https://github.com/ma1uta/ma1sd/issues/3 Allow extended character sets for backward compatibility.

Add the configuration description for enable/disable unbind feature in the session.md
Merge pull request #5 from eyecreate/patch-2
2019-10-23 00:09:29 +03:00 · 2019-10-22 23:54:53 +03:00 · 2019-10-22 20:52:46 +00:00 · 2019-10-21 20:27:33 +00:00 · 2019-10-21 16:06:23 -04:00 · 2019-10-21 15:33:28 -04:00
6 changed files with 43 additions and 17 deletions
--- a/README.md
+++ b/README.md
@@ -15,7 +15,8 @@ ma1sd - Federated Matrix Identity Server

 ---

-* This project is a fork of the https://github.com/kamax-matrix/mxisd which has been archived and no longer supported. *
+* This project is a fork (not successor) of the https://github.com/kamax-matrix/mxisd, which has been archived and no longer maintained as a standalone product.
+Also, ma1sd is supported by the volunteer not developers of the original project.

 ---

--- a/docs/configure.md
+++ b/docs/configure.md
@@ -45,6 +45,14 @@ Create a list under the label `myOtherServers` containing two Identity servers:
 - `server.port`: HTTP port to listen on (unencrypted)
 - `server.publicUrl`: Defaults to `https://{server.name}`

+## Unbind (MSC1915)
+- `session.policy.unbind.enabled`: Enable or disable unbind functionality (MSC1915). (Defaults to true).
+
+*Warning*: Unbind check incoming request by two ways:
+- session validation.
+- request signature via `X-Matrix` header and uses `server.publicUrl` property to construct the signing json;
+Commonly the `server.publicUrl` should be the same value as the `trusted_third_party_id_servers` property in the synapse config.
+
 ## Storage
 ### SQLite
 `storage.provider.sqlite.database`: Absolute location of the SQLite database
--- a/docs/threepids/session/session.md
+++ b/docs/threepids/session/session.md
@@ -103,8 +103,8 @@ session:
    validation:
      enabled: true
    unbind:
-      notification:
-        enabled: true
+      notifications: true
+      enabled: true

 # DO NOT COPY/PASTE AS-IS IN YOUR CONFIGURATION
 # CONFIGURATION EXAMPLE
@@ -115,7 +115,7 @@ are allowed to do in terms of 3PID sessions. The policy has a global on/off swit

 ---

-`unbind` controls warning notifications for 3PID removal.  
+`unbind` controls warning notifications for 3PID removal. Setting `notifications` for `unbind` to false will prevent unbind emails from sending.

 ### Web views
 Once a user click on a validation link, it is taken to the Identity Server validation page where the token is submitted.  
--- a/src/main/java/io/kamax/mxisd/auth/AuthManager.java
+++ b/src/main/java/io/kamax/mxisd/auth/AuthManager.java
@@ -140,7 +140,7 @@ public class AuthManager {
                }

                try {
-                    MatrixID.asValid(mxId);
+                    MatrixID.asAcceptable(mxId);
                } catch (IllegalArgumentException e) {
                    log.warn("The returned User ID {} is not a valid Matrix ID. Login might fail at the Homeserver level", mxId);
                }
--- a/src/main/java/io/kamax/mxisd/config/SessionConfig.java
+++ b/src/main/java/io/kamax/mxisd/config/SessionConfig.java
@@ -47,6 +47,8 @@ public class SessionConfig {
        public static class PolicyUnbind {

            private boolean enabled = true;
+            
+            private boolean notifications = true;

            public boolean getEnabled() {
                return enabled;
@@ -55,11 +57,20 @@ public class SessionConfig {
            public void setEnabled(boolean enabled) {
                this.enabled = enabled;
            }
+            
+            public boolean shouldNotify() {
+                return notifications;
+            }
+            
+            public void setNotifications(boolean notifications) {
+                this.notifications = notifications;
+            }
        }

        public Policy() {
            validation.enabled = true;
            unbind.enabled = true;
+            unbind.notifications = true;
        }

        private PolicyTemplate validation = new PolicyTemplate();
--- a/src/main/java/io/kamax/mxisd/session/SessionManager.java
+++ b/src/main/java/io/kamax/mxisd/session/SessionManager.java
@@ -57,6 +57,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import java.io.IOException;
+import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.Calendar;
@@ -218,8 +219,15 @@ public class SessionManager {
            throw new BadRequestException("Missing required 3PID");
        }

