Clear the session on successful authentication.

matrix-org · Mar 11, 2020 · 6bcd1fe · 6bcd1fe
1 parent 006b4da
commit 6bcd1fe
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
@@ -347,6 +347,10 @@ def check_auth(
                     creds,
                     list(clientdict),
                 )
+
+                # Blow away the session so it can not be re-used.
+                self._invalidate_session(session["id"])
+
                 return creds, clientdict, session["id"]
 
         ret = self._auth_dict_for_flows(flows, session)
@@ -517,6 +521,17 @@ def _get_session_info(self, session_id: Optional[str]) -> dict:
 
         return self.sessions[session_id]
 
+    def _invalidate_session(self, session_id) -> None:
+        """Invalidate session information for session ID"""
+        session = self.sessions.get(session_id, None)
+        if session and "ui_auth" in session:
+            # Set the items in the ui_auth session to sentinel values that can
+            # never be equaled.
+            session["ui_auth"] = {
+                "action_type": object(),
+                "action_id": object(),
+            }
+
     @defer.inlineCallbacks
     def get_access_token_for_user_id(
         self, user_id: str, device_id: Optional[str], valid_until_ms: Optional[int]

diff --git a/tests/rest/client/v2_alpha/test_auth.py b/tests/rest/client/v2_alpha/test_auth.py
@@ -104,7 +104,7 @@ def test_fallback_captcha(self):
         )
         self.render(request)
 
-        # Now we should have fufilled a complete auth flow, including
+        # Now we should have fulfilled a complete auth flow, including
         # the recaptcha fallback step, we can then send a
         # request to the register API with the session in the authdict.
         request, channel = self.make_request(