Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Fix validation problem that occurs when a user tries to deactivate their account or change their password. #13563

Merged
merged 5 commits into from
Aug 19, 2022
Merged

Fix validation problem that occurs when a user tries to deactivate their account or change their password. #13563

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5b66ce2
Add a failing test to demonstrate the problem
reivilibre Aug 19, 2022
fc8e2b0
Fix the problem for /deactivate
reivilibre Aug 19, 2022
a6e822c
Fix for password change
reivilibre Aug 19, 2022
3ab535d
Newsfile
reivilibre Aug 19, 2022
4919878
Add flag to missed .dict()
reivilibre Aug 19, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/13563.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Improve validation of request bodies for the following client-server API endpoints: [`/account/password`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword), [`/account/password/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpasswordemailrequesttoken), [`/account/deactivate`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountdeactivate) and [`/account/3pid/email/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidemailrequesttoken).
6 changes: 3 additions & 3 deletions synapse/rest/client/account.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -196,7 +196,7 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
params, session_id = await self.auth_handler.validate_user_via_ui_auth(
requester,
request,
body.dict(),
body.dict(exclude_unset=True),
"modify your account password",
)
except InteractiveAuthIncompleteError as e:
Expand All @@ -219,7 +219,7 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
result, params, session_id = await self.auth_handler.check_ui_auth(
[[LoginType.EMAIL_IDENTITY]],
request,
body.dict(),
body.dict(exclude_unset=True),
"modify your account password",
)
except InteractiveAuthIncompleteError as e:
Expand Down Expand Up @@ -316,7 +316,7 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
await self.auth_handler.validate_user_via_ui_auth(
requester,
request,
body.dict(),
body.dict(exclude_unset=True),
"deactivate your account",
)
result = await self._deactivate_account_handler.deactivate_account(
Expand Down
15 changes: 15 additions & 0 deletions tests/handlers/test_deactivate_account.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -322,3 +322,18 @@ def test_account_data_preserved_by_background_update_if_not_deactivated(
)
),
)

def test_deactivate_account_needs_auth(self) -> None:
"""
Tests that making a request to /deactivate with an empty body
succeeds in starting the user-interactive auth flow.
"""
req = self.make_request(
"POST",
"account/deactivate",
{},
access_token=self.token,
)

self.assertEqual(req.code, 401, req)
self.assertEqual(req.json_body["flows"], [{"stages": ["m.login.password"]}])