This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
SSO: redirect to public URL before setting cookies #9436
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
richvdh
commented
Feb 18, 2021
|
When would requests arrive at the wrong URL? (Is this due to delegation of some kind?) |
The canonical CS API (and hence Mostly for historical reasons, it's also possible to log in via |
clokep
reviewed
Feb 18, 2021
richvdh
force-pushed
the
rav/fix_cookie_path
branch
from
33ce200
to
8299db8
Compare
Hit synapse on the public_baseurl to avoid a redirect.
richvdh
force-pushed
the
rav/fix_cookie_path
branch
from
8299db8
to
7167082
Compare
richvdh
commented
Feb 24, 2021
| BASE_URL = "https://synapse/" | ||
| # synapse server name: used to populate public_base_url in some tests | ||
| SYNAPSE_SERVER_PUBLIC_HOSTNAME = "synapse" | ||
| BASE_URL = "http://%s/" % (SYNAPSE_SERVER_PUBLIC_HOSTNAME,) |
There was a problem hiding this comment.
swapping to http here, because FakeChannel.isSecure() returns False, so synapse will see the requested uri as http://synapse/.... Configuring that as the public_baseurl avoids the redirect.
There was a problem hiding this comment.
Might be good to include this comment in the code. Just looking at the file, I'd be a bit confused why other URLs here were https, but not the public base url.
There was a problem hiding this comment.
fair enough. I've updated some comments.
richvdh
commented
Feb 24, 2021
tests/rest/client/v1/utils.py
Outdated
Comment on lines
553
to
566
| # that should 302 us to the public base url | ||
| assert channel.code == 302 | ||
| location = channel.headers.getRawHeaders("Location")[0] | ||
| parts = urllib.parse.urlsplit(location) | ||
| channel = make_request( | ||
| self.hs.get_reactor(), | ||
| self.site, | ||
| "GET", | ||
| urllib.parse.urlunsplit(("", "") + parts[2:]), | ||
| custom_headers=[ | ||
| ("Host", parts[1]), | ||
| ], | ||
| ) | ||
|
|
There was a problem hiding this comment.
this was the easiest way of figuring out what the Host header should be set to.
richvdh
commented
Feb 24, 2021
| @@ -161,7 +161,7 @@ class UIAuthTests(unittest.HomeserverTestCase): | |||
|
|
|||
| def default_config(self): | |||
| config = super().default_config() | |||
| config["public_baseurl"] = "https://synapse.test" | |||
| config["public_baseurl"] = "http://synapse.test" | |||
|
I think this is finally ready-for-review after a week of banging my head against various infrastructure-related problems. The commits should be reviewable independently. |
anoadragon453
approved these changes
Feb 26, 2021
| BASE_URL = "https://synapse/" | ||
| # synapse server name: used to populate public_base_url in some tests | ||
| SYNAPSE_SERVER_PUBLIC_HOSTNAME = "synapse" | ||
| BASE_URL = "http://%s/" % (SYNAPSE_SERVER_PUBLIC_HOSTNAME,) |
There was a problem hiding this comment.
Might be good to include this comment in the code. Just looking at the file, I'd be a bit confused why other URLs here were https, but not the public base url.
