Only clear the session once the final request comes through without a…

…n auth flow.
matrix-org · Mar 20, 2020 · 90c2b6c · 90c2b6c
1 parent afe0a36
commit 90c2b6c
Showing 1 changed file with 8 additions and 9 deletions.
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
@@ -343,8 +343,11 @@ def check_auth(
                     list(clientdict),
                 )
 
-                # Blow away the session so it can not be re-used.
-                self._invalidate_session(session["id"])
+                # If the authentication flow is complete and this is the
+                # subsequent request, mark this session as invalid, so it cannot
+                # be re-used.
+                if "type" not in authdict:
+                    self._remove_session(session["id"])
 
                 return creds, clientdict, session["id"]
 
@@ -518,13 +521,9 @@ def _get_session_info(self, session_id: Optional[str]) -> dict:
 
         return self.sessions[session_id]
 
-    def _invalidate_session(self, session_id) -> None:
-        """Invalidate session information for session ID"""
-        session = self.sessions.get(session_id, None)
-        if session and "ui_auth" in session:
-            # Set the items in the ui_auth session to sentinel values that can
-            # never be equaled.
-            session["ui_auth"] = object()
+    def _remove_session(self, session_id) -> None:
+        """Remove a session (if it exists)."""
+        self.sessions.pop(session_id, None)
 
     @defer.inlineCallbacks
     def get_access_token_for_user_id(