Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Improve comments and error messages around access tokens. #12577

Merged
merged 5 commits into from
May 5, 2022
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/12577.misc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Improve comments and error messages around access tokens.
21 changes: 13 additions & 8 deletions synapse/api/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -417,7 +417,8 @@ async def get_user_by_access_token(
"""

if rights == "access":
# first look in the database
# First look in the database to see if the access token is present
# as an opaque token.
r = await self.store.get_user_by_access_token(token)
if r:
valid_until_ms = r.valid_until_ms
Expand All @@ -434,7 +435,8 @@ async def get_user_by_access_token(

return r

# otherwise it needs to be a valid macaroon
# If the token isn't found in the database, then it could still be a
# macaroon, so we check that here.
try:
user_id, guest = self._parse_and_validate_macaroon(token, rights)

Expand Down Expand Up @@ -482,8 +484,14 @@ async def get_user_by_access_token(
TypeError,
ValueError,
) as e:
logger.warning("Invalid macaroon in auth: %s %s", type(e), e)
raise InvalidClientTokenError("Invalid macaroon passed.")
logger.warning(
"Invalid access token in auth: %s %s.",
type(e),
e,
)
raise InvalidClientTokenError(
"Invalid access token passed. (Neither a known token nor a valid macaroon.)"
)
reivilibre marked this conversation as resolved.
Show resolved Hide resolved

def _parse_and_validate_macaroon(
self, token: str, rights: str = "access"
Expand All @@ -504,10 +512,7 @@ def _parse_and_validate_macaroon(
try:
macaroon = pymacaroons.Macaroon.deserialize(token)
except Exception: # deserialize can throw more-or-less anything
# doesn't look like a macaroon: treat it as an opaque token which
# must be in the database.
# TODO: it would be nice to get rid of this, but apparently some
# people use access tokens which aren't macaroons
# The access token doesn't look like a macaroon.
raise _InvalidMacaroonException()

try:
Expand Down