Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Improve comments and error messages around access tokens. #12577

Merged
merged 5 commits into from
May 5, 2022
Merged

Improve comments and error messages around access tokens. #12577

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b911ac3
Improve commentary and error messages around access tokens
reivilibre Apr 28, 2022
61047f8
Newsfile
reivilibre Apr 28, 2022
4ad27d0
Update synapse/api/auth.py
reivilibre Apr 28, 2022
564f5c8
Remove confusing part of comment
reivilibre Apr 28, 2022
08cde57
Update synapse/api/auth.py
reivilibre Apr 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/12577.misc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Improve comments and error messages around access tokens.
23 changes: 15 additions & 8 deletions synapse/api/auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -417,7 +417,8 @@ async def get_user_by_access_token(
"""

if rights == "access":
# first look in the database
# First look in the database to see if the access token is present
# as an opaque token.
r = await self.store.get_user_by_access_token(token)
if r:
valid_until_ms = r.valid_until_ms
Expand All @@ -434,7 +435,8 @@ async def get_user_by_access_token(

return r

# otherwise it needs to be a valid macaroon
# If the token isn't found in the database, then it could still be a
# macaroon, so we check that here.
try:
user_id, guest = self._parse_and_validate_macaroon(token, rights)

Expand Down Expand Up @@ -482,8 +484,14 @@ async def get_user_by_access_token(
TypeError,
ValueError,
) as e:
logger.warning("Invalid macaroon in auth: %s %s", type(e), e)
raise InvalidClientTokenError("Invalid macaroon passed.")
logger.warning(
"Invalid access token in auth: %s %s. (Neither a known token nor a valid macaroon.)",
reivilibre marked this conversation as resolved.
Show resolved Hide resolved
type(e),
e,
)
raise InvalidClientTokenError(
"Invalid access token passed. (Neither a known token nor a valid macaroon.)"
)
reivilibre marked this conversation as resolved.
Show resolved Hide resolved

def _parse_and_validate_macaroon(
self, token: str, rights: str = "access"
Expand All @@ -504,10 +512,9 @@ def _parse_and_validate_macaroon(
try:
macaroon = pymacaroons.Macaroon.deserialize(token)
except Exception: # deserialize can throw more-or-less anything
# doesn't look like a macaroon: treat it as an opaque token which
# must be in the database.
# TODO: it would be nice to get rid of this, but apparently some
# people use access tokens which aren't macaroons
# The access token doesn't look like a macaroon.
# In that case, we assume it's an opaque token which must be in the
# database.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this gets called after we checked if it was in the database, so I'm not sure this is quite correct?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried to write something and then wound up writing something which is easier to read in a different way. I'll try and rephrase.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe just say "The access token doesn't look like a macaroon. Raise an exception to let the caller know." or something?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it's easier just to cut that sentence out.

raise _InvalidMacaroonException()

try:
Expand Down