This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Clean up synapse.api.auth.Auth #13019
Assignees
Labels
T-Task
Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks.
Comments
4 tasks
|
Another thought: I think it would make sense to make the permissions-related functions pass a |
4 tasks
reivilibre
added
the
T-Task
This was referenced Jun 15, 2022
richvdh
pushed a commit
that referenced
this issue
Aug 22, 2022
…`Requester` instead of the `UserID` (#13024) Part of #13019 This changes all the permission-related methods to rely on the Requester instead of the UserID. This is a first step towards enabling scoped access tokens at some point, since I expect the Requester to have scope-related informations in it. It also changes methods which figure out the user/device/appservice out of the access token to return a Requester instead of something else. This avoids having store-related objects in the methods signatures.
|
@sandhose Is this all set? I don't see any remaining work. |
|
The only outstanding thing from @sandhose's list is
which might still be worthwhile? |
|
Let's close, if the last remaining item is valuable then lets open a new issue. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I'm trying to make sense to what is in
synapse.api.auth.Auth.The goal is to extract a clear interface for verifying access tokens, so we can override that more easily for the OIDC work.
I already cleaned up things related to access token verification & macaroons in #12986
I'm finding a few method types:
check_user_in_room_or_world_readablecheck_can_change_room_listcheck_user_in_roomis_server_adminhas_access_tokenget_access_token_from_requestget_user_by_access_tokenget_user_by_reqget_appservice_by_reqThere is also
check_auth_blocking, which only acts as a proxy toAuthBlocking.check_auth_blocking.Note that
is_server_adminis also a simple proxy toRegistrationWorkerStore.is_server_admin.The other interesting thing I found out is that
check_user_in_roomis called from three places:check_user_in_room_or_world_readable(which makes sense)rest.client.room.TimestampLookupRestServlet, which looks like an oversight, and should probably callcheck_user_in_room_or_world_readableinsteadOther interesting things about a method:
get_appservice_by_reqis called from three places:/register, which seems not necessary, since a few lines bellow it would raise anyway if the appservice does not existDELETE /directory/room/<room_alias>, for some reason?/login, which looks like the only legit place where it is calledSo, what I would like to do is:
check_auth_blockingmethod, and use directlyAuthBlocking.check_auth_blockingwhere it makes sense Decouplesynapse.api.auth_blocking.AuthBlockingfromsynapse.api.auth.Auth. #13021TimestampLookupRestServletusecheck_user_in_room_or_world_readableAllow MSC3030 'timestamp_to_event' calls from anyone on world-readable rooms. #13062get_appservice_by_req:Auth.get_user_by_reqfor checking the AS token. #13094The text was updated successfully, but these errors were encountered: