Update code and links following Matrix 1.0 release

- Support 3PID unbind via 3PID sessions
2019-06-12 00:17:43 +02:00
parent 29603682e5
commit f85345bc97
7 changed files with 56 additions and 62 deletions
--- a/src/main/java/io/kamax/mxisd/http/undertow/handler/identity/v1/SessionTpidUnbindHandler.java
+++ b/src/main/java/io/kamax/mxisd/http/undertow/handler/identity/v1/SessionTpidUnbindHandler.java
@@ -21,15 +21,22 @@
 package io.kamax.mxisd.http.undertow.handler.identity.v1;

 import com.google.gson.JsonObject;
+import io.kamax.mxisd.exception.BadRequestException;
+import io.kamax.mxisd.exception.NotAllowedException;
 import io.kamax.mxisd.http.IsAPIv1;
 import io.kamax.mxisd.http.undertow.handler.BasicHttpHandler;
 import io.kamax.mxisd.session.SessionManager;
 import io.undertow.server.HttpServerExchange;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

 public class SessionTpidUnbindHandler extends BasicHttpHandler {

    public static final String Path = IsAPIv1.Base + "/3pid/unbind";

+    private static final Logger log = LoggerFactory.getLogger(SessionTpidUnbindHandler.class);
+
    private final SessionManager sessionMgr;

    public SessionTpidUnbindHandler(SessionManager sessionMgr) {
@@ -38,6 +45,18 @@ public class SessionTpidUnbindHandler extends BasicHttpHandler {

    @Override
    public void handleRequest(HttpServerExchange exchange) {
+        String auth = exchange.getRequestHeaders().getFirst("Authorization");
+        if (StringUtils.isNotEmpty(auth)) {
+            // We have a auth header to process
+            if (StringUtils.startsWith(auth, "X-Matrix ")) {
+                log.warn("A remote host attempted to unbind without proper authorization. Request was denied");
+                log.warn("See https://github.com/kamax-matrix/mxisd/wiki/mxisd-and-your-privacy for more info");
+                throw new NotAllowedException("3PID can only be removed via 3PID sessions, not via Homeserver signature");
+            } else {
+                throw new BadRequestException("Illegal authorization type");
+            }
+        }
+
        JsonObject body = parseJsonObject(exchange);
        sessionMgr.unbind(body);
        writeBodyAsUtf8(exchange, "{}");