Make registration idempotent #649
Conversation
…t give you an access token for the user that was registered on previous uses of that session. Tweak the UI auth layer to not delete sessions when their auth has completed and hence expire themn so they don't hang around until server restart. Allow server-side data to be associated with UI auth sessions.
| @@ -455,11 +485,17 @@ def add_threepid(self, user_id, medium, address, validated_at): | |||
| def _save_session(self, session): | |||
| # TODO: Persistent storage | |||
| logger.debug("Saving session %s", session) | |||
| session["last_used"] = time.time() | |||
There was a problem hiding this comment.
Why not use hs.get_clock()?
We generally try and consistently use milliseconds internally, rather than seconds.
|
To what extend do we care if session information gets dropped on the floor over restarts? |
|
We probably do care that session information gets dropped over restarts, but no more so now than before, so I think that would be a separate fix. |
| @@ -263,7 +293,7 @@ def _get_session_info(self, session_id): | |||
| if not session_id: | |||
| # create a new session | |||
| while session_id is None or session_id in self.sessions: | |||
| session_id = stringutils.random_string(24) | |||
| session_id = stringutils.random_string_with_symbols(24) | |||
There was a problem hiding this comment.
Do the session ids get sent to the client? Or they purely internal?
There was a problem hiding this comment.
They get sent to the client
There was a problem hiding this comment.
Its probably fine, but random_string_with_symbols will return a lot of silly symbols, so I've tended to avoid using them in public APIs (especially for anything that is used as query string params)
There was a problem hiding this comment.
Yeah, maybe - this one only goes into json so it should be fine, but possibly the extra token space isn't worth it.
Fair enough |
| last_used = 0 | ||
| if 'last_used' in sess: | ||
| last_used = sess['last_used'] | ||
| if last_used < self.hs.get_clock().time() - AuthHandler.SESSION_EXPIRE_MS: |
|
LGTM |
…d continue with the registration process if/when it succeeds. Fixes element-hq/element-web#1027 Requires matrix-org/synapse#650 and matrix-org/synapse#649
If you specify the same session, make it give you an access token for the user that was registered on previous uses of that session. Tweak the UI auth layer to not delete sessions when their auth has completed and hence expire them so they don't hang around until server restart. Allow server-side data to be associated with UI auth sessions.
sytest: matrix-org/sytest#213
Fixes element-hq/element-web#957