Improve request verification. Allow unbind only for configured matrix domain.

Add description about the MSC1915 configuration.
2019-08-07 21:47:10 +03:00 · 2019-08-05 22:15:53 +03:00
2 changed files with 21 additions and 10 deletions
--- a/docs/configure.md
+++ b/docs/configure.md
@@ -45,6 +45,14 @@ Create a list under the label `myOtherServers` containing two Identity servers:
 - `server.port`: HTTP port to listen on (unencrypted)
 - `server.publicUrl`: Defaults to `https://{server.name}`

+## Unbind (MSC1915)
+- `session.policy.unbind.enabled`: Enable or disable unbind functionality (MSC1915). (Defaults to true).
+
+*Warning*: Unbind check incoming request by two ways:
+- session validation.
+- request signature via `X-Matrix` header and uses `server.publicUrl` property to construct the signing json;
+Commonly the `server.publicUrl` should be the same value as the `trusted_third_party_id_servers` property in the synapse config.
+
 ## Storage
 ### SQLite
 `storage.provider.sqlite.database`: Absolute location of the SQLite database
--- a/src/main/java/io/kamax/mxisd/session/SessionManager.java
+++ b/src/main/java/io/kamax/mxisd/session/SessionManager.java
@@ -218,8 +218,15 @@ public class SessionManager {
            throw new BadRequestException("Missing required 3PID");
        }

+        // We only allow unbind for the domain we manage, mirroring bind
+        final CharSequence domain = cfg.getMatrix().getDomain();
+        if (!StringUtils.equalsIgnoreCase(domain, mxid.getDomain())) {
+            throw new NotAllowedException("Only Matrix IDs from domain " + domain + " can be unbound");
+        }
+
+        log.info("Request was authorized.");
        if (StringUtils.isNotBlank(sid) && StringUtils.isNotBlank(secret)) {
-            checkSession(sid, secret, tpid, mxid);
+            checkSession(sid, secret, tpid);
        } else if (StringUtils.isNotBlank(auth)) {
            checkAuthorization(auth, reqData);
        } else {
@@ -269,6 +276,10 @@ public class SessionManager {
            throw new BadRequestException("Missing required header parameters");
        }

+        if (!cfg.getMatrix().getDomain().equalsIgnoreCase(origin)) {
+            throw new NotAllowedException("Only Matrix IDs from domain " + origin + " can be unbound");
+        }
+
        JsonObject jsonObject = new JsonObject();
        jsonObject.addProperty("method", "POST");
        jsonObject.addProperty("uri", "/_matrix/identity/api/v1/3pid/unbind");
@@ -340,7 +351,7 @@ public class SessionManager {
        log.info("Request was authorized.");
    }

-    private void checkSession(String sid, String secret, ThreePid tpid, _MatrixID mxid) {
+    private void checkSession(String sid, String secret, ThreePid tpid) {
        // We ensure the session was validated
        ThreePidSession session = getSessionIfValidated(sid, secret);

@@ -348,13 +359,5 @@ public class SessionManager {
        if (!session.getThreePid().equals(tpid)) {
            throw new BadRequestException("3PID to unbind does not match the one from the validated session");
        }
-
-        // We only allow unbind for the domain we manage, mirroring bind
-        final CharSequence domain = cfg.getMatrix().getDomain();
-        if (!StringUtils.equalsIgnoreCase(domain, mxid.getDomain())) {
-            throw new NotAllowedException("Only Matrix IDs from domain " + domain + " can be unbound");
-        }
-
-        log.info("Request was authorized.");
    }
 }
Author	SHA1	Message	Date
Anatoly Sablin	a112a5e57c	Improve request verification. Allow unbind only for configured matrix domain.	2019-08-07 21:47:10 +03:00
Anatoly Sablin	dbc764fe65	Add description about the MSC1915 configuration.	2019-08-05 22:15:53 +03:00