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Mar 14, 2021
Synapse 1.29.0 (2021-03-08) =========================== Note that synapse now expects an `X-Forwarded-Proto` header when used with a reverse proxy. Please see [UPGRADE.rst](UPGRADE.rst#upgrading-to-v1290) for more details on this change. No significant changes. Synapse 1.29.0rc1 (2021-03-04) ============================== Features -------- - Add rate limiters to cross-user key sharing requests. ([\#8957](matrix-org/synapse#8957)) - Add `order_by` to the admin API `GET /_synapse/admin/v1/users/<user_id>/media`. Contributed by @dklimpel. ([\#8978](matrix-org/synapse#8978)) - Add some configuration settings to make users' profile data more private. ([\#9203](matrix-org/synapse#9203)) - The `no_proxy` and `NO_PROXY` environment variables are now respected in proxied HTTP clients with the lowercase form taking precedence if both are present. Additionally, the lowercase `https_proxy` environment variable is now respected in proxied HTTP clients on top of existing support for the uppercase `HTTPS_PROXY` form and takes precedence if both are present. Contributed by Timothy Leung. ([\#9372](matrix-org/synapse#9372)) - Add a configuration option, `user_directory.prefer_local_users`, which when enabled will make it more likely for users on the same server as you to appear above other users. ([\#9383](matrix-org/synapse#9383), [\#9385](matrix-org/synapse#9385)) - Add support for regenerating thumbnails if they have been deleted but the original image is still stored. ([\#9438](matrix-org/synapse#9438)) - Add support for `X-Forwarded-Proto` header when using a reverse proxy. ([\#9472](matrix-org/synapse#9472), [\#9501](matrix-org/synapse#9501), [\#9512](matrix-org/synapse#9512), [\#9539](matrix-org/synapse#9539)) Bugfixes -------- - Fix a bug where users' pushers were not all deleted when they deactivated their account. ([\#9285](matrix-org/synapse#9285), [\#9516](matrix-org/synapse#9516)) - Fix a bug where a lot of unnecessary presence updates were sent when joining a room. ([\#9402](matrix-org/synapse#9402)) - Fix a bug that caused multiple calls to the experimental `shared_rooms` endpoint to return stale results. ([\#9416](matrix-org/synapse#9416)) - Fix a bug in single sign-on which could cause a "No session cookie found" error. ([\#9436](matrix-org/synapse#9436)) - Fix bug introduced in v1.27.0 where allowing a user to choose their own username when logging in via single sign-on did not work unless an `idp_icon` was defined. ([\#9440](matrix-org/synapse#9440)) - Fix a bug introduced in v1.26.0 where some sequences were not properly configured when running `synapse_port_db`. ([\#9449](matrix-org/synapse#9449)) - Fix deleting pushers when using sharded pushers. ([\#9465](matrix-org/synapse#9465), [\#9466](matrix-org/synapse#9466), [\#9479](matrix-org/synapse#9479), [\#9536](matrix-org/synapse#9536)) - Fix missing startup checks for the consistency of certain PostgreSQL sequences. ([\#9470](matrix-org/synapse#9470)) - Fix a long-standing bug where the media repository could leak file descriptors while previewing media. ([\#9497](matrix-org/synapse#9497)) - Properly purge the event chain cover index when purging history. ([\#9498](matrix-org/synapse#9498)) - Fix missing chain cover index due to a schema delta not being applied correctly. Only affected servers that ran development versions. ([\#9503](matrix-org/synapse#9503)) - Fix a bug introduced in v1.25.0 where `/_synapse/admin/join/` would fail when given a room alias. ([\#9506](matrix-org/synapse#9506)) - Prevent presence background jobs from running when presence is disabled. ([\#9530](matrix-org/synapse#9530)) - Fix rare edge case that caused a background update to fail if the server had rejected an event that had duplicate auth events. ([\#9537](matrix-org/synapse#9537)) Improved Documentation ---------------------- - Update the example systemd config to propagate reloads to individual units. ([\#9463](matrix-org/synapse#9463)) Internal Changes ---------------- - Add documentation and type hints to `parse_duration`. ([\#9432](matrix-org/synapse#9432)) - Remove vestiges of `uploads_path` configuration setting. ([\#9462](matrix-org/synapse#9462)) - Add a comment about systemd-python. ([\#9464](matrix-org/synapse#9464)) - Test that we require validated email for email pushers. ([\#9496](matrix-org/synapse#9496)) - Allow python to generate bytecode for synapse. ([\#9502](matrix-org/synapse#9502)) - Fix incorrect type hints. ([\#9515](matrix-org/synapse#9515), [\#9518](matrix-org/synapse#9518)) - Add type hints to device and event report admin API. ([\#9519](matrix-org/synapse#9519)) - Add type hints to user admin API. ([\#9521](matrix-org/synapse#9521)) - Bump the versions of mypy and mypy-zope used for static type checking. ([\#9529](matrix-org/synapse#9529))
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
... otherwise, we don't get the cookie back.