From a112a5e57cb38ad282939d2dcb9c1476e038af39 Mon Sep 17 00:00:00 2001
From: Anatoly Sablin <sablintolya@gmail.com>
Date: Wed, 7 Aug 2019 21:44:50 +0300
Subject: [PATCH] Improve request verification. Allow unbind only for
 configured matrix domain.

---
 .../kamax/mxisd/session/SessionManager.java   | 23 +++++++++++--------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/src/main/java/io/kamax/mxisd/session/SessionManager.java b/src/main/java/io/kamax/mxisd/session/SessionManager.java
index 3b50d64..004cb58 100644
--- a/src/main/java/io/kamax/mxisd/session/SessionManager.java
+++ b/src/main/java/io/kamax/mxisd/session/SessionManager.java
@@ -218,8 +218,15 @@ public class SessionManager {
             throw new BadRequestException("Missing required 3PID");
         }
 
+        // We only allow unbind for the domain we manage, mirroring bind
+        final CharSequence domain = cfg.getMatrix().getDomain();
+        if (!StringUtils.equalsIgnoreCase(domain, mxid.getDomain())) {
+            throw new NotAllowedException("Only Matrix IDs from domain " + domain + " can be unbound");
+        }
+
+        log.info("Request was authorized.");
         if (StringUtils.isNotBlank(sid) && StringUtils.isNotBlank(secret)) {
-            checkSession(sid, secret, tpid, mxid);
+            checkSession(sid, secret, tpid);
         } else if (StringUtils.isNotBlank(auth)) {
             checkAuthorization(auth, reqData);
         } else {
@@ -269,6 +276,10 @@ public class SessionManager {
             throw new BadRequestException("Missing required header parameters");
         }
 
+        if (!cfg.getMatrix().getDomain().equalsIgnoreCase(origin)) {
+            throw new NotAllowedException("Only Matrix IDs from domain " + origin + " can be unbound");
+        }
+
         JsonObject jsonObject = new JsonObject();
         jsonObject.addProperty("method", "POST");
         jsonObject.addProperty("uri", "/_matrix/identity/api/v1/3pid/unbind");
@@ -340,7 +351,7 @@ public class SessionManager {
         log.info("Request was authorized.");
     }
 
-    private void checkSession(String sid, String secret, ThreePid tpid, _MatrixID mxid) {
+    private void checkSession(String sid, String secret, ThreePid tpid) {
         // We ensure the session was validated
         ThreePidSession session = getSessionIfValidated(sid, secret);
 
@@ -348,13 +359,5 @@ public class SessionManager {
         if (!session.getThreePid().equals(tpid)) {
             throw new BadRequestException("3PID to unbind does not match the one from the validated session");
         }
-
-        // We only allow unbind for the domain we manage, mirroring bind
-        final CharSequence domain = cfg.getMatrix().getDomain();
-        if (!StringUtils.equalsIgnoreCase(domain, mxid.getDomain())) {
-            throw new NotAllowedException("Only Matrix IDs from domain " + domain + " can be unbound");
-        }
-
-        log.info("Request was authorized.");
     }
 }