resets"):
|
if config.get("trust_identity_server_for_password_resets"):
|
||||||
raise ConfigError(
|
raise ConfigError(
|
||||||
'The config option "trust_identity_server_for_password_resets" '
|
'The config option "trust_identity_server_for_password_resets" has been removed.'
|
||||||
"is no longer supported. Please remove it from the config file."
|
"Please consult the configuration manual at docs/usage/configuration/config_documentation.md for "
|
||||||
|
"details and update your config file."
|
||||||
)
|
)
|
||||||
|
|
||||||
# If we have email config settings, assume that we can verify ownership of
|
self.local_threepid_handling_disabled_due_to_email_config = False
|
||||||
# email addresses.
|
if (
|
||||||
self.can_verify_email = email_config != {}
|
self.threepid_behaviour_email == ThreepidBehaviour.LOCAL
|
||||||
|
and email_config == {}
|
||||||
|
):
|
||||||
|
# We cannot warn the user this has happened here
|
||||||
|
# Instead do so when a user attempts to reset their password
|
||||||
|
self.local_threepid_handling_disabled_due_to_email_config = True
|
||||||
|
|
||||||
|
self.threepid_behaviour_email = ThreepidBehaviour.OFF
|
||||||
|
|
||||||
# Get lifetime of a validation token in milliseconds
|
# Get lifetime of a validation token in milliseconds
|
||||||
self.email_validation_token_lifetime = self.parse_duration(
|
self.email_validation_token_lifetime = self.parse_duration(
|
||||||
email_config.get("validation_token_lifetime", "1h")
|
email_config.get("validation_token_lifetime", "1h")
|
||||||
)
|
)
|
||||||
|
|
||||||
if self.can_verify_email:
|
if self.threepid_behaviour_email == ThreepidBehaviour.LOCAL:
|
||||||
missing = []
|
missing = []
|
||||||
if not self.email_notif_from:
|
if not self.email_notif_from:
|
||||||
missing.append("email.notif_from")
|
missing.append("email.notif_from")
|
||||||
|
@ -341,3 +360,18 @@ class EmailConfig(Config):
|
||||||
"Config option email.invite_client_location must be a http or https URL",
|
"Config option email.invite_client_location must be a http or https URL",
|
||||||
path=("email", "invite_client_location"),
|
path=("email", "invite_client_location"),
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
class ThreepidBehaviour(Enum):
|
||||||
|
"""
|
||||||
|
Enum to define the behaviour of Synapse with regards to when it contacts an identity
|
||||||
|
server for 3pid registration and password resets
|
||||||
|
|
||||||
|
REMOTE = use an external server to send tokens
|
||||||
|
LOCAL = send tokens ourselves
|
||||||
|
OFF = disable registration via 3pid and password resets
|
||||||
|
"""
|
||||||
|
|
||||||
|
REMOTE = "remote"
|
||||||
|
LOCAL = "local"
|
||||||
|
OFF = "off"
|
||||||
|
|
|
@ -13,6 +13,7 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
import argparse
|
import argparse
|
||||||
|
import logging
|
||||||
from typing import Any, Optional
|
from typing import Any, Optional
|
||||||
|
|
||||||
from synapse.api.constants import RoomCreationPreset
|
from synapse.api.constants import RoomCreationPreset
|
||||||
|
@ -20,11 +21,15 @@ from synapse.config._base import Config, ConfigError
|
||||||
from synapse.types import JsonDict, RoomAlias, UserID
|
from synapse.types import JsonDict, RoomAlias, UserID
|
||||||
from synapse.util.stringutils import random_string_with_symbols, strtobool
|
from synapse.util.stringutils import random_string_with_symbols, strtobool
|
||||||
|
|
||||||
NO_EMAIL_DELEGATE_ERROR = """\
|
logger = logging.getLogger(__name__)
|
||||||
Delegation of email verification to an identity server is no longer supported. To
|
|
||||||
|
LEGACY_EMAIL_DELEGATE_WARNING = """\
|
||||||
|
Delegation of email verification to an identity server is now deprecated. To
|
||||||
continue to allow users to add email addresses to their accounts, and use them for
|
continue to allow users to add email addresses to their accounts, and use them for
|
||||||
password resets, configure Synapse with an SMTP server via the `email` setting, and
|
password resets, configure Synapse with an SMTP server via the `email` setting, and
|
||||||
remove `account_threepid_delegates.email`.
