
Improve comments and error messages around access tokens. #12577

Merged
merged 5 commits into from
May 5, 2022
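--- a/changelog.d/12577.misc
+++ b/changelog.d/12577.misc
@@ -0,0 +1 @@
+Improve comments and error messages around access tokens.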
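--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -417,7 +417,8 @@ async def get_user_by_access_token(
 """
 
 if rights == "access":
-# first look in the database
+# First look in the database to see if the access token is present
+# as an opaque token.
 r = await self.store.get_user_by_access_token(token)
 if r:
 valid_until_ms = r.valid_until_ms
@@ -434,7 +435,8 @@ async def get_user_by_access_token(
 
 return r
 
-# otherwise it needs to be a valid macaroon
+# If the token isn't found in the database, then it could still be a
+# macaroon, so we check that here.
 try:
 user_id, guest = self._parse_and_validate_macaroon(token, rights)
 
@@ -482,8 +484,12 @@ async def get_user_by_access_token(
 TypeError,
 ValueError,
 ) as e:
-logger.warning("Invalid macaroon in auth: %s %s", type(e), e)
-raise InvalidClientTokenError("Invalid macaroon passed.")
+logger.warning(
+"Invalid access token in auth: %s %s.",
+type(e),
+e,
+)
+raise InvalidClientTokenError("Invalid access token passed.")
 
 def _parse_and_validate_macaroon(
 self, token: str, rights: str = "access"
@@ -504,10 +510,7 @@ def _parse_and_validate_macaroon(
 try:
 macaroon = pymacaroons.Macaroon.deserialize(token)
 except Exception: # deserialize can throw more-or-less anything
-# doesn't look like a macaroon: treat it as an opaque token which
-# must be in the database.
-# TODO: it would be nice to get rid of this, but apparently some
-# people use access tokens which aren't macaroons
+# The access token doesn't look like a macaroon.
 raise _InvalidMacaroonException()
 
 try: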
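Review bot: In the `) as e:` handler of `get_user_by_access_token` (hunk at new line 484), the warning still formats `e` for a token that failed validation, and the visible lines do not show whether any of the caught exception messages can echo part of the token; that is worth confirming, since access tokens are bearer credentials and this path handles tokens that have not been authenticated. Because the message no longer names the macaroon path, I would add a comment above the call, e.g. `# Macaroon validation failed (for rights == "access" the database lookup already missed); never log the token itself.` As a style point, `type(e).__name__` reads better in logs than `type(e)`, and the trailing `.` after `%s %s` ends up glued to the exception text. The function and the `except` tuple both start outside the hunk.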