Takwaiw/fix concurrent registration bug (#12)

* fix concurrent registration bug. Rename decentralizedid * remove unused module * add regressed test to blacklist Co-authored-by: Tak Wai Wong <takwaiw@gmail.com>
2026-01-07 06:03:09 -06:00 · 2022-07-01 13:13:06 -04:00 · 2022-07-01 13:13:06 -04:00 · 092188d384
parent 844439853b
commit 092188d384
5 changed files with 43 additions and 20 deletions
--- a/clientapi/auth/authtypes/stages.go
+++ b/clientapi/auth/authtypes/stages.go
@ -0,0 +1,19 @@
+// Copyright 2021 The Matrix.org Foundation C.I.C.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authtypes
+
+const (
+	LoginStagePublicKeyNewRegistration = "m.login.publickey.newregistration"
+)
--- a/clientapi/auth/login_publickey_ethereum.go
+++ b/clientapi/auth/login_publickey_ethereum.go
@ -135,7 +135,7 @@ func (pk LoginPublicKeyEthereum) ValidateLoginResponse() (bool, *jsonerror.Matri

 func (pk LoginPublicKeyEthereum) CreateLogin() *Login {
 	identifier := LoginIdentifier{
-		Type: "m.id.publickey",
+		Type: "m.id.decentralizedid",
 		User: pk.UserId,
 	}
 	login := Login{
--- a/clientapi/auth/user_interactive.go
+++ b/clientapi/auth/user_interactive.go
@ -75,7 +75,7 @@ type Login struct {

 // Username returns the user localpart/user_id in this request, if it exists.
 func (r *Login) Username() string {
-	if r.Identifier.Type == "m.id.user" || r.Identifier.Type == "m.id.publickey" {
+	if r.Identifier.Type == "m.id.user" || r.Identifier.Type == "m.id.decentralizedid" {
 		return r.Identifier.User
 	}
 	// deprecated but without it Element iOS won't log in
--- a/clientapi/routing/register.go
+++ b/clientapi/routing/register.go
@ -764,19 +764,17 @@ func handleRegistrationFlow(
 	case authtypes.LoginTypeDummy:
 		// there is nothing to do
 		// Add Dummy to the list of completed registration stages
-		sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypeDummy)
+		if !cfg.PasswordAuthenticationDisabled {
+			sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypeDummy)
+		}

 	case authtypes.LoginTypePublicKey:
-		isCompleted, authType, err := handlePublicKeyRegistration(cfg, reqBody, &r, userAPI)
+		_, authType, err := handlePublicKeyRegistration(cfg, reqBody, &r, userAPI)
 		if err != nil {
 			return *err
 		}

-		if isCompleted {
-			sessions.addCompletedSessionStage(sessionID, authType)
-		} else {
-			newPublicKeyAuthSession(&r, sessions, sessionID)
-		}
+		sessions.addCompletedSessionStage(sessionID, authType)

 	case "":
 		// An empty auth type means that we want to fetch the available
--- a/clientapi/routing/register_publickey.go
+++ b/clientapi/routing/register_publickey.go
@ -26,14 +26,6 @@ import (
 	"github.com/tidwall/gjson"
 )

-func newPublicKeyAuthSession(request *registerRequest, sessions *sessionsDict, sessionID string) {
-	sessions.sessions[sessionID] = append(sessions.sessions[sessionID], authtypes.LoginTypePublicKey)
-	// Public key auth does not use password. But the registration flow
-	// requires setting a password in order to create the account.
-	// Create a random password to satisfy the requirement.
-	request.Password = util.RandomString(sessionIDLength)
-}
-
 func handlePublicKeyRegistration(
 	cfg *config.ClientAPI,
 	reqBytes []byte,
@ -67,7 +59,7 @@ func handlePublicKeyRegistration(
 		authHandler = pkEthHandler
 	default:
 		// No response. Client is asking for a new registration session
-		return false, "", nil
+		return false, authtypes.LoginStagePublicKeyNewRegistration, nil
 	}

 	if _, ok := sessions.sessions[authHandler.GetSession()]; !ok {
@ -85,7 +77,7 @@ func handlePublicKeyRegistration(
 		}
 	}

-	isCompleted, jerr := authHandler.ValidateLoginResponse()
+	isValidated, jerr := authHandler.ValidateLoginResponse()
 	if jerr != nil {
 		return false, "", &util.JSONResponse{
 			Code: http.StatusUnauthorized,
@ -93,5 +85,19 @@ func handlePublicKeyRegistration(
 		}
 	}

-	return isCompleted, authtypes.LoginType(authHandler.GetType()), nil
+	// Registration flow requires a password to
+	// create a user account. Create a random one
+	// to satisfy the requirement. This is not used
+	// for public key cryptography.
+	createPassword(r)
+
+	return isValidated, authtypes.LoginType(authHandler.GetType()), nil
+}
+
+func createPassword(request *registerRequest) {
+	// Public key auth does not use password.
+	// Create a random one that is never used.
+	// Login validation will be done using public / private
+	// key cryptography.
+	request.Password = util.RandomString(sessionIDLength)
 }