Pydantic for add_threepid endpoints

changelog.d/13188.feature

@@ -1 +1 @@
-Improve validation of request bodies for the following client-server API endpoints: [`/account/3pid/msisdn/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidmsisdnrequesttoken).
+Improve validation of request bodies for the following client-server API endpoints: [`/account/3pid/msisdn/requestToken`](https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3account3pidmsisdnrequesttoken). Also improve validation for Synapse-internal `/add_threepid` endpoints.

synapse/rest/client/account.py

@@ -36,7 +36,6 @@
     assert_params_in_dict,
     parse_and_validate_json_object_from_request,
     parse_json_object_from_request,
-    parse_string,
 )
 from synapse.http.site import SynapseRequest
 from synapse.metrics import threepid_send_requests
@@ -45,6 +44,7 @@
     AuthenticationData,
     EmailRequestTokenBody,
     MsisdnRequestTokenBody,
+    AddThreepidSubmitTokenBody,
 )
 from synapse.rest.models import RequestBodyModel
 from synapse.types import JsonDict
@@ -491,16 +491,15 @@ async def on_GET(self, request: Request) -> None:
                 400, "Adding an email to your account is disabled on this server"
             )
 
-        sid = parse_string(request, "sid", required=True)
-        token = parse_string(request, "token", required=True)
-        client_secret = parse_string(request, "client_secret", required=True)
-        assert_valid_client_secret(client_secret)
+        body = parse_and_validate_json_object_from_request(
+            request, AddThreepidSubmitTokenBody
+        )
 
         # Attempt to validate a 3PID session
         try:
             # Mark the session as valid
             next_link = await self.store.validate_threepid_session(
-                sid, client_secret, token, self.clock.time_msec()
+                body.sid, body.client_secret, body.token, self.clock.time_msec()
             )
 
             # Perform a 302 redirect if next_link is set
@@ -547,16 +546,16 @@ async def on_POST(self, request: Request) -> Tuple[int, JsonDict]:
                 "instead.",
             )
 
-        body = parse_json_object_from_request(request)
-        assert_params_in_dict(body, ["client_secret", "sid", "token"])
-        assert_valid_client_secret(body["client_secret"])
+        body = parse_and_validate_json_object_from_request(
+            request, AddThreepidSubmitTokenBody
+        )
 
         # Proxy submit_token request to msisdn threepid delegate
         response = await self.identity_handler.proxy_msisdn_submit_token(
             self.config.registration.account_threepid_delegate_msisdn,
-            body["client_secret"],
-            body["sid"],
-            body["token"],
+            body.client_secret,
+            body.sid,
+            body.token,
         )
         return 200, response
 

synapse/rest/client/models.py

@@ -36,18 +36,20 @@ class Config:
     type: Optional[StrictStr] = None
 
 
-class ThreePidRequestTokenBody(RequestBodyModel):
-    if TYPE_CHECKING:
-        client_secret: StrictStr
-    else:
-        # See also assert_valid_client_secret()
-        client_secret: constr(
-            regex="[0-9a-zA-Z.=_-]",  # noqa: F722
-            min_length=0,
-            max_length=255,
-            strict=True,
-        )
+if TYPE_CHECKING:
+    ClientSecretType = StrictStr
+else:
+    # See also assert_valid_client_secret()
+    ClientSecretType = constr(
+        regex="[0-9a-zA-Z.=_-]",
+        min_length=0,
+        max_length=255,
+        strict=True,
+    )
+
 
+class ThreePidRequestTokenBody(RequestBodyModel):
+    client_secret: ClientSecretType
     id_server: Optional[StrictStr]
     id_access_token: Optional[StrictStr]
     next_link: Optional[StrictStr]
@@ -77,3 +79,9 @@ class MsisdnRequestTokenBody(ThreePidRequestTokenBody):
     # Two-letter uppercase ISO-3166-1-alpha-2
     country: StrictStr
     phone_number: StrictStr
+
+
+class AddThreepidSubmitTokenBody(RequestBodyModel):
+    sid: StrictStr
+    token: StrictStr
+    client_secret: ClientSecretType