|
remove `account_threepid_delegates.email`.
|
||||||
|
|
||||||
|
This will be an error in a future version.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
@ -59,8 +64,9 @@ class RegistrationConfig(Config):
|
||||||
|
|
||||||
account_threepid_delegates = config.get("account_threepid_delegates") or {}
|
account_threepid_delegates = config.get("account_threepid_delegates") or {}
|
||||||
if "email" in account_threepid_delegates:
|
if "email" in account_threepid_delegates:
|
||||||
raise ConfigError(NO_EMAIL_DELEGATE_ERROR)
|
logger.warning(LEGACY_EMAIL_DELEGATE_WARNING)
|
||||||
# self.account_threepid_delegate_email = account_threepid_delegates.get("email")
|
|
||||||
|
self.account_threepid_delegate_email = account_threepid_delegates.get("email")
|
||||||
self.account_threepid_delegate_msisdn = account_threepid_delegates.get("msisdn")
|
self.account_threepid_delegate_msisdn = account_threepid_delegates.get("msisdn")
|
||||||
self.default_identity_server = config.get("default_identity_server")
|
self.default_identity_server = config.get("default_identity_server")
|
||||||
self.allow_guest_access = config.get("allow_guest_access", False)
|
self.allow_guest_access = config.get("allow_guest_access", False)
|
||||||
|
|
|
@ -26,6 +26,7 @@ from synapse.api.errors import (
|
||||||
SynapseError,
|
SynapseError,
|
||||||
)
|
)
|
||||||
from synapse.api.ratelimiting import Ratelimiter
|
from synapse.api.ratelimiting import Ratelimiter
|
||||||
|
from synapse.config.emailconfig import ThreepidBehaviour
|
||||||
from synapse.http import RequestTimedOutError
|
from synapse.http import RequestTimedOutError
|
||||||
from synapse.http.client import SimpleHttpClient
|
from synapse.http.client import SimpleHttpClient
|
||||||
from synapse.http.site import SynapseRequest
|
from synapse.http.site import SynapseRequest
|
||||||
|
@ -415,6 +416,48 @@ class IdentityHandler:
|
||||||
|
|
||||||
return session_id
|
return session_id
|
||||||
|
|
||||||
|
async def request_email_token(
|
||||||
|
self,
|
||||||
|
id_server: str,
|
||||||
|
email: str,
|
||||||
|
client_secret: str,
|
||||||
|
send_attempt: int,
|
||||||
|
next_link: Optional[str] = None,
|
||||||
|
) -> JsonDict:
|
||||||
|
"""
|
||||||
|
Request an external server send an email on our behalf for the purposes of threepid
|
||||||
|
validation.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
id_server: The identity server to proxy to
|
||||||
|
email: The email to send the message to
|
||||||
|
client_secret: The unique client_secret sends by the user
|
||||||
|
send_attempt: Which attempt this is
|
||||||
|
next_link: A link to redirect the user to once they submit the token
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
The json response body from the server
|
||||||
|
"""
|
||||||
|
params = {
|
||||||
|
"email": email,
|
||||||
|
"client_secret": client_secret,
|
||||||
|
"send_attempt": send_attempt,
|
||||||
|
}
|
||||||
|
if next_link:
|
||||||
|
params["next_link"] = next_link
|
||||||
|
|
||||||
|
try:
|
||||||
|
data = await self.http_client.post_json_get_json(
|
||||||
|
id_server + "/_matrix/identity/api/v1/validate/email/requestToken",
|
||||||
|
params,
|
||||||
|
)
|
||||||
|
return data
|
||||||
|
except HttpResponseException as e:
|
||||||
|
logger.info("Proxied requestToken failed: %r", e)
|
||||||
|
raise e.to_synapse_error()
|
||||||
|
except RequestTimedOutError:
|
||||||
|
raise SynapseError(500, "Timed out contacting identity server")
|
||||||
|
|
||||||
async def requestMsisdnToken(
|
async def requestMsisdnToken(
|
||||||
self,
|
self,
|
||||||
id_server: str,
|
id_server: str,
|
||||||
|
@ -488,7 +531,18 @@ class IdentityHandler:
|
||||||
validation_session = None
|
validation_session = None
|
||||||
|
|
||||||
# Try to validate as email
|
# Try to validate as email
|
||||||
if self.hs.config.email.can_verify_email:
