Fix the 'Login as a user' Admin API not checking if the user exists before issuing an access token. (#18518)

Fixes: #18503

---------

Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
Co-authored-by: Quentin Gliech <quenting@element.io>

Author: reivilibre

changelog.d/18518.bugfix

@@ -0,0 +1 @@
+Fix the 'Login as a user' Admin API not checking if the user exists before issuing an access token.

synapse/rest/admin/users.py

@@ -1144,6 +1144,7 @@ def __init__(self, hs: "HomeServer"):
         self.store = hs.get_datastores().main
         self.auth = hs.get_auth()
         self.auth_handler = hs.get_auth_handler()
+        self.admin_handler = hs.get_admin_handler()
         self.is_mine_id = hs.is_mine_id
 
     async def on_POST(
@@ -1158,6 +1159,12 @@ async def on_POST(
                 HTTPStatus.BAD_REQUEST, "Only local users can be logged in as"
             )
 
+        # Validate user_id
+        UserID.from_string(user_id)
+        _user_info_dict = await self.store.get_user_by_id(user_id)
+        if not _user_info_dict:
+            raise NotFoundError("User not found")
+
         body = parse_json_object_from_request(request, allow_empty_body=True)
 
         valid_until_ms = body.get("valid_until_ms")

tests/rest/admin/test_user.py

@@ -4288,6 +4288,17 @@ def test_not_admin(self) -> None:
 
         self.assertEqual(403, channel.code, msg=channel.json_body)
 
+    def test_no_user(self) -> None:
+        """Try to log in as a user that doesn't exist."""
+        channel = self.make_request(
+            "POST",
+            "/_synapse/admin/v1/users/%s/login" % urllib.parse.quote("@ghost:test"),
+            b"{}",
+            access_token=self.admin_user_tok,
+        )
+        self.assertEqual(404, channel.code, msg=channel.json_body)
+        self.assertEqual(Codes.NOT_FOUND, channel.json_body["errcode"])
+
     def test_send_event(self) -> None:
         """Test that sending event as a user works."""
         # Create a room.