Fix validation problem that occurs when a user tries to deactivate th…

…eir account or change their password. (#13563)
matrix-org · Aug 19, 2022 · 3a245f6 · 3a245f6
1 parent 2c42673
commit 3a245f6
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/changelog.d/13563.feature b/changelog.d/13563.feature
@@ -0,0 +1 @@
+Improve validation of request bodies for the following client-server API endpoints: [`/account/password`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword), [`/account/password/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpasswordemailrequesttoken), [`/account/deactivate`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountdeactivate) and [`/account/3pid/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidemailrequesttoken).
diff --git a/synapse/rest/client/account.py b/synapse/rest/client/account.py
@@ -196,7 +196,7 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
                 params, session_id = await self.auth_handler.validate_user_via_ui_auth(
                     requester,
                     request,
-                    body.dict(),
+                    body.dict(exclude_unset=True),
                     "modify your account password",
                 )
             except InteractiveAuthIncompleteError as e:
@@ -219,7 +219,7 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
                 result, params, session_id = await self.auth_handler.check_ui_auth(
                     [[LoginType.EMAIL_IDENTITY]],
                     request,
-                    body.dict(),
+                    body.dict(exclude_unset=True),
                     "modify your account password",
                 )
             except InteractiveAuthIncompleteError as e:
@@ -316,7 +316,7 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
         await self.auth_handler.validate_user_via_ui_auth(
             requester,
             request,
-            body.dict(),
+            body.dict(exclude_unset=True),
             "deactivate your account",
         )
         result = await self._deactivate_account_handler.deactivate_account(

diff --git a/tests/handlers/test_deactivate_account.py b/tests/handlers/test_deactivate_account.py
@@ -322,3 +322,18 @@ def test_account_data_preserved_by_background_update_if_not_deactivated(
                 )
             ),
         )
+
+    def test_deactivate_account_needs_auth(self) -> None:
+        """
+        Tests that making a request to /deactivate with an empty body
+        succeeds in starting the user-interactive auth flow.
+        """
+        req = self.make_request(
+            "POST",
+            "account/deactivate",
+            {},
+            access_token=self.token,
+        )
+
+        self.assertEqual(req.code, 401, req)
+        self.assertEqual(req.json_body["flows"], [{"stages": ["m.login.password"]}])