|
if self.hs.config.email.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
||||||
|
# Remote emails will only be used if a valid identity server is provided.
|
||||||
|
assert (
|
||||||
|
self.hs.config.registration.account_threepid_delegate_email is not None
|
||||||
|
)
|
||||||
|
|
||||||
|
# Ask our delegated email identity server
|
||||||
|
validation_session = await self.threepid_from_creds(
|
||||||
|
self.hs.config.registration.account_threepid_delegate_email,
|
||||||
|
threepid_creds,
|
||||||
|
)
|
||||||
|
elif self.hs.config.email.threepid_behaviour_email == ThreepidBehaviour.LOCAL:
|
||||||
# Get a validated session matching these details
|
# Get a validated session matching these details
|
||||||
validation_session = await self.store.get_threepid_validation_session(
|
validation_session = await self.store.get_threepid_validation_session(
|
||||||
"email", client_secret, sid=sid, validated=True
|
"email", client_secret, sid=sid, validated=True
|
||||||
|
|
|
@ -19,6 +19,7 @@ from twisted.web.client import PartialDownloadError
|
||||||
|
|
||||||
from synapse.api.constants import LoginType
|
from synapse.api.constants import LoginType
|
||||||
from synapse.api.errors import Codes, LoginError, SynapseError
|
from synapse.api.errors import Codes, LoginError, SynapseError
|
||||||
|
from synapse.config.emailconfig import ThreepidBehaviour
|
||||||
from synapse.util import json_decoder
|
from synapse.util import json_decoder
|
||||||
|
|
||||||
if TYPE_CHECKING:
|
if TYPE_CHECKING:
|
||||||
|
@ -152,7 +153,7 @@ class _BaseThreepidAuthChecker:
|
||||||
|
|
||||||
logger.info("Getting validated threepid. threepidcreds: %r", (threepid_creds,))
|
logger.info("Getting validated threepid. threepidcreds: %r", (threepid_creds,))
|
||||||
|
|
||||||
# msisdns are currently always verified via the IS
|
# msisdns are currently always ThreepidBehaviour.REMOTE
|
||||||
if medium == "msisdn":
|
if medium == "msisdn":
|
||||||
if not self.hs.config.registration.account_threepid_delegate_msisdn:
|
if not self.hs.config.registration.account_threepid_delegate_msisdn:
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
|
@ -163,7 +164,18 @@ class _BaseThreepidAuthChecker:
|
||||||
threepid_creds,
|
threepid_creds,
|
||||||
)
|
)
|
||||||
elif medium == "email":
|
elif medium == "email":
|
||||||
if self.hs.config.email.can_verify_email:
|
if (
|
||||||
|
self.hs.config.email.threepid_behaviour_email
|
||||||
|
== ThreepidBehaviour.REMOTE
|
||||||
|
):
|
||||||
|
assert self.hs.config.registration.account_threepid_delegate_email
|
||||||
|
threepid = await identity_handler.threepid_from_creds(
|
||||||
|
self.hs.config.registration.account_threepid_delegate_email,
|
||||||
|
threepid_creds,
|
||||||
|
)
|
||||||
|
elif (
|
||||||
|
self.hs.config.email.threepid_behaviour_email == ThreepidBehaviour.LOCAL
|
||||||
|
):
|
||||||
threepid = None
|
threepid = None
|
||||||
row = await self.store.get_threepid_validation_session(
|
row = await self.store.get_threepid_validation_session(
|
||||||
medium,
|
medium,
|
||||||
|
@ -215,7 +227,10 @@ class EmailIdentityAuthChecker(UserInteractiveAuthChecker, _BaseThreepidAuthChec
|
||||||
_BaseThreepidAuthChecker.__init__(self, hs)
|
_BaseThreepidAuthChecker.__init__(self, hs)
|
||||||
|
|
||||||
def is_enabled(self) -> bool:
|
def is_enabled(self) -> bool:
|
||||||
return self.hs.config.email.can_verify_email
|
return self.hs.config.email.threepid_behaviour_email in (
|
||||||
|
ThreepidBehaviour.REMOTE,
