Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Send password reset from HS: database stuff #5308

Merged
merged 12 commits into from
Jun 5, 2019
Merged

Send password reset from HS: database stuff #5308

merged 12 commits into from
Jun 5, 2019

Conversation

anoadragon453
Copy link
Member

Database component of new behaviour of sending password reset emails from Synapse instead of Sydent.

Allows one to store threepid validation sessions along with password reset token attempts and retrieve them again.

Relevant spec bits:

https://matrix.org/docs/spec/client_server/unstable.html#post-matrix-client-r0-account-password-email-requesttoken
https://matrix.org/docs/spec/identity_service/r0.1.0.html#post-matrix-identity-api-v1-validate-email-submittoken

Essentially the flow is:

  • A request to /requestToken is made with an email address, a client secret and a send_attempt to the homeserver
  • We create a new session if one doesn't already exist, but if it does check that the send_attempt is higher than the last one in the session. If it is, overwrite it.
  • We send out an email. In that email is a link containing the client secret, session id and a newly generated token
  • The user then clicks that link which leads to /submitToken on the homeserver, and we check if those three vars match up with a session and a validation request
  • If so, the user's threepid session is marked as valid and is shown a happy validation page

@codecov
Copy link

codecov bot commented May 31, 2019
edited
Loading

Codecov Report

Merging #5308 into anoa/feature_hs_password_resets will decrease coverage by 0.28%.
The diff coverage is 21.66%.

@@                         Coverage Diff                         @@
##           anoa/feature_hs_password_resets    #5308      +/-   ##
===================================================================
- Coverage                            63.04%   62.76%   -0.29%     
===================================================================
  Files                                  341      341              
  Lines                                35637    35536     -101     
  Branches                              5835     5816      -19     
===================================================================
- Hits                                 22468    22304     -164     
- Misses                               11598    11662      +64     
+ Partials                              1571     1570       -1

@anoadragon453 anoadragon453 requested a review from a team June 3, 2019 15:02
@erikjohnston
Copy link
Member

New schema change should go in 55/

erikjohnston
erikjohnston suggested changes Jun 4, 2019
View reviewed changes
synapse/storage/registration.py Outdated Show resolved Hide resolved
synapse/storage/registration.py Outdated Show resolved Hide resolved
synapse/storage/registration.py Show resolved Hide resolved
synapse/storage/registration.py Outdated
"""Remove threepid validation tokens with expiry dates that have passed"""
def cull_expired_threepid_validation_tokens_txn(txn, ts):
sql = ("DELETE FROM threepid_validation_token WHERE "
"expires < ?")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you use multiline strings please, it makes it easier to change/c+p etc

synapse/storage/registration.py Show resolved Hide resolved
synapse/storage/schema/delta/54/track_threepid_validations.sql Outdated
expires BIGINT NOT NULL
);

CREATE INDEX threepid_validations_session_id ON threepid_validation_session(session_id);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will create a duplicate index I believe, since PRIMARY KEY will create a unique index.

synapse/storage/schema/delta/54/track_threepid_validations.sql Outdated

CREATE INDEX threepid_validations_session_id ON threepid_validation_session(session_id);

CREATE INDEX threepid_validation_token_session_id ON threepid_validation_token(session_id);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto

@anoadragon453 anoadragon453 changed the base branch from develop to anoa/feature_hs_password_resets June 4, 2019 17:33
@anoadragon453 anoadragon453 mentioned this pull request Jun 4, 2019
Merged
erikjohnston
erikjohnston approved these changes Jun 5, 2019
View reviewed changes
Copy link
Member

@erikjohnston erikjohnston left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just fix up the sql a bit and then merge into your base branch

synapse/storage/registration.py Outdated
Args:
medium (str): The medium of the 3PID
address (str): The address of the 3PID
sid (str): The ID of the validation session
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does it mean if these are None?

synapse/storage/registration.py Outdated

if sid:
keyvalues["session_id"] = sid
elif address:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

elif? If we expect that only one is set, then let's assert that

synapse/storage/registration.py Outdated
"client_secret", "last_send_attempt", "validated_at",
]

sql = "SELECT %s FROM threepid_validation_session" % ", ".join(cols_to_return)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just stick these in the path rather than string concatenating them, see below

synapse/storage/registration.py Outdated
# Convert the resulting row to a dictionary
ret = {}
for i in range(len(cols_to_return)):
ret[cols_to_return[i]] = row[i]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have helper function that uses the returned data structure to do this for us. Instead of txn.fetchone():

rows = self.cursor_to_dict(txn)
if not rows:
    return None

return rows[0]

synapse/storage/registration.py Outdated
if not row:
raise ThreepidValidationError(
400, "Validation token not found or has expired",
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we're are conditionally doing stuff we should do this in a txn.

@anoadragon453 anoadragon453 force-pushed the anoa/hs_password_reset_database branch from 1505cd6 to 8f9daa4 Compare June 5, 2019 11:16
@anoadragon453 anoadragon453 merged commit 24f31df into anoa/feature_hs_password_resets Jun 5, 2019
@anoadragon453 anoadragon453 deleted the anoa/hs_password_reset_database branch June 5, 2019 12:29
@anoadragon453 anoadragon453 mentioned this pull request Jun 6, 2019
Merged
anoadragon453 added a commit that referenced this pull request Jun 6, 2019
@anoadragon453
Add ability to perform password reset via email without trusting the …
3719680 
…identity server (#5377)

Sends password reset emails from the homeserver instead of proxying to the identity server. This is now the default behaviour for security reasons. If you wish to continue proxying password reset requests to the identity server you must now enable the email.trust_identity_server_for_password_resets option.

This PR is a culmination of 3 smaller PRs which have each been separately reviewed:

* #5308
* #5345
* #5368
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@erikjohnston erikjohnston erikjohnston approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@anoadragon453 @erikjohnston