Skip to content
This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Implement MSC3231: Token authenticated registration #10142

Merged
anoadragon453 merged 54 commits into from
Aug 21, 2021
Merged

Implement MSC3231: Token authenticated registration #10142

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
54 commits
Select commit Hold shift + click to select a range
5856f81
Hard-coded token authenticated registration
govynnus Jun 3, 2021
5f21580
Create registration_tokens table
govynnus Jun 10, 2021
2b8726c
Check in database to validate registration token
govynnus Jun 11, 2021
5b1ec0b
Increment `completed` when registration token used
govynnus Jun 14, 2021
15e5769
Rename total_uses to uses_allowed
govynnus Jun 14, 2021
9c502b0
Improve unit tests
govynnus Jun 14, 2021
e7754a9
Increment pending while registration in progress
govynnus Jun 14, 2021
ef05a6d
Add unit test for registration token expiry
govynnus Jun 16, 2021
53f0e05
Fix config file related bits
govynnus Jun 16, 2021
7883191
Run connected database ops in same transaction
govynnus Jun 16, 2021
1debc22
Fix some formatting problems
govynnus Jun 17, 2021
6ac376d
Test `completed` is empty when auth should fail
govynnus Jun 17, 2021
dfa8fec
Override type of simple_select_one_txn
govynnus Jun 17, 2021
c89d786
Raise error if token changes during UIA
govynnus Jun 17, 2021
e7bd00a
Add validity checking endpoint
govynnus Jun 18, 2021
d6704fd
Use AuthHandler methods for accessing UIA session
govynnus Jun 20, 2021
003e67d
Rate limit validity checking endpoint
govynnus Jun 29, 2021
3c51680
Use LoginError rather than SynapseError in checker
govynnus Jun 29, 2021
af90be7
Add fallback
govynnus Jun 30, 2021
1552b70
Docs for currently non-existent admin API
govynnus Jul 6, 2021
4df4a6e
Implement admin API
govynnus Jul 10, 2021
6901eee
Move admin api docs to correct location
govynnus Jul 19, 2021
93f752d
Include general API shape in docstrings
govynnus Jul 20, 2021
b2bf3ac
More input validation when creating and updating
govynnus Jul 20, 2021
5d5bdef
Add space to SQL query
govynnus Jul 20, 2021
b61c7f6
Fix SQL query for invalid tokens
govynnus Jul 20, 2021
e7495e6
Decrease pending when UIA session expires
govynnus Jul 22, 2021
39d24d2
Add type to test argument
govynnus Jul 23, 2021
70cc9d2
Add test for session expiry with deleted token
govynnus Jul 23, 2021
09f6572
Use f-strings rather than str.format()
govynnus Jul 27, 2021
36adec4
Update docs/usage/administration/admin_api/registration_tokens.md
govynnus Jul 27, 2021
7e539f5
Use more descriptive name
govynnus Jul 27, 2021
1cf29c9
Return 200 when nothing to update
govynnus Jul 27, 2021
7f9efcd
Remove unneeded else and add missing f
govynnus Jul 27, 2021
e9435f8
Run linter
govynnus Jul 27, 2021
f6e4831
Add uses_allowed to updating example in docstring
govynnus Aug 12, 2021
7208760
Add return values to docstring
govynnus Aug 12, 2021
47b8837
Add docstring to validity checking endpoint
govynnus Aug 12, 2021
b76099e
Move functions into RegistrationWorkerStore
govynnus Aug 12, 2021
86bbc24
Merge branch 'develop' into token-registration
govynnus Aug 19, 2021
c6cb80b
Add link to admin API docs in config file
govynnus Aug 19, 2021
ba22ffd
Move table creation SQL to latest delta
govynnus Aug 19, 2021
c775dce
Add changelog entry
govynnus Aug 19, 2021
f327b29
Regenerate sample config
govynnus Aug 19, 2021
c6bcae2
Move table creation sql to actual newest delta
govynnus Aug 20, 2021
01a74da
Avoid integrity error when creating tokens
govynnus Aug 20, 2021
5bfc707
Fix docs, comments and variable names
govynnus Aug 20, 2021
b5608c3
Try again if generated token already exists
govynnus Aug 20, 2021
bf28876
Let validity checking endpoint be used by workers
govynnus Aug 20, 2021
2e59dda
Document usage of `null` when updating tokens
govynnus Aug 20, 2021
df0077d
Merge remote-tracking branch 'upstream/develop' into token-registration
govynnus Aug 20, 2021
54867ef
Simplify retrying of token generation
govynnus Aug 21, 2021
20b566c
Small additions to admin api documentation
govynnus Aug 21, 2021
04b237a
Update synapse/storage/databases/main/registration.py
anoadragon453 Aug 21, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions docs/sample_config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1202,6 +1202,14 @@ url_preview_accept_language:
#
#enable_3pid_lookup: true