|
||||||
|
ThreepidBehaviour.LOCAL,
|
||||||
|
)
|
||||||
|
|
||||||
async def check_auth(self, authdict: dict, clientip: str) -> Any:
|
async def check_auth(self, authdict: dict, clientip: str) -> Any:
|
||||||
return await self._check_threepid("email", authdict)
|
return await self._check_threepid("email", authdict)
|
||||||
|
|
|
@ -28,6 +28,7 @@ from synapse.api.errors import (
|
||||||
SynapseError,
|
SynapseError,
|
||||||
ThreepidValidationError,
|
ThreepidValidationError,
|
||||||
)
|
)
|
||||||
|
from synapse.config.emailconfig import ThreepidBehaviour
|
||||||
from synapse.handlers.ui_auth import UIAuthSessionDataConstants
|
from synapse.handlers.ui_auth import UIAuthSessionDataConstants
|
||||||
from synapse.http.server import HttpServer, finish_request, respond_with_html
|
from synapse.http.server import HttpServer, finish_request, respond_with_html
|
||||||
from synapse.http.servlet import (
|
from synapse.http.servlet import (
|
||||||
|
@ -63,7 +64,7 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
|
||||||
self.config = hs.config
|
self.config = hs.config
|
||||||
self.identity_handler = hs.get_identity_handler()
|
self.identity_handler = hs.get_identity_handler()
|
||||||
|
|
||||||
if self.config.email.can_verify_email:
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.LOCAL:
|
||||||
self.mailer = Mailer(
|
self.mailer = Mailer(
|
||||||
hs=self.hs,
|
hs=self.hs,
|
||||||
app_name=self.config.email.email_app_name,
|
app_name=self.config.email.email_app_name,
|
||||||
|
@ -72,10 +73,11 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
|
||||||
)
|
)
|
||||||
|
|
||||||
async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
|
async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
|
||||||
if not self.config.email.can_verify_email:
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.OFF:
|
||||||
logger.warning(
|
if self.config.email.local_threepid_handling_disabled_due_to_email_config:
|
||||||
"User password resets have been disabled due to lack of email config"
|
logger.warning(
|
||||||
)
|
"User password resets have been disabled due to lack of email config"
|
||||||
|
)
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
400, "Email-based password resets have been disabled on this server"
|
400, "Email-based password resets have been disabled on this server"
|
||||||
)
|
)
|
||||||
|
@ -127,21 +129,35 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
|
||||||
|
|
||||||
raise SynapseError(400, "Email not found", Codes.THREEPID_NOT_FOUND)
|
raise SynapseError(400, "Email not found", Codes.THREEPID_NOT_FOUND)
|
||||||
|
|
||||||
# Send password reset emails from Synapse
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
||||||
sid = await self.identity_handler.send_threepid_validation(
|
assert self.hs.config.registration.account_threepid_delegate_email
|
||||||
email,
|
|
||||||
client_secret,
|
# Have the configured identity server handle the request
|
||||||
send_attempt,
|
ret = await self.identity_handler.request_email_token(
|
||||||
self.mailer.send_password_reset_mail,
|
self.hs.config.registration.account_threepid_delegate_email,
|
||||||
next_link,
|
email,
|
||||||
)
|
client_secret,
|
||||||
|
send_attempt,
|
||||||
|
next_link,
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
# Send password reset emails from Synapse
|
||||||
|
sid = await self.identity_handler.send_threepid_validation(
|
||||||
|
email,
|
||||||
|
client_secret,
|
||||||
|
send_attempt,
