Review comments

2026-01-16 18:43:10 -06:00 · 2022-11-11 16:07:50 +00:00 · 2022-11-11 16:07:50 +00:00 · 2970bfd8ff
parent 3b76b701e6
commit 2970bfd8ff
3 changed files with 15 additions and 4 deletions
--- a/clientapi/routing/admin.go
+++ b/clientapi/routing/admin.go
@ -102,6 +102,7 @@ func AdminResetPassword(req *http.Request, cfg *config.ClientAPI, device *userap
 	if err != nil {
 		return util.ErrorResponse(err)
 	}
+	serverName := cfg.Matrix.ServerName
 	localpart, ok := vars["localpart"]
 	if !ok {
 		return util.JSONResponse{
@ -109,6 +110,9 @@ func AdminResetPassword(req *http.Request, cfg *config.ClientAPI, device *userap
 			JSON: jsonerror.MissingArgument("Expecting user localpart."),
 		}
 	}
+	if l, s, err := gomatrixserverlib.SplitID('@', localpart); err == nil {
+		localpart, serverName = l, s
+	}
 	request := struct {
 		Password string `json:"password"`
 	}{}
@ -126,6 +130,7 @@ func AdminResetPassword(req *http.Request, cfg *config.ClientAPI, device *userap
 	}
 	updateReq := &userapi.PerformPasswordUpdateRequest{
 		Localpart:     localpart,
+		ServerName:    serverName,
 		Password:      request.Password,
 		LogoutDevices: true,
 	}
--- a/clientapi/routing/routing.go
+++ b/clientapi/routing/routing.go
@ -157,7 +157,7 @@ func Setup(
 		}),
 	).Methods(http.MethodGet, http.MethodOptions)

-	dendriteAdminRouter.Handle("/admin/resetPassword/{localpart}",
+	dendriteAdminRouter.Handle("/admin/resetPassword/{userID}",
 		httputil.MakeAdminAPI("admin_reset_password", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return AdminResetPassword(req, cfg, device, userAPI)
 		}),
--- a/userapi/internal/api.go
+++ b/userapi/internal/api.go
@ -175,6 +175,9 @@ func (a *UserInternalAPI) PerformAccountCreation(ctx context.Context, req *api.P
 	if serverName == "" {
 		serverName = a.Config.Matrix.ServerName
 	}
+	if !a.Config.Matrix.IsLocalServerName(serverName) {
+		return fmt.Errorf("server name %s is not local", serverName)
+	}
 	acc, err := a.DB.CreateAccount(ctx, req.Localpart, serverName, req.Password, req.AppServiceID, req.AccountType)
 	if err != nil {
 		if errors.Is(err, sqlutil.ErrUserExists) { // This account already exists
@ -226,6 +229,9 @@ func (a *UserInternalAPI) PerformAccountCreation(ctx context.Context, req *api.P
 }

 func (a *UserInternalAPI) PerformPasswordUpdate(ctx context.Context, req *api.PerformPasswordUpdateRequest, res *api.PerformPasswordUpdateResponse) error {
+	if !a.Config.Matrix.IsLocalServerName(req.ServerName) {
+		return fmt.Errorf("server name %s is not local", req.ServerName)
+	}
 	if err := a.DB.SetPassword(ctx, req.Localpart, req.ServerName, req.Password); err != nil {
 		return err
 	}
@ -354,6 +360,9 @@ func (a *UserInternalAPI) PerformDeviceUpdate(ctx context.Context, req *api.Perf
 		util.GetLogger(ctx).WithError(err).Error("gomatrixserverlib.SplitID failed")
 		return err
 	}
+	if !a.Config.Matrix.IsLocalServerName(domain) {
+		return fmt.Errorf("server name %s is not local", domain)
+	}
 	dev, err := a.DB.GetDeviceByID(ctx, localpart, domain, req.DeviceID)
 	if err == sql.ErrNoRows {
 		res.DeviceExists = false
@ -362,9 +371,6 @@ func (a *UserInternalAPI) PerformDeviceUpdate(ctx context.Context, req *api.Perf
 		util.GetLogger(ctx).WithError(err).Error("deviceDB.GetDeviceByID failed")
 		return err
 	}
-	if !a.Config.Matrix.IsLocalServerName(domain) {
-		return fmt.Errorf("server name %s is not local", domain)
-	}
 	res.DeviceExists = true

 	if dev.UserID != req.RequestingUserID {