Implementation for blocking fraudulent 3PID /unbind attempts

2019-02-01 02:34:52 +01:00
parent 4237eeb3b6
commit 635f6fdbe7
21 changed files with 361 additions and 37 deletions
--- a/src/main/java/io/kamax/mxisd/http/undertow/handler/identity/v1/SessionTpidUnbindHandler.java
+++ b/src/main/java/io/kamax/mxisd/http/undertow/handler/identity/v1/SessionTpidUnbindHandler.java
@@ -21,10 +21,9 @@
 package io.kamax.mxisd.http.undertow.handler.identity.v1;

 import com.google.gson.JsonObject;
-import io.kamax.mxisd.exception.FeatureNotAvailable;
-import io.kamax.mxisd.exception.NotAllowedException;
 import io.kamax.mxisd.http.IsAPIv1;
 import io.kamax.mxisd.http.undertow.handler.BasicHttpHandler;
+import io.kamax.mxisd.session.SessionMananger;
 import io.undertow.server.HttpServerExchange;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -33,38 +32,19 @@ public class SessionTpidUnbindHandler extends BasicHttpHandler {

    public static final String Path = IsAPIv1.Base + "/3pid/unbind";

-    private transient final Logger log = LoggerFactory.getLogger(SessionTpidUnbindHandler.class);
+    private static final Logger log = LoggerFactory.getLogger(SessionTpidUnbindHandler.class);
+
+    private final SessionMananger sessMgr;
+
+    public SessionTpidUnbindHandler(SessionMananger sessMgr) {
+        this.sessMgr = sessMgr;
+    }

    @Override
    public void handleRequest(HttpServerExchange exchange) {
        JsonObject body = parseJsonObject(exchange);
-
-        // TODO also check for HS header to know which domain attempting the unbind
-        if (body.entrySet().size() == 2 && body.has("mxisd") && body.has("threepid")) {
-            /* This is a HS request to remove a 3PID and is considered:
-             * - An attack on user privacy
-             * - A baffling spec breakage requiring IS and HS 3PID info to be independent [1]
-             * - A baffling spec breakage that 3PID (un)bind is only one way [2]
-             *
-             * Given the lack of response on our extensive feedback on the proposal [3] which has not landed in the spec yet [4],
-             * We'll be denying such unbind requests and will inform users using their 3PID that a fraudulent attempt of
-             * removing their 3PID binding has been attempting but blocked.
-             *
-             * [1]: https://matrix.org/docs/spec/client_server/r0.4.0.html#adding-account-administrative-contact-information
-             * [2]: https://matrix.org/docs/spec/identity_service/r0.1.0.html#privacy
-             * [3]: https://docs.google.com/document/d/135g2muVxmuml0iUnLoTZxk8M2ZSt3kJzg81chGh51yg/edit
-             * [4]: https://github.com/matrix-org/matrix-doc/issues/1194
-             */
-
-            log.warn("A remote host attempted to unbind without proper authorization. Request was denied");
-
-            // TODO notify the 3PID owner
-
-            throw new NotAllowedException("You have attempted to alter 3PID bindings, which can only be done by the 3PID owner directly. " +
-                    "We have informed the 3PID owner of your fraudulent attempt.");
-        }
-
-        throw new FeatureNotAvailable("Unbind using a 3PID session is not defined in the spec");
+        sessMgr.unbind(body);
+        writeBodyAsUtf8(exchange, "{}");
    }

 }