Fix incorrectly sending authentication tokens to application service as headers #14301

Merged
merged 3 commits into from
Oct 26, 2022
1 change: 1 addition & 0 deletions changelog.d/14301.bugfix
@@ -0,0 +1 @@
Fix a bug introduced in Synapse 1.70.0rc1 where access tokens would be incorrectly sent to application services as headers. Application services which were obtaining access tokens from query parameters were not affected.
12 changes: 7 additions & 5 deletions synapse/appservice/api.py
Expand Up @@ -123,7 +123,7 @@ async def query_user(self, service: "ApplicationService", user_id: str) -> bool:
response = await self.get_json(
uri,
{"access_token": service.hs_token},
headers={"Authorization": f"Bearer {service.hs_token}"},
headers={"Authorization": [f"Bearer {service.hs_token}"]},
)
if response is not None: # just an empty json object
return True
Expand All @@ -147,7 +147,7 @@ async def query_alias(self, service: "ApplicationService", alias: str) -> bool:
response = await self.get_json(
uri,
{"access_token": service.hs_token},
headers={"Authorization": f"Bearer {service.hs_token}"},
headers={"Authorization": [f"Bearer {service.hs_token}"]},
)
if response is not None: # just an empty json object
return True
Expand Down Expand Up @@ -190,7 +190,9 @@ async def query_3pe(
b"access_token": service.hs_token,
}
response = await self.get_json(
uri, args=args, headers={"Authorization": f"Bearer {service.hs_token}"}
uri,
args=args,
headers={"Authorization": [f"Bearer {service.hs_token}"]},
)
if not isinstance(response, list):
logger.warning(
Expand Down Expand Up @@ -230,7 +232,7 @@ async def _get() -> Optional[JsonDict]:
info = await self.get_json(
uri,
{"access_token": service.hs_token},
headers={"Authorization": f"Bearer {service.hs_token}"},
headers={"Authorization": [f"Bearer {service.hs_token}"]},
)

if not _is_valid_3pe_metadata(info):
Expand Down Expand Up @@ -327,7 +329,7 @@ async def push_bulk(
uri=uri,
json_body=body,
args={"access_token": service.hs_token},
headers={"Authorization": f"Bearer {service.hs_token}"},
headers={"Authorization": [f"Bearer {service.hs_token}"]},
)
if logger.isEnabledFor(logging.DEBUG):
logger.debug(
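Review bot: The header literal `{"Authorization": [f"Bearer {service.hs_token}"]}` is now hand-built at five call sites (query_user, query_alias, query_3pe, the `_get` helper and push_bulk), which is how the wrong value shape reached all of them at once in the first place. A single private helper on the class, e.g. `def _auth_headers(self, service: "ApplicationService"): return {"Authorization": [f"Bearer {service.hs_token}"]}`, would keep the list-wrapping in one place and make the next shape change a one-line edit. The accompanying test change in this PR only exercises query_3pe, so the other four sites appear to be covered by review alone; a test asserting the header shape for at least push_bulk would close that gap. query_user's body continues outside this hunk, and the remaining hunks in this file carry the same change.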
8 changes: 5 additions & 3 deletions tests/appservice/test_api.py
Expand Up @@ -11,7 +11,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from typing import Any, List, Mapping
from typing import Any, List, Mapping, Sequence, Union
from unittest.mock import Mock

from twisted.test.proto_helpers import MemoryReactor
Expand Down Expand Up @@ -70,13 +70,15 @@ def test_query_3pe_authenticates_token(self):
self.request_url = None

async def get_json(
url: str, args: Mapping[Any, Any], headers: Mapping[Any, Any]
url: str,
args: Mapping[Any, Any],
headers: Mapping[Union[str, bytes], Sequence[Union[str, bytes]]],
) -> List[JsonDict]:
# Ensure the access token is passed as both a header and query arg.
if not headers.get("Authorization") or not args.get(b"access_token"):
raise RuntimeError("Access token not provided")

self.assertEqual(headers.get("Authorization"), f"Bearer {TOKEN}")
self.assertEqual(headers.get("Authorization"), [f"Bearer {TOKEN}"])
self.assertEqual(args.get(b"access_token"), TOKEN)
self.request_url = url
if url == URL_USER:
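Review bot: The new annotation `headers: Mapping[Union[str, bytes], Sequence[Union[str, bytes]]]` on the `get_json` stub still admits the buggy shape, because a bare `str` is itself a `Sequence[str]`, so a type checker would not have flagged `{"Authorization": "Bearer ..."}` against it. If the intent is to pin the list-of-values shape the production code now sends, `headers: Mapping[Union[str, bytes], List[Union[str, bytes]]],` (List is already imported on this file) is the narrower stub signature, leaving the runtime `assertEqual` against `[f"Bearer {TOKEN}"]` as the behavioural check. The enclosing test_query_3pe_authenticates_token and the stub's own body continue outside the hunk.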