This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Clean up exception handling for access_tokens #5656
Merged
First of all, let's get rid of `TOKEN_NOT_FOUND_HTTP_STATUS`. It was a hack we did at one point when it was possible to return either a 403 or a 401 if the creds were missing. We always return a 401 in these cases now (thankfully), so it's not needed.

Let's also stop abusing `AuthError` for these cases. Honestly they have nothing that relates them to the other places that `AuthError` is used, other than the fact that they are loosely under the 'Auth' banner. It makes no sense for them to share exception classes.

Instead, let's add a couple of new exception classes: `InvalidClientTokenError` and `MissingClientTokenError`, for the `M_UNKNOWN_TOKEN` and `M_MISSING_TOKEN` cases respectively - and an `InvalidClientCredentialsError` base class for the two of them.
richvdh force-pushed the rav/soft_logout/token_not_found branch from 370fa8f to cd5a431, July 10, 2019 14:46
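The hierarchy described in the PR description, as an added sketch that is not Synapse's own code: the `ClientError` base, the default messages, the `M_FORBIDDEN` code on `AuthError`, the token table and the `handle` function are assumptions made for illustration. It shows that both credential failures carry a fixed 401 from their shared base class, while a permission failure for an authenticated caller stays a separate 403 exception.

```python
class ClientError(Exception):
    """Hypothetical stand-in for the server's HTTP error base class."""
    def __init__(self, code, msg, errcode):
        super().__init__(msg)
        self.code, self.msg, self.errcode = code, msg, errcode

class InvalidClientCredentialsError(ClientError):
    """Base for both token failures: the status is always 401."""
    def __init__(self, msg, errcode):
        super().__init__(401, msg, errcode)

class MissingClientTokenError(InvalidClientCredentialsError):
    def __init__(self, msg="Missing access token"):
        super().__init__(msg, "M_MISSING_TOKEN")

class InvalidClientTokenError(InvalidClientCredentialsError):
    def __init__(self, msg="Unrecognised access token"):
        super().__init__(msg, "M_UNKNOWN_TOKEN")

class AuthError(ClientError):
    """Authenticated caller lacks permission; unrelated to token errors."""
    def __init__(self, msg):
        super().__init__(403, msg, "M_FORBIDDEN")  # assumed errcode

KNOWN_TOKENS = {"tok_alice": "@alice:example.org"}  # constructed sample data

def get_access_token(headers, query):
    """Read the token from the Authorization header or the query string."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    if "access_token" in query:
        return query["access_token"]
    raise MissingClientTokenError()

def handle(headers, query, room_members):
    """Return (status, body) for a request to a members-only resource."""
    try:
        user = KNOWN_TOKENS.get(get_access_token(headers, query))
        if user is None:
            raise InvalidClientTokenError()
        if user not in room_members:
            raise AuthError("User not in room")
        return 200, {"user_id": user}
    except InvalidClientCredentialsError as e:
        # One clause covers missing and unknown tokens; no status is passed in.
        return e.code, {"errcode": e.errcode, "error": e.msg}
    except AuthError as e:
        return e.code, {"errcode": e.errcode, "error": e.msg}
```
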
Looks fine. My only concern is bits around returning why the token failed, although if the macaroon is already validated, I'm guessing it can't be used for a user ID enumeration attack?
hawkowl approved these changes Jul 10, 2019
Yes, this. I don't believe this PR is introducing any new information where we weren't before, and as noted, I don't believe you can mount an enumeration attack without being able to forge macaroons, in which case we've already lost.
anoadragon453 added a commit that referenced this pull request Jul 22, 2019
v1.2.0rc1

Features
--------

- Add support for opentracing. ([\#5544](#5544), [\#5712](#5712))
- Add ability to pull all locally stored events out of synapse that a particular user can see. ([\#5589](#5589))
- Add a basic admin command app to allow server operators to run Synapse admin commands separately from the main production instance. ([\#5597](#5597))
- Add `sender` and `origin_server_ts` fields to `m.replace`. ([\#5613](#5613))
- Add default push rule to ignore reactions. ([\#5623](#5623))
- Include the original event when asking for its relations. ([\#5626](#5626))
- Implement `session_lifetime` configuration option, after which access tokens will expire. ([\#5660](#5660))
- Return "This account has been deactivated" when a deactivated user tries to login. ([\#5674](#5674))
- Enable aggregations support by default ([\#5714](#5714))

Bugfixes
--------

- Fix 'utime went backwards' errors on daemonization. ([\#5609](#5609))
- Various minor fixes to the federation request rate limiter. ([\#5621](#5621))
- Forbid viewing relations on an event once it has been redacted. ([\#5629](#5629))
- Fix requests to the `/store_invite` endpoint of identity servers being sent in the wrong format. ([\#5638](#5638))
- Fix newly-registered users not being able to lookup their own profile without joining a room. ([\#5644](#5644))
- Fix bug in #5626 that prevented the original_event field from actually having the contents of the original event in a call to `/relations`. ([\#5654](#5654))
- Fix 3PID bind requests being sent to identity servers as `application/x-form-www-urlencoded` data, which is deprecated. ([\#5658](#5658))
- Fix some problems with authenticating redactions in recent room versions. ([\#5699](#5699), [\#5700](#5700), [\#5707](#5707))
- Ignore redactions of m.room.create events. ([\#5701](#5701))

Updates to the Docker image
---------------------------

- Base Docker image on a newer Alpine Linux version (3.8 -> 3.10). ([\#5619](#5619))
- Add missing space in default logging file format generated by the Docker image. ([\#5620](#5620))

Improved Documentation
----------------------

- Add information about nginx normalisation to reverse_proxy.rst. Contributed by @skalarproduktraum - thanks! ([\#5397](#5397))
- --no-pep517 should be --no-use-pep517 in the documentation to setup the development environment. ([\#5651](#5651))
- Improvements to Postgres setup instructions. Contributed by @Lrizika - thanks! ([\#5661](#5661))
- Minor tweaks to postgres documentation. ([\#5675](#5675))

Deprecations and Removals
-------------------------

- Remove support for the `invite_3pid_guest` configuration setting. ([\#5625](#5625))

Internal Changes
----------------

- Move logging code out of `synapse.util` and into `synapse.logging`. ([\#5606](#5606), [\#5617](#5617))
- Add a blacklist file to the repo to blacklist certain sytests from failing CI. ([\#5611](#5611))
- Make runtime errors surrounding password reset emails much clearer. ([\#5616](#5616))
- Remove dead code for persisting outgoing federation transactions. ([\#5622](#5622))
- Add `lint.sh` to the scripts-dev folder which will run all linting steps required by CI. ([\#5627](#5627))
- Move RegistrationHandler.get_or_create_user to test code. ([\#5628](#5628))
- Add some more common python virtual-environment paths to the black exclusion list. ([\#5630](#5630))
- Some counter metrics exposed over Prometheus have been renamed, with the old names preserved for backwards compatibility and deprecated. See `docs/metrics-howto.rst` for details. ([\#5636](#5636))
- Unblacklist some user_directory sytests. ([\#5637](#5637))
- Factor out some redundant code in the login implementation. ([\#5639](#5639))
- Update ModuleApi to avoid register(generate_token=True). ([\#5640](#5640))
- Remove access-token support from `RegistrationHandler.register`, and rename it. ([\#5641](#5641))
- Remove access-token support from `RegistrationStore.register`, and rename it. ([\#5642](#5642))
- Improve logging for auto-join when a new user is created. ([\#5643](#5643))
- Remove unused and unnecessary check for FederationDeniedError in _exception_to_failure. ([\#5645](#5645))
- Fix a small typo in a code comment. ([\#5655](#5655))
- Clean up exception handling around client access tokens. ([\#5656](#5656))
- Add a mechanism for per-test homeserver configuration in the unit tests. ([\#5657](#5657))
- Inline issue_access_token. ([\#5659](#5659))
- Update the sytest BuildKite configuration to checkout Synapse in `/src`. ([\#5664](#5664))
- Add a `docker` type to the towncrier configuration. ([\#5673](#5673))
- Convert `synapse.federation.transport.server` to `async`. Might improve some stack traces. ([\#5689](#5689))
- Documentation for opentracing. ([\#5703](#5703))
anoadragon453 added a commit that referenced this pull request Feb 19, 2020