|
||||||
|
self.mailer.send_password_reset_mail,
|
||||||
|
next_link,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Wrap the session id in a JSON object
|
||||||
|
ret = {"sid": sid}
|
||||||
|
|
||||||
threepid_send_requests.labels(type="email", reason="password_reset").observe(
|
threepid_send_requests.labels(type="email", reason="password_reset").observe(
|
||||||
send_attempt
|
send_attempt
|
||||||
)
|
)
|
||||||
|
|
||||||
# Wrap the session id in a JSON object
|
return 200, ret
|
||||||
return 200, {"sid": sid}
|
|
||||||
|
|
||||||
|
|
||||||
class PasswordRestServlet(RestServlet):
|
class PasswordRestServlet(RestServlet):
|
||||||
|
@ -333,7 +349,7 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
|
||||||
self.identity_handler = hs.get_identity_handler()
|
self.identity_handler = hs.get_identity_handler()
|
||||||
self.store = self.hs.get_datastores().main
|
self.store = self.hs.get_datastores().main
|
||||||
|
|
||||||
if self.config.email.can_verify_email:
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.LOCAL:
|
||||||
self.mailer = Mailer(
|
self.mailer = Mailer(
|
||||||
hs=self.hs,
|
hs=self.hs,
|
||||||
app_name=self.config.email.email_app_name,
|
app_name=self.config.email.email_app_name,
|
||||||
|
@ -342,10 +358,11 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
|
||||||
)
|
)
|
||||||
|
|
||||||
async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
|
async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
|
||||||
if not self.config.email.can_verify_email:
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.OFF:
|
||||||
logger.warning(
|
if self.config.email.local_threepid_handling_disabled_due_to_email_config:
|
||||||
"Adding emails have been disabled due to lack of an email config"
|
logger.warning(
|
||||||
)
|
"Adding emails have been disabled due to lack of an email config"
|
||||||
|
)
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
400, "Adding an email to your account is disabled on this server"
|
400, "Adding an email to your account is disabled on this server"
|
||||||
)
|
)
|
||||||
|
@ -396,20 +413,35 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
|
||||||
|
|
||||||
raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE)
|
raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE)
|
||||||
|
|
||||||
sid = await self.identity_handler.send_threepid_validation(
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
||||||
email,
|
assert self.hs.config.registration.account_threepid_delegate_email
|
||||||
client_secret,
|
|
||||||
send_attempt,
|
# Have the configured identity server handle the request
|
||||||
self.mailer.send_add_threepid_mail,
|
ret = await self.identity_handler.request_email_token(
|
||||||
next_link,
|
self.hs.config.registration.account_threepid_delegate_email,
|
||||||
)
|
email,
|
||||||
|
client_secret,
|
||||||
|
send_attempt,
|
||||||
|
next_link,
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
# Send threepid validation emails from Synapse
|
||||||
|
sid = await self.identity_handler.send_threepid_validation(
|
||||||
|
email,
|
||||||
|
client_secret,
|
||||||
|
send_attempt,
|
||||||
|
self.mailer.send_add_threepid_mail,
|
||||||
|
next_link,
|
||||||
|
)
|
||||||
|
|
||||||
|
# Wrap the session id in a JSON object
|
||||||
|
ret = {"sid": sid}
|
||||||
|
|
||||||
threepid_send_requests.labels(type="email", reason="add_threepid").observe(
|
threepid_send_requests.labels(type="email", reason="add_threepid").observe(
