mirrors/dendrite
1
0
Fork 0
mirror of https://github.com/matrix-org/dendrite.git synced 2026-01-08 14:43:09 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix race condition when creating new registration session

Browse source
This commit is contained in:
Tak Wai Wong 2022-06-24 18:22:17 -07:00
parent 3115998616
commit cebc4ec489
3 changed files with 43 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
clientapi/auth/authtypes/stages.go Normal file
View file

@ -0,0 +1,19 @@
// Copyright 2021 The Matrix.org Foundation C.I.C.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package authtypes
const (
LoginStagePublicKeyNewSession = "m.login.publickey.newsession"
)

18
clientapi/routing/register.go
View file

@ -750,8 +750,8 @@ func handleRegistrationFlow(
} }
} }
switch r.Auth.Type { switch true {
case authtypes.LoginTypeRecaptcha: case r.Auth.Type == authtypes.LoginTypeRecaptcha:
// Check given captcha response // Check given captcha response
resErr := validateRecaptcha(cfg, r.Auth.Response, req.RemoteAddr) resErr := validateRecaptcha(cfg, r.Auth.Response, req.RemoteAddr)
if resErr != nil { if resErr != nil {
@ -761,24 +761,20 @@ func handleRegistrationFlow(
// Add Recaptcha to the list of completed registration stages // Add Recaptcha to the list of completed registration stages
sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypeRecaptcha) sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypeRecaptcha)
case authtypes.LoginTypeDummy: case r.Auth.Type == authtypes.LoginTypeDummy && !cfg.PasswordAuthenticationDisabled:
// there is nothing to do // there is nothing to do
// Add Dummy to the list of completed registration stages // Add Dummy to the list of completed registration stages
sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypeDummy) sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypeDummy)
case authtypes.LoginTypePublicKey: case r.Auth.Type == authtypes.LoginTypePublicKey:
isCompleted, authType, err := handlePublicKeyRegistration(cfg, reqBody, &r, userAPI) _, authType, err := handlePublicKeyRegistration(cfg, reqBody, &r, userAPI)
if err != nil { if err != nil {
return *err return *err
} }
if isCompleted { sessions.addCompletedSessionStage(sessionID, authType)
sessions.addCompletedSessionStage(sessionID, authType)
} else {
newPublicKeyAuthSession(&r, sessions, sessionID)
}
case "": case r.Auth.Type == "":
// An empty auth type means that we want to fetch the available // An empty auth type means that we want to fetch the available
// flows. It can also mean that we want to register as an appservice // flows. It can also mean that we want to register as an appservice
// but that is handed above. // but that is handed above.

28
clientapi/routing/register_publickey.go
View file

@ -26,14 +26,6 @@ import (
"github.com/tidwall/gjson" "github.com/tidwall/gjson"
) )
func newPublicKeyAuthSession(request *registerRequest, sessions *sessionsDict, sessionID string) {
sessions.sessions[sessionID] = append(sessions.sessions[sessionID], authtypes.LoginTypePublicKey)
// Public key auth does not use password. But the registration flow
// requires setting a password in order to create the account.
// Create a random password to satisfy the requirement.
request.Password = util.RandomString(sessionIDLength)
}
func handlePublicKeyRegistration( func handlePublicKeyRegistration(
cfg *config.ClientAPI, cfg *config.ClientAPI,
reqBytes []byte, reqBytes []byte,
@ -67,7 +59,7 @@ func handlePublicKeyRegistration(
authHandler = pkEthHandler authHandler = pkEthHandler
default: default:
// No response. Client is asking for a new registration session // No response. Client is asking for a new registration session
return false, "", nil return false, authtypes.LoginStagePublicKeyNewSession, nil
} }
if _, ok := sessions.sessions[authHandler.GetSession()]; !ok { if _, ok := sessions.sessions[authHandler.GetSession()]; !ok {
@ -85,7 +77,7 @@ func handlePublicKeyRegistration(
} }
} }
isCompleted, jerr := authHandler.ValidateLoginResponse() isValidated, jerr := authHandler.ValidateLoginResponse()
if jerr != nil { if jerr != nil {
return false, "", &util.JSONResponse{ return false, "", &util.JSONResponse{
Code: http.StatusUnauthorized, Code: http.StatusUnauthorized,
@ -93,5 +85,19 @@ func handlePublicKeyRegistration(
} }
} }
return isCompleted, authtypes.LoginType(authHandler.GetType()), nil // Registration flow requires a password to
// create a user account. Create a random one
// to satisfy the requirement. This is not used
// for public key cryptography.
createPassword(r)
return isValidated, authtypes.LoginType(authHandler.GetType()), nil
}
func createPassword(request *registerRequest) {
// Public key auth does not use password.
// Create a random one that is never used.
// Login validation will be done using public / private
// key cryptography.
request.Password = util.RandomString(sessionIDLength)
} }