diff options
author | Jason Robinson <jasonr@matrix.org> | 2021-01-04 12:43:23 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-04 10:43:23 +0000 |
commit | 597350a67f6fc803e1a81e4d651be3efbd0d5907 (patch) | |
tree | 6381f965ebe9e6ac80a09990647707d934a4220a /userapi/internal | |
parent | e7f2d770df5bef435f8cb04e1ca4885e80902644 (diff) |
Ensure appservices can auth as users in their namespaces (#1672)
* Ensure appservices can auth as users in their namespaces
Currently in Dendrite appservices can only auth as a user if the user was created by said appservice. This does not align with the appservices spec which specifically says:
> The application service may specify the virtual user to act as through use of a user_id query string parameter on the request. The user specified in the query string must be covered by one of the application service’s user namespaces.
https://matrix.org/docs/spec/application_service/r0.1.2#identity-assertion
In the case that a user has been created for example via manual registration but belongs to an appservice namespace, the current functionality does not allow appservices to auth as them. This PR fixes that by replacing the appservice ID check with a check against the appservice namespace.
This also matches Synapse functionality, which I confirmed to allow appservices to auth as a user in their namespace, irregardless of how the user was registered.
* Also allow appservice itself to auth with user_id
Appservice user_id + access token check needs to work both when user_id is the appservice and when appservice has the user in their user namespace.
Signed-off-by: Jason Robinson <mail@jasonrobinson.me>
Diffstat (limited to 'userapi/internal')
-rw-r--r-- | userapi/internal/api.go | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/userapi/internal/api.go b/userapi/internal/api.go index c1b9bcab..cf588a40 100644 --- a/userapi/internal/api.go +++ b/userapi/internal/api.go @@ -390,8 +390,9 @@ func (a *UserInternalAPI) queryAppServiceToken(ctx context.Context, token, appSe if localpart != "" { // AS is masquerading as another user // Verify that the user is registered account, err := a.AccountDB.GetAccountByLocalpart(ctx, localpart) - // Verify that account exists & appServiceID matches - if err == nil && account.AppServiceID == appService.ID { + // Verify that the account exists and either appServiceID matches or + // it belongs to the appservice user namespaces + if err == nil && (account.AppServiceID == appService.ID || appService.IsInterestedInUserID(appServiceUserID)) { // Set the userID of dummy device dev.UserID = appServiceUserID return &dev, nil |