|
||||||
send_attempt
|
send_attempt
|
||||||
)
|
)
|
||||||
|
|
||||||
# Wrap the session id in a JSON object
|
return 200, ret
|
||||||
return 200, {"sid": sid}
|
|
||||||
|
|
||||||
|
|
||||||
class MsisdnThreepidRequestTokenRestServlet(RestServlet):
|
class MsisdnThreepidRequestTokenRestServlet(RestServlet):
|
||||||
|
@ -502,19 +534,25 @@ class AddThreepidEmailSubmitTokenServlet(RestServlet):
|
||||||
self.config = hs.config
|
self.config = hs.config
|
||||||
self.clock = hs.get_clock()
|
self.clock = hs.get_clock()
|
||||||
self.store = hs.get_datastores().main
|
self.store = hs.get_datastores().main
|
||||||
if self.config.email.can_verify_email:
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.LOCAL:
|
||||||
self._failure_email_template = (
|
self._failure_email_template = (
|
||||||
self.config.email.email_add_threepid_template_failure_html
|
self.config.email.email_add_threepid_template_failure_html
|
||||||
)
|
)
|
||||||
|
|
||||||
async def on_GET(self, request: Request) -> None:
|
async def on_GET(self, request: Request) -> None:
|
||||||
if not self.config.email.can_verify_email:
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.OFF:
|
||||||
logger.warning(
|
if self.config.email.local_threepid_handling_disabled_due_to_email_config:
|
||||||
"Adding emails have been disabled due to lack of an email config"
|
logger.warning(
|
||||||
)
|
"Adding emails have been disabled due to lack of an email config"
|
||||||
|
)
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
400, "Adding an email to your account is disabled on this server"
|
400, "Adding an email to your account is disabled on this server"
|
||||||
)
|
)
|
||||||
|
elif self.config.email.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
||||||
|
raise SynapseError(
|
||||||
|
400,
|
||||||
|
"This homeserver is not validating threepids.",
|
||||||
|
)
|
||||||
|
|
||||||
sid = parse_string(request, "sid", required=True)
|
sid = parse_string(request, "sid", required=True)
|
||||||
token = parse_string(request, "token", required=True)
|
token = parse_string(request, "token", required=True)
|
||||||
|
|
|
@ -31,6 +31,7 @@ from synapse.api.errors import (
|
||||||
)
|
)
|
||||||
from synapse.api.ratelimiting import Ratelimiter
|
from synapse.api.ratelimiting import Ratelimiter
|
||||||
from synapse.config import ConfigError
|
from synapse.config import ConfigError
|
||||||
|
from synapse.config.emailconfig import ThreepidBehaviour
|
||||||
from synapse.config.homeserver import HomeServerConfig
|
from synapse.config.homeserver import HomeServerConfig
|
||||||
from synapse.config.ratelimiting import FederationRateLimitConfig
|
from synapse.config.ratelimiting import FederationRateLimitConfig
|
||||||
from synapse.config.server import is_threepid_reserved
|
from synapse.config.server import is_threepid_reserved
|
||||||
|
@ -73,7 +74,7 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
|
||||||
self.identity_handler = hs.get_identity_handler()
|
self.identity_handler = hs.get_identity_handler()
|
||||||
self.config = hs.config
|
self.config = hs.config
|
||||||
|
|
||||||
if self.hs.config.email.can_verify_email:
|
if self.hs.config.email.threepid_behaviour_email == ThreepidBehaviour.LOCAL:
|
||||||
self.mailer = Mailer(
|
self.mailer = Mailer(
|
||||||
hs=self.hs,
|
hs=self.hs,
|
||||||
app_name=self.config.email.email_app_name,
|
app_name=self.config.email.email_app_name,
|
||||||
|
@ -82,10 +83,13 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