# Require users to submit a token during registration.
# Tokens can be generated with the admin API (once it exists).
# Note that `enable_registration` must be set to `true`.
# Disabling this option will not delete any tokens previously generated.
# Defaults to false. Uncomment the following to require tokens:
#
#registration_requires_token: true

# If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled.
#
Expand Down
1 change: 1 addition & 0 deletions synapse/api/constants.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ class LoginType:
TERMS = "m.login.terms"
SSO = "m.login.sso"
DUMMY = "m.login.dummy"
REGISTRATION_TOKEN = "org.matrix.msc3231.login.registration_token"


# This is used in the `type` parameter for /register when called by
Expand Down
11 changes: 11 additions & 0 deletions synapse/config/registration.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,9 @@ def read_config(self, config, **kwargs):
self.registrations_require_3pid = config.get("registrations_require_3pid", [])
self.allowed_local_3pids = config.get("allowed_local_3pids", [])
self.enable_3pid_lookup = config.get("enable_3pid_lookup", True)
self.registration_requires_token = config.get(
"registration_requires_token", False
)
self.registration_shared_secret = config.get("registration_shared_secret")

self.bcrypt_rounds = config.get("bcrypt_rounds", 12)
Expand Down Expand Up @@ -178,6 +181,14 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
#
#enable_3pid_lookup: true

# Require users to submit a token during registration.
# Tokens can be generated with the admin API (once it exists).
# Note that `enable_registration` must be set to `true`.
# Disabling this option will not delete any tokens previously generated.
# Defaults to false. Uncomment the following to require tokens:
#
#registration_requires_token: true

# If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled.
#
Expand Down
56 changes: 55 additions & 1 deletion synapse/handlers/ui_auth/checkers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
from twisted.web.client import PartialDownloadError

from synapse.api.constants import LoginType
from synapse.api.errors import Codes, LoginError, SynapseError
from synapse.api.errors import Codes, LoginError, StoreError, SynapseError
from synapse.config.emailconfig import ThreepidBehaviour
from synapse.util import json_decoder

Expand Down Expand Up @@ -237,11 +237,65 @@ async def check_auth(self, authdict: dict, clientip: str) -> Any:
return await self._check_threepid("msisdn", authdict)


class RegistrationTokenAuthChecker(UserInteractiveAuthChecker):
AUTH_TYPE = LoginType.REGISTRATION_TOKEN

def __init__(self, hs: "HomeServer"):
super().__init__(hs)
self._enabled = bool(hs.config.registration_requires_token)
self.store = hs.get_datastore()

def is_enabled(self) -> bool:
return self._enabled

async def check_auth(self, authdict: dict, clientip: str) -> Any:
if "token" not in authdict:
raise LoginError(400, "Missing token", Codes.MISSING_PARAM)
if not isinstance(authdict["token"], str):
raise LoginError(400, "Token must be a string", Codes.INVALID_PARAM)
if "session" not in authdict:
raise SynapseError(400, "Missing UIA session", Codes.MISSING_PARAM)
session = authdict["session"]

# If the LoginType.REGISTRATION_TOKEN stage has already been completed,
# return early to avoid incrementing `pending` again.
# TODO: check stored token matches provided token?
try:
stored_token = await self.store.get_ui_auth_session_data(
session,
"registration_token",
None,
)
except StoreError:
raise SynapseError(400, "Unknown session ID: {}".format(session))
if stored_token:
return True

token = authdict["token"]
if await self.store.registration_token_is_valid(token):
# Increment pending counter, so that if token has limited uses it
# can't be used up by someone else in the meantime.
await self.store.set_registration_token_pending(token)
# Store the token in the UIA session, so that once registration
# is complete `completed` can be incremented.
await self.store.set_ui_auth_session_data(
session,
"registration_token",
token,
)
return True
else:
raise LoginError(
401, "Invalid registration token", errcode=Codes.UNAUTHORIZED
)