+        // We only allow unbind for the domain we manage, mirroring bind
+        final CharSequence domain = cfg.getMatrix().getDomain();
+        if (!StringUtils.equalsIgnoreCase(domain, mxid.getDomain())) {
+            throw new NotAllowedException("Only Matrix IDs from domain " + domain + " can be unbound");
+        }
+
+        log.info("Request was authorized.");
        if (StringUtils.isNotBlank(sid) && StringUtils.isNotBlank(secret)) {
-            checkSession(sid, secret, tpid, mxid);
+            checkSession(sid, secret, tpid);
        } else if (StringUtils.isNotBlank(auth)) {
            checkAuthorization(auth, reqData);
        } else {
@@ -227,7 +235,9 @@ public class SessionManager {
        }

        log.info("Unbinding of {} {} to {} is accepted", tpid.getMedium(), tpid.getAddress(), mxid.getId());
-        notifMgr.sendForUnbind(tpid);
+        if (cfg.getSession().getPolicy().getUnbind().shouldNotify()) {
+            notifMgr.sendForUnbind(tpid);
+        }
    }

    private void checkAuthorization(String auth, JsonObject reqData) {
@@ -269,11 +279,15 @@ public class SessionManager {
            throw new BadRequestException("Missing required header parameters");
        }

+        if (!cfg.getMatrix().getDomain().equalsIgnoreCase(origin)) {
+            throw new NotAllowedException("Only Matrix IDs from domain " + origin + " can be unbound");
+        }
+
        JsonObject jsonObject = new JsonObject();
        jsonObject.addProperty("method", "POST");
        jsonObject.addProperty("uri", "/_matrix/identity/api/v1/3pid/unbind");
        jsonObject.addProperty("origin", origin);
-        jsonObject.addProperty("destination_is", cfg.getServer().getPublicUrl());
+        jsonObject.addProperty("destination_is", URI.create(cfg.getServer().getPublicUrl()).getHost());
        jsonObject.add("content", reqData);

        String canonical = MatrixJson.encodeCanonical(jsonObject);
@@ -340,7 +354,7 @@ public class SessionManager {
        log.info("Request was authorized.");
    }

-    private void checkSession(String sid, String secret, ThreePid tpid, _MatrixID mxid) {
+    private void checkSession(String sid, String secret, ThreePid tpid) {
        // We ensure the session was validated
        ThreePidSession session = getSessionIfValidated(sid, secret);

@@ -348,13 +362,5 @@ public class SessionManager {
        if (!session.getThreePid().equals(tpid)) {
            throw new BadRequestException("3PID to unbind does not match the one from the validated session");
        }
-
-        // We only allow unbind for the domain we manage, mirroring bind
-        final CharSequence domain = cfg.getMatrix().getDomain();
-        if (!StringUtils.equalsIgnoreCase(domain, mxid.getDomain())) {
-            throw new NotAllowedException("Only Matrix IDs from domain " + domain + " can be unbound");
-        }
-
-        log.info("Request was authorized.");
    }
 }
Author	SHA1	Message	Date
Anatoly Sablin	b4776b50e2	https://github.com/ma1uta/ma1sd/issues/3 Allow extended character sets for backward compatibility.	2019-10-23 00:09:29 +03:00
Anatoly Sablin	2458b38b75	Add the configuration description for enable/disable unbind feature in the session.md	2019-10-22 23:54:53 +03:00
ma1uta	249e28a8b5	Merge pull request #5 from eyecreate/patch-2 Allow configuring unbind notifications to be sent or not.	2019-10-22 20:52:46 +00:00
ma1uta	ba9e2d6121	Merge pull request #4 from eyecreate/patch-1 make sure destination only contains the hostname value and not whole URL	2019-10-21 20:27:33 +00:00
eyecreate	f042b82a50	add missing import	2019-10-21 16:06:23 -04:00
eyecreate	59071177ad	typo	2019-10-21 15:33:28 -04:00
eyecreate	6450cd1f20	have session manager check session config for sending notifications on unbinds.	2019-10-21 15:30:46 -04:00
eyecreate	90bc244f3e	update docs to something that works.	2019-10-21 15:29:55 -04:00
eyecreate	6e52a509db	update session config to allow unbindin emails to not be sent.	2019-10-21 15:28:30 -04:00
eyecreate	5ca666981a	make sure destination only contains the hostname value and not whole URL When testing this, the public URL is containing the protocol "https://" which differs from synapse's values. This code makes sure to remove that extra data to signatures match. Is there ever a situation in which the public url is any different?	2019-10-21 14:31:40 -04:00
Anatoly Sablin	36f22e5ca6	Update remarks of the fork.	2019-08-15 22:46:53 +03:00
Anatoly Sablin	a112a5e57c	Improve request verification. Allow unbind only for configured matrix domain.	2019-08-07 21:47:10 +03:00
Anatoly Sablin	dbc764fe65	Add description about the MSC1915 configuration.	2019-08-05 22:15:53 +03:00