|
||||||
)
|
)
|
||||||
|
|
||||||
async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
|
async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
|
||||||
if not self.hs.config.email.can_verify_email:
|
if self.hs.config.email.threepid_behaviour_email == ThreepidBehaviour.OFF:
|
||||||
logger.warning(
|
if (
|
||||||
"Email registration has been disabled due to lack of email config"
|
self.hs.config.email.local_threepid_handling_disabled_due_to_email_config
|
||||||
)
|
):
|
||||||
|
logger.warning(
|
||||||
|
"Email registration has been disabled due to lack of email config"
|
||||||
|
)
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
400, "Email-based registration has been disabled on this server"
|
400, "Email-based registration has been disabled on this server"
|
||||||
)
|
)
|
||||||
|
@ -134,21 +138,35 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
|
||||||
|
|
||||||
raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE)
|
raise SynapseError(400, "Email is already in use", Codes.THREEPID_IN_USE)
|
||||||
|
|
||||||
# Send registration emails from Synapse
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.REMOTE:
|
||||||
sid = await self.identity_handler.send_threepid_validation(
|
assert self.hs.config.registration.account_threepid_delegate_email
|
||||||
email,
|
|
||||||
client_secret,
|
# Have the configured identity server handle the request
|
||||||
send_attempt,
|
ret = await self.identity_handler.request_email_token(
|
||||||
self.mailer.send_registration_mail,
|
self.hs.config.registration.account_threepid_delegate_email,
|
||||||
next_link,
|
email,
|
||||||
)
|
client_secret,
|
||||||
|
send_attempt,
|
||||||
|
next_link,
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
# Send registration emails from Synapse,
|
||||||
|
# wrapping the session id in a JSON object.
|
||||||
|
ret = {
|
||||||
|
"sid": await self.identity_handler.send_threepid_validation(
|
||||||
|
email,
|
||||||
|
client_secret,
|
||||||
|
send_attempt,
|
||||||
|
self.mailer.send_registration_mail,
|
||||||
|
next_link,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
threepid_send_requests.labels(type="email", reason="register").observe(
|
threepid_send_requests.labels(type="email", reason="register").observe(
|
||||||
send_attempt
|
send_attempt
|
||||||
)
|
)
|
||||||
|
|
||||||
# Wrap the session id in a JSON object
|
return 200, ret
|
||||||
return 200, {"sid": sid}
|
|
||||||
|
|
||||||
|
|
||||||
class MsisdnRegisterRequestTokenRestServlet(RestServlet):
|
class MsisdnRegisterRequestTokenRestServlet(RestServlet):
|
||||||
|
@ -242,7 +260,7 @@ class RegistrationSubmitTokenServlet(RestServlet):
|
||||||
self.clock = hs.get_clock()
|
self.clock = hs.get_clock()
|
||||||
self.store = hs.get_datastores().main
|
self.store = hs.get_datastores().main
|
||||||
|
|
||||||
if self.config.email.can_verify_email:
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.LOCAL:
|
||||||
self._failure_email_template = (
|
self._failure_email_template = (
|
||||||
self.config.email.email_registration_template_failure_html
|
self.config.email.email_registration_template_failure_html
|
||||||
)
|
)
|
||||||
|
@ -252,10 +270,11 @@ class RegistrationSubmitTokenServlet(RestServlet):
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
400, "This medium is currently not supported for registration"
|
400, "This medium is currently not supported for registration"
|
||||||
)
|
)
|
||||||
if not self.config.email.can_verify_email:
|
if self.config.email.threepid_behaviour_email == ThreepidBehaviour.OFF:
|
||||||
logger.warning(
|
if self.config.email.local_threepid_handling_disabled_due_to_email_config:
|
||||||
"User registration via email has been disabled due to lack of email config"
|
logger.warning(
|
||||||
)
|
"User registration via email has been disabled due to lack of email config"
|
||||||
|
)
|
||||||
raise SynapseError(
|
raise SynapseError(
|
||||||
400, "Email-based registration is disabled on this server"
|
400, "Email-based registration is disabled on this server"
|
||||||
)
|
)
|
||||||
|
|
|
@ -17,6 +17,7 @@ from typing import TYPE_CHECKING, Tuple
|
||||||
from twisted.web.server import Request
|
from twisted.web.server import Request
|
||||||
|
|
||||||
from synapse.api.errors import ThreepidValidationError
|
from synapse.api.errors import ThreepidValidationError
|
||||||
|
from synapse.config.emailconfig import ThreepidBehaviour
|
||||||
from synapse.http.server import DirectServeHtmlResource
|
from synapse.http.server import DirectServeHtmlResource
|
||||||
from synapse.http.servlet import parse_string
|
from synapse.http.servlet import parse_string
|
||||||
from synapse.util.stringutils import assert_valid_client_secret
|
from synapse.util.stringutils import assert_valid_client_secret
|
||||||
|
@ -45,6 +46,9 @@ class PasswordResetSubmitTokenResource(DirectServeHtmlResource):
|
||||||
self.clock = hs.get_clock()
|
self.clock = hs.get_clock()
|
||||||
self.store = hs.get_datastores().main
|
self.store = hs.get_datastores().main
|
||||||
|
|
||||||
|
self._local_threepid_handling_disabled_due_to_email_config = (
|
||||||
|
hs.config.email.local_threepid_handling_disabled_due_to_email_config
|
||||||
|
)
|
||||||
self._confirmation_email_template = (
|
self._confirmation_email_template = (
|
||||||
hs.config.email.email_password_reset_template_confirmation_html
|
hs.config.email.email_password_reset_template_confirmation_html
|
||||||
)
|
)
|
||||||
|
@ -55,8 +59,8 @@ class PasswordResetSubmitTokenResource(DirectServeHtmlResource):
|
||||||
hs.config.email.email_password_reset_template_failure_html
|
hs.config.email.email_password_reset_template_failure_html
|
||||||
)
|
)
|
||||||
|
|
||||||
# This resource should only be mounted if email validation is enabled
|
# This resource should not be mounted if threepid behaviour is not LOCAL
|
||||||
assert hs.config.email.can_verify_email
|
assert hs.config.email.threepid_behaviour_email == ThreepidBehaviour.LOCAL
|
||||||
|
|
||||||
async def _async_render_GET(self, request: Request) -> Tuple[int, bytes]:
|
async def _async_render_GET(self, request: Request) -> Tuple[int, bytes]:
|
||||||
sid = parse_string(request, "sid", required=True)
|
sid = parse_string(request, "sid", required=True)
|
||||||
|
|
|
@ -586,9 +586,9 @@ class RegisterRestServletTestCase(unittest.HomeserverTestCase):
|
||||||
"require_at_registration": True,
|
"require_at_registration": True,
|
||||||
},
|
},
|
||||||
"account_threepid_delegates": {
|
"account_threepid_delegates": {
|
||||||
|
"email": "https://id_server",
|
||||||
"msisdn": "https://id_server",
|
"msisdn": "https://id_server",
|
||||||
},
|
},
|
||||||
"email": {"notif_from": "Synapse <synapse@example.com>"},
|
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
def test_advertised_flows_captcha_and_terms_and_3pids(self) -> None:
|
def test_advertised_flows_captcha_and_terms_and_3pids(self) -> None:
|
||||||
|
|
Loading…
Reference in New Issue