
Added possibility to disable local password authentication #3485

4 changes: 4 additions & 0 deletions synapse/config/password.py
Expand Up @@ -23,13 +23,17 @@ class PasswordConfig(Config):
def read_config(self, config):
password_config = config.get("password_config", {})
self.password_enabled = password_config.get("enabled", True)
self.password_localdb = password_config.get("localdb", True)
can we call this password_localdb_enabled or something slightly more intuitive?

self.password_pepper = password_config.get("pepper", "")

def default_config(self, config_dir_path, server_name, **kwargs):
return """
# Enable password for login.
password_config:
enabled: true
# set to false if you do not want to authenticate
# against the local db
localdb: true
# Uncomment and change to a secret random string for extra security.
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
#pepper: ""
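Review bot: The sample config comment above `localdb: true` describes the flag purely as a login switch, but in this same PR the flag also makes set_password in synapse/handlers/set_password.py refuse password changes, which an admin reading only this file would not expect. Suggest extending the comment to `# set to false if you do not want to authenticate against the local db.` followed by `# This also disables changing passwords stored in the local db.` It would also help to say how `localdb` relates to the existing `enabled` key, which the hunk leaves implicit. The PasswordConfig class starts and continues outside the hunk.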
15 changes: 9 additions & 6 deletions synapse/handlers/auth.py
Expand Up @@ -680,13 +680,16 @@ def validate_login(self, username, login_submission):

if login_type == LoginType.PASSWORD:
known_login_type = True
if not self.hs.config.password_localdb:
raise LoginError(403, "Local DB Authentication Disabled",
I'd let this fall through to the "unknown login type"/"Invalid password" code below. I don't think "Local DB Authentication Disabled" is a helpful message for users.

In other words, just change line 681 to be:

if login_type == LoginType.PASSWORD and self.hs.config.password_localdb:

errcode=Codes.FORBIDDEN)
else:
canonical_user_id = yield self._check_local_password(
qualified_user_id, password,
)

canonical_user_id = yield self._check_local_password(
qualified_user_id, password,
)

if canonical_user_id:
defer.returnValue((canonical_user_id, None))
if canonical_user_id:
defer.returnValue((canonical_user_id, None))

if not known_login_type:
raise SynapseError(400, "Unknown login type %s" % login_type)
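Review bot: A login refused by the new `if not self.hs.config.password_localdb:` branch leaves no trace, so an operator cannot distinguish a misconfigured client, or repeated attempts against the disabled path, from ordinary failed logins; a line such as `logger.info("Password login for %r rejected: local DB authentication is disabled", qualified_user_id)` before the raise would make it visible, assuming the module has the usual module-level `logger` (its imports are not in the hunk). The `else:` that now wraps the `_check_local_password` call is redundant after a `raise`, and dropping it would avoid re-indenting the `if canonical_user_id:` block. No test for the disabled case appears in the visible sections of this PR. validate_login starts and continues outside the hunk.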
4 changes: 4 additions & 0 deletions synapse/handlers/set_password.py
Expand Up @@ -31,6 +31,10 @@ def __init__(self, hs):

@defer.inlineCallbacks
def set_password(self, user_id, newpassword, requester=None):
if not self.hs.config.password_localdb:
raise SynapseError(403, "Local DB Authentication Disabled",
errcode=Codes.FORBIDDEN)

password_hash = yield self._auth_handler.hash(newpassword)

except_device_id = requester.device_id if requester else None
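Review bot: The guard added at the top of set_password reuses the login-oriented message `"Local DB Authentication Disabled"` for a password-change request, which does not tell the caller what was refused; `raise SynapseError(403, "Password changes are disabled because local DB authentication is disabled", errcode=Codes.FORBIDDEN)` names the operation. The hunk does not show the module's imports, so check that `SynapseError` and `Codes` are already in scope here. Any other code path that writes a local password hash (registration, if it does so in this codebase) is not among the visible sections and would presumably need the same guard, otherwise a hash can still be stored that can never be used for login. set_password's body continues past the hunk.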