
Only clear the session once the final request comes through without a…
…n auth flow.
clokep committed Mar 20, 2020
1 parent afe0a36 commit 90c2b6c
Showing 1 changed file with 8 additions and 9 deletions.
17 changes: 8 additions & 9 deletions synapse/handlers/auth.py
Expand Up @@ -343,8 +343,11 @@ def check_auth(
list(clientdict),
)

# Blow away the session so it can not be re-used.
self._invalidate_session(session["id"])
# If the authentication flow is complete and this is the
# subsequent request, mark this session as invalid, so it cannot
# be re-used.
if "type" not in authdict:
self._remove_session(session["id"])

return creds, clientdict, session["id"]

Expand Down Expand Up @@ -518,13 +521,9 @@ def _get_session_info(self, session_id: Optional[str]) -> dict:

return self.sessions[session_id]

def _invalidate_session(self, session_id) -> None:
"""Invalidate session information for session ID"""
session = self.sessions.get(session_id, None)
if session and "ui_auth" in session:
# Set the items in the ui_auth session to sentinel values that can
# never be equaled.
session["ui_auth"] = object()
def _remove_session(self, session_id) -> None:
"""Remove a session (if it exists)."""
self.sessions.pop(session_id, None)

@defer.inlineCallbacks
def get_access_token_for_user_id(
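Review bot: With the new `if "type" not in authdict:` guard, the request that actually completes the flow (one carrying a `type` in authdict) now returns creds while leaving the session in `self.sessions`, so a repeated request with the same session id and no `type` would, as far as the hunk shows, be accepted once more before `_remove_session` runs; `check_auth` begins outside the hunk, so I cannot see whether the caller is idempotent with respect to the returned creds. That looks like the intended two-request flow from the commit title, but nothing at the guard says so; I'd add above it `# The stage-completing request keeps the session so the client can send the final request with only the session id; that request (no "type") is the one that removes it.`. A completed session whose follow-up request never arrives is also never popped here, so if `self.sessions` has no expiry elsewhere this is worth a `# NOTE:` on `_remove_session` or at the guard. Since `_remove_session` drops the whole session rather than just its `ui_auth` entry as `_invalidate_session` did, the docstring could state that any other per-session state is discarded too.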