INTERACTIVE_AUTH_CHECKERS = [
DummyAuthChecker,
TermsAuthChecker,
RecaptchaAuthChecker,
EmailIdentityAuthChecker,
MsisdnAuthChecker,
RegistrationTokenAuthChecker,
]
"""A list of UserInteractiveAuthChecker classes"""
14 changes: 14 additions & 0 deletions synapse/rest/client/v2_alpha/register.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -669,6 +669,15 @@ async def on_POST(self, request):
)

if registered:
# Check if a token was used to authenticate registration
registration_token = await self.auth_handler.get_session_data(
session_id,
"registration_token",
)
if registration_token:
# Increment the `completed` counter for the token
await self.store.use_registration_token(registration_token)

await self.registration_handler.post_registration_actions(
user_id=registered_user_id,
auth_result=auth_result,
Expand Down Expand Up @@ -816,6 +825,11 @@ def _calculate_registration_flows(
for flow in flows:
flow.insert(0, LoginType.RECAPTCHA)

# Prepend registration token to all flows if we're requiring a token
if config.registration_requires_token:
for flow in flows:
flow.insert(0, LoginType.REGISTRATION_TOKEN)

return flows


Expand Down
90 changes: 90 additions & 0 deletions synapse/storage/databases/main/registration.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1760,6 +1760,96 @@ def start_or_continue_validation_session_txn(txn):
start_or_continue_validation_session_txn,
)

async def registration_token_is_valid(self, token: str) -> bool:
"""Checks if a token can be used to authenticate a registration.

Args:
token: The registration token to be checked
"""
res = await self.db_pool.simple_select_one(
"registration_tokens",
keyvalues={"token": token},
retcols=["uses_allowed", "pending", "completed", "expiry_time"],
allow_none=True,
)

# Check if the token exists
if res is None:
return False

# Check if the token has expired
now = self._clock.time_msec()
if res["expiry_time"] and res["expiry_time"] < now:
return False

# Check if the token has been used up
if (
res["uses_allowed"]
and res["pending"] + res["completed"] >= res["uses_allowed"]
):
return False

# Otherwise, the token is valid
return True

async def set_registration_token_pending(self, token: str) -> None:
"""Increment the pending registrations counter for a token.

Args:
token: The registration token pending use
"""

def _set_registration_token_pending_txn(txn):
pending = self.db_pool.simple_select_one_onecol_txn(
txn,
"registration_tokens",
keyvalues={"token": token},
retcol="pending",
)
self.db_pool.simple_update_one_txn(
txn,
"registration_tokens",
keyvalues={"token": token},
updatevalues={"pending": pending + 1},
)

return await self.db_pool.runInteraction(
"set_registration_token_pending", _set_registration_token_pending_txn
)

async def use_registration_token(self, token: str) -> None:
"""Complete a use of the given registration token.

The `pending` counter will be decremented, and the `completed`
counter will be incremented.

Args:
token: The registration token to be 'used'
"""

def _use_registration_token_txn(txn):
res = self.db_pool.simple_select_one_txn(
txn,
"registration_tokens",
keyvalues={"token": token},
retcols=["pending", "completed"],
)

# Decrement pending and increment completed
self.db_pool.simple_update_one_txn(
txn,
"registration_tokens",
keyvalues={"token": token},
updatevalues={
"completed": res["completed"] + 1,
"pending": res["pending"] - 1,
},
)

return await self.db_pool.runInteraction(
"use_registration_token", _use_registration_token_txn
)


def find_max_generated_user_id_localpart(cur: Cursor) -> int:
"""
Expand Down
23 changes: 23 additions & 0 deletions synapse/storage/schema/main/delta/59/999create_registration_tokens.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
/* Copyright 2021 Callum Brown
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

CREATE TABLE IF NOT EXISTS registration_tokens(
token TEXT NOT NULL, -- The token that can be used for authentication.
uses_allowed INT, -- The total number of times this token can be used. NULL if no limit.
pending INT NOT NULL, -- The number of in progress registrations using this token.
completed INT NOT NULL, -- The number of times this token has been used to complete a registration.
expiry_time BIGINT, -- The latest time this token will be valid (epoch time in milliseconds). NULL if token doesn't expire.
UNIQUE (token)
);
Loading