mirror of
https://github.com/matrix-org/dendrite.git
synced 2024-11-30 10:11:56 -06:00
d19518fca5
Verify consent on desired endpoints Store consent on POST requests
120 lines
3.5 KiB
Go
120 lines
3.5 KiB
Go
package routing
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"net/http"
|
|
|
|
"github.com/matrix-org/dendrite/clientapi/jsonerror"
|
|
"github.com/matrix-org/dendrite/setup/config"
|
|
userapi "github.com/matrix-org/dendrite/userapi/api"
|
|
"github.com/matrix-org/gomatrixserverlib"
|
|
"github.com/matrix-org/util"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// The data used to populate the /consent request
|
|
type constentTemplateData struct {
|
|
User string
|
|
Version string
|
|
UserHMAC string
|
|
HasConsented bool
|
|
PublicVersion bool
|
|
}
|
|
|
|
func consent(writer http.ResponseWriter, req *http.Request, userAPI userapi.UserInternalAPI, cfg *config.ClientAPI) *util.JSONResponse {
|
|
consentCfg := cfg.Matrix.UserConsentOptions
|
|
internalError := jsonerror.InternalServerError()
|
|
|
|
// The data used to populate the /consent request
|
|
data := constentTemplateData{
|
|
User: req.FormValue("u"),
|
|
Version: req.FormValue("v"),
|
|
UserHMAC: req.FormValue("h"),
|
|
}
|
|
switch req.Method {
|
|
case http.MethodGet:
|
|
// display the privacy policy without a form
|
|
data.PublicVersion = data.User == "" || data.UserHMAC == "" || data.Version == ""
|
|
|
|
// let's see if the user already consented to the current version
|
|
if !data.PublicVersion {
|
|
res := &userapi.QueryPolicyVersionResponse{}
|
|
localPart, _, err := gomatrixserverlib.SplitID('@', data.User)
|
|
if err != nil {
|
|
logrus.WithError(err).Error("unable to print consent template")
|
|
return &internalError
|
|
}
|
|
if err = userAPI.QueryPolicyVersion(req.Context(), &userapi.QueryPolicyVersionRequest{
|
|
LocalPart: localPart,
|
|
}, res); err != nil {
|
|
logrus.WithError(err).Error("unable to print consent template")
|
|
return &internalError
|
|
}
|
|
data.HasConsented = res.PolicyVersion == consentCfg.Version
|
|
}
|
|
|
|
err := consentCfg.Templates.ExecuteTemplate(writer, consentCfg.Version+".gohtml", data)
|
|
if err != nil {
|
|
logrus.WithError(err).Error("unable to print consent template")
|
|
return nil
|
|
}
|
|
return nil
|
|
case http.MethodPost:
|
|
localPart, _, err := gomatrixserverlib.SplitID('@', data.User)
|
|
if err != nil {
|
|
logrus.WithError(err).Error("unable to split username")
|
|
return &internalError
|
|
}
|
|
|
|
ok, err := validHMAC(data.User, data.UserHMAC, consentCfg.FormSecret)
|
|
if err != nil || !ok {
|
|
_, err = writer.Write([]byte("invalid HMAC provided"))
|
|
if err != nil {
|
|
return &internalError
|
|
}
|
|
return &internalError
|
|
}
|
|
if err := userAPI.PerformUpdatePolicyVersion(
|
|
req.Context(),
|
|
&userapi.UpdatePolicyVersionRequest{
|
|
PolicyVersion: data.Version,
|
|
LocalPart: localPart,
|
|
},
|
|
&userapi.UpdatePolicyVersionResponse{},
|
|
); err != nil {
|
|
_, err = writer.Write([]byte("unable to update database"))
|
|
if err != nil {
|
|
logrus.WithError(err).Error("unable to write to database")
|
|
}
|
|
return &internalError
|
|
}
|
|
// display the privacy policy without a form
|
|
data.PublicVersion = false
|
|
data.HasConsented = true
|
|
|
|
err = consentCfg.Templates.ExecuteTemplate(writer, consentCfg.Version+".gohtml", data)
|
|
if err != nil {
|
|
logrus.WithError(err).Error("unable to print consent template")
|
|
return &internalError
|
|
}
|
|
return nil
|
|
}
|
|
return &util.JSONResponse{Code: http.StatusOK}
|
|
}
|
|
|
|
func validHMAC(username, userHMAC, secret string) (bool, error) {
|
|
mac := hmac.New(sha256.New, []byte(secret))
|
|
_, err := mac.Write([]byte(username))
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
expectedMAC := mac.Sum(nil)
|
|
decoded, err := hex.DecodeString(userHMAC)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return hmac.Equal(decoded, expectedMAC), nil
|
|
}
|