Merge pull request #1035 from matrix-org/hs/auth-provisioner

Authenticate requests to the /provision endpoint

changelog.d/1035.bugfix

@@ -0,0 +1 @@
+**SECURITY FIX** The bridge now authenticatess the /_matrix/provision set of endpoints. It now requires either a `access_token` query parameter or a `Authorization` header containing the `hs_token` provided in the registration file.

package.json

@@ -36,7 +36,7 @@
     "js-yaml": "^3.2.7",
     "logform": "^2.1.2",
     "matrix-appservice": "^0.4.1",
-    "matrix-appservice-bridge": "^1.11.1",
+    "matrix-appservice-bridge": "^1.12.1",
     "matrix-lastactive": "^0.1.3",
     "nedb": "^1.1.2",
     "nopt": "^3.0.1",

src/provisioning/Provisioner.ts

@@ -130,13 +130,20 @@ export class Provisioner {
             });
         }
 
-        // Deal with CORS (temporarily for s-web)
         app.use((req, res, next) => {
+            // Deal with CORS (temporarily for s-web)
             if (this.isProvisionRequest(req)) {
                 res.header("Access-Control-Allow-Origin", "*");
                 res.header("Access-Control-Allow-Headers",
                     "Origin, X-Requested-With, Content-Type, Accept");
             }
+            if (!this.ircBridge.getAppServiceBridge().requestCheckToken(req)) {
+                res.status(403).send({
+                    errcode: "M_FORBIDDEN",
+                    error: "Bad token supplied"
+                });
+                return;
+            }
             next();
         });
 

types/matrix-appservice-bridge/index.d.ts

@@ -260,7 +260,7 @@ declare module 'matrix-appservice-bridge' {
         getPrometheusMetrics(): PrometheusMetrics;
         getIntent(userId?: string): Intent;
         getIntentFromLocalpart(localpart: string): Intent;
-
+        requestCheckToken(req: Express.Request): boolean;
         run(port: number, config: undefined, appservice?: import("matrix-appservice").AppService, hostname?: string): void;
         registerBridgeGauges(cb: () => void): void;
         getClientFactory(): ClientFactory;