Remove non-functional 'expire_access_token' setting

changelog.d/5782.removal

@@ -0,0 +1 @@
+Remove non-functional 'expire_access_token' setting.

docs/sample_config.yaml

@@ -925,10 +925,6 @@ uploads_path: "DATADIR/uploads"
 #
 # macaroon_secret_key: <PRIVATE STRING>
 
-# Used to enable access token expiration.
-#
-#expire_access_token: False
-
 # a secret which is used to calculate HMACs for form values, to stop
 # falsification of values. Must be specified for the User Consent
 # forms to work.

synapse/api/auth.py

@@ -410,21 +410,16 @@ def _parse_and_validate_macaroon(self, token, rights="access"):
  try:
  user_id = self.get_user_id_from_macaroon(macaroon)
 
- has_expiry = False
  guest = False
  for caveat in macaroon.caveats:
- if caveat.caveat_id.startswith("time "):
- has_expiry = True
- elif caveat.caveat_id == "guest = true":
+ if caveat.caveat_id == "guest = true":
  guest = True
 
- self.validate_macaroon(
- macaroon, rights, self.hs.config.expire_access_token, user_id=user_id
- )
+ self.validate_macaroon(macaroon, rights, user_id=user_id)
  except (pymacaroons.exceptions.MacaroonException, TypeError, ValueError):
  raise InvalidClientTokenError("Invalid macaroon passed.")
 
- if not has_expiry and rights == "access":
+ if rights == "access":
  self.token_cache[token] = (user_id, guest)
 
  return user_id, guest
@@ -450,15 +445,14 @@ def get_user_id_from_macaroon(self, macaroon):
  return caveat.caveat_id[len(user_prefix) :]
  raise InvalidClientTokenError("No user caveat in macaroon")
 
- def validate_macaroon(self, macaroon, type_string, verify_expiry, user_id):
+ def validate_macaroon(self, macaroon, type_string, user_id):
  """
  validate that a Macaroon is understood by and was signed by this server.
 
  Args:
  macaroon(pymacaroons.Macaroon): The macaroon to validate
  type_string(str): The kind of token required (e.g. "access",
  "delete_pusher")
- verify_expiry(bool): Whether to verify whether the macaroon has expired.
  user_id (str): The user_id required
  """
  v = pymacaroons.Verifier()
@@ -471,19 +465,7 @@ def validate_macaroon(self, macaroon, type_string, verify_expiry, user_id):
  v.satisfy_exact("type = " + type_string)
  v.satisfy_exact("user_id = %s" % user_id)
  v.satisfy_exact("guest = true")
-
- # verify_expiry should really always be True, but there exist access
- # tokens in the wild which expire when they should not, so we can't
- # enforce expiry yet (so we have to allow any caveat starting with
- # 'time < ' in access tokens).
- #
- # On the other hand, short-term login tokens (as used by CAS login, for
- # example) have an expiry time which we do want to enforce.
-
- if verify_expiry:
- v.satisfy_general(self._verify_expiry)
- else:
- v.satisfy_general(lambda c: c.startswith("time < "))
+ v.satisfy_general(self._verify_expiry)
 
  # access_tokens include a nonce for uniqueness: any value is acceptable
  v.satisfy_general(lambda c: c.startswith("nonce = "))

synapse/config/key.py

@@ -116,8 +116,6 @@ def read_config(self, config, config_dir_path, **kwargs):
  seed = bytes(self.signing_key[0])
  self.macaroon_secret_key = hashlib.sha256(seed).digest()
 
- self.expire_access_token = config.get("expire_access_token", False)
-
  # a secret which is used to calculate HMACs for form values, to stop
  # falsification of values
  self.form_secret = config.get("form_secret", None)
@@ -144,10 +142,6 @@ def generate_config_section(
  #
  %(macaroon_secret_key)s
 
- # Used to enable access token expiration.
- #
- #expire_access_token: False
-
  # a secret which is used to calculate HMACs for form values, to stop
  # falsification of values. Must be specified for the User Consent
  # forms to work.

synapse/handlers/auth.py

@@ -860,7 +860,7 @@ def validate_short_term_login_token_and_get_user_id(self, login_token):
  try:
  macaroon = pymacaroons.Macaroon.deserialize(login_token)
  user_id = auth_api.get_user_id_from_macaroon(macaroon)
- auth_api.validate_macaroon(macaroon, "login", True, user_id)
+ auth_api.validate_macaroon(macaroon, "login", user_id)
  except Exception:
  raise AuthError(403, "Invalid token", errcode=Codes.FORBIDDEN)
  self.ratelimit_login_per_account(user_id)

tests/handlers/test_register.py

@@ -44,7 +44,7 @@ def make_homeserver(self, reactor, clock):
  hs_config["max_mau_value"] = 50
  hs_config["limit_usage_by_mau"] = True
 
- hs = self.setup_test_homeserver(config=hs_config, expire_access_token=True)
+ hs = self.setup_test_homeserver(config=hs_config)
  return hs
 
  def prepare(self, reactor, clock, hs):

tests/server_notices/test_resource_limits_server_notices.py

@@ -36,7 +36,7 @@ def make_homeserver(self, reactor, clock):
  "room_name": "Server Notices",
  }
 
- hs = self.setup_test_homeserver(config=hs_config, expire_access_token=True)
+ hs = self.setup_test_homeserver(config=hs_config)
  return hs
 
  def prepare(self, reactor, clock, hs):

tests/utils.py

@@ -126,7 +126,6 @@ def default_config(name, parse=False):
  "enable_registration": True,
  "enable_registration_captcha": False,
  "macaroon_secret_key": "not even a little secret",
- "expire_access_token": False,
  "trusted_third_party_id_servers": [],
  "room_invite_state_types": [],
  "password_providers": [],