aboutsummaryrefslogtreecommitdiff
path: root/userapi/internal
diff options
context:
space:
mode:
authorJason Robinson <jasonr@matrix.org>2021-01-04 12:43:23 +0200
committerGitHub <noreply@github.com>2021-01-04 10:43:23 +0000
commit597350a67f6fc803e1a81e4d651be3efbd0d5907 (patch)
tree6381f965ebe9e6ac80a09990647707d934a4220a /userapi/internal
parente7f2d770df5bef435f8cb04e1ca4885e80902644 (diff)
Ensure appservices can auth as users in their namespaces (#1672)
* Ensure appservices can auth as users in their namespaces Currently in Dendrite appservices can only auth as a user if the user was created by said appservice. This does not align with the appservices spec which specifically says: > The application service may specify the virtual user to act as through use of a user_id query string parameter on the request. The user specified in the query string must be covered by one of the application service’s user namespaces. https://matrix.org/docs/spec/application_service/r0.1.2#identity-assertion In the case that a user has been created for example via manual registration but belongs to an appservice namespace, the current functionality does not allow appservices to auth as them. This PR fixes that by replacing the appservice ID check with a check against the appservice namespace. This also matches Synapse functionality, which I confirmed to allow appservices to auth as a user in their namespace, irregardless of how the user was registered. * Also allow appservice itself to auth with user_id Appservice user_id + access token check needs to work both when user_id is the appservice and when appservice has the user in their user namespace. Signed-off-by: Jason Robinson <mail@jasonrobinson.me>
Diffstat (limited to 'userapi/internal')
-rw-r--r--userapi/internal/api.go5
1 files changed, 3 insertions, 2 deletions
diff --git a/userapi/internal/api.go b/userapi/internal/api.go
index c1b9bcab..cf588a40 100644
--- a/userapi/internal/api.go
+++ b/userapi/internal/api.go
@@ -390,8 +390,9 @@ func (a *UserInternalAPI) queryAppServiceToken(ctx context.Context, token, appSe
if localpart != "" { // AS is masquerading as another user
// Verify that the user is registered
account, err := a.AccountDB.GetAccountByLocalpart(ctx, localpart)
- // Verify that account exists & appServiceID matches
- if err == nil && account.AppServiceID == appService.ID {
+ // Verify that the account exists and either appServiceID matches or
+ // it belongs to the appservice user namespaces
+ if err == nil && (account.AppServiceID == appService.ID || appService.IsInterestedInUserID(appServiceUserID)) {
// Set the userID of dummy device
dev.UserID = appServiceUserID
return &dev, nil