This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Add ability to perform password reset via email without trusting the identity server #5377
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Database component of new behaviour of sending password reset emails from Synapse instead of Sydent. Allows one to store threepid validation sessions along with password reset token attempts and retrieve them again.
* Ability to send password reset emails This changes the default behaviour of Synapse to send password reset emails itself rather than through an identity server. The reasoning behind the change is to prevent a malicious identity server from being able to initiate a password reset attempt and then answering it, successfully resetting their password, all without the user's knowledge. This also aides in decentralisation by putting less trust on the identity server itself, which traditionally is quite centralised. If users wish to continue with the old behaviour of proxying password reset requests through the user's configured identity server, they can do so by setting email.enable_password_reset_from_is to True in Synapse's config. Users should be able that with that option disabled (the default), password resets will now no longer work unless email sending has been enabled and set up correctly. * Fix validation token lifetime email_ prefix * Add changelog * Update manifest to include txt/html template files * Update db * mark jinja2 and bleach as required dependencies * Add email settings to default unit test config * Update unit test template dir * gen sample config * Add html5lib as a required dep * Modify check for smtp settings to be kinder to CI * silly linting rules * Correct html5lib dep version number * one more time * Change template_dir to originate from synapse root dir * Revert "Modify check for smtp settings to be kinder to CI" This reverts commit 6d2d3c9. * Move templates. New option to disable password resets * Update templates and make password reset option work * Change jinja2 and bleach back to opt deps * Update email condition requirement * Only import jinja2/bleach if we need it * Update sample config * Revert manifest changes for new res directory * Remove public_baseurl from unittest config * infer ability to reset password from email config * Address review comments * regen sample config * test for ci * Remove CI test * fix bug? * Run bg update on the master process
* Ability to send password reset emails This changes the default behaviour of Synapse to send password reset emails itself rather than through an identity server. The reasoning behind the change is to prevent a malicious identity server from being able to initiate a password reset attempt and then answering it, successfully resetting their password, all without the user's knowledge. This also aides in decentralisation by putting less trust on the identity server itself, which traditionally is quite centralised. If users wish to continue with the old behaviour of proxying password reset requests through the user's configured identity server, they can do so by setting email.enable_password_reset_from_is to True in Synapse's config. Users should be able that with that option disabled (the default), password resets will now no longer work unless email sending has been enabled and set up correctly. * Fix validation token lifetime email_ prefix * Add changelog * Update manifest to include txt/html template files * Update db * mark jinja2 and bleach as required dependencies * Add email settings to default unit test config * Update unit test template dir * gen sample config * Add html5lib as a required dep * Modify check for smtp settings to be kinder to CI * silly linting rules * Correct html5lib dep version number * one more time * Change template_dir to originate from synapse root dir * Revert "Modify check for smtp settings to be kinder to CI" This reverts commit 6d2d3c9. * Move templates. New option to disable password resets * Update templates and make password reset option work * Change jinja2 and bleach back to opt deps * Update email condition requirement * Only import jinja2/bleach if we need it * Update sample config * Revert manifest changes for new res directory * Remove public_baseurl from unittest config * infer ability to reset password from email config * Reimplementation of /submitToken on the homeserver side. Only used by password resets This PR creates an endpoint GET/POST /_matrix/identity/api/v1/validate/email/submitToken which mirrors the same endpoint on the identity server used for submitting tokens used for validating 3PID addresses. When the token is submitted, it is checked along with the client_secret and session_id in the db and if it matches and isn't expired, we mark the session as validated. Then, when the user attempts to change their password, we check if the session is valid, and if so allow it. We also delete the session at this point, as as far as I can tell there's no further use for it. * Add changelog * fix merge issue * regen sample config * Address review comments * regen sample config * test for ci * Remove CI test * fix bug? * Move endpoint to _synapse * Run bg update on the master process * update endpoint * lint * Fix clientip bug * Fix bugs with database * Make servlet clearer * Fix checkers, remove debug logging * We don't support msisdn, geddit? * Fix typo and logic issue * lint
Codecov Report
@@ Coverage Diff @@
## develop #5377 +/- ##
==========================================
- Coverage 63.03% 62.83% -0.2%
==========================================
Files 341 341
Lines 35660 35838 +178
Branches 5838 5872 +34
==========================================
+ Hits 22478 22520 +42
- Misses 11612 11743 +131
- Partials 1570 1575 +5 |
erikjohnston
approved these changes
Jun 6, 2019
neilisfragile
added a commit
that referenced
this pull request
Jun 7, 2019
Synapse 1.0.0rc1 (2019-06-07) ============================= Features -------- - Synapse now more efficiently collates room statistics. ([\#4338](#4338), [\#5260](#5260), [\#5324](#5324)) - Add experimental support for relations (aka reactions and edits). ([\#5220](#5220)) - Ability to configure default room version. ([\#5223](#5223), [\#5249](#5249)) - Allow configuring a range for the account validity startup job. ([\#5276](#5276)) - CAS login will now hit the r0 API, not the deprecated v1 one. ([\#5286](#5286)) - Validate federation server TLS certificates by default (implements [MSC1711](https://github.com/matrix-org/matrix-doc/blob/master/proposals/1711-x509-for-federation.md)). ([\#5359](#5359)) - Update /_matrix/client/versions to reference support for r0.5.0. ([\#5360](#5360)) - Add a script to generate new signing-key files. ([\#5361](#5361)) - Update upgrade and installation guides ahead of 1.0. ([\#5371](#5371)) - Replace the `perspectives` configuration section with `trusted_key_servers`, and make validating the signatures on responses optional (since TLS will do this job for us). ([\#5374](#5374)) - Add ability to perform password reset via email without trusting the identity server. ([\#5377](#5377)) - Set default room version to v4. ([\#5379](#5379)) Bugfixes -------- - Fixes client-server API not sending "m.heroes" to lazy-load /sync requests when a rooms name or its canonical alias are empty. Thanks to @dnaf for this work! ([\#5089](#5089)) - Prevent federation device list updates breaking when processing multiple updates at once. ([\#5156](#5156)) - Fix worker registration bug caused by ClientReaderSlavedStore being unable to see get_profileinfo. ([\#5200](#5200)) - Fix race when backfilling in rooms with worker mode. ([\#5221](#5221)) - Fix appservice timestamp massaging. ([\#5233](#5233)) - Ensure that server_keys fetched via a notary server are correctly signed. ([\#5251](#5251)) - Show the correct error when logging out and access token is missing. ([\#5256](#5256)) - Fix error code when there is an invalid parameter on /_matrix/client/r0/publicRooms ([\#5257](#5257)) - Fix error when downloading thumbnail with missing width/height parameter. ([\#5258](#5258)) - Fix schema update for account validity. ([\#5268](#5268)) - Fix bug where we leaked extremities when we soft failed events, leading to performance degradation. ([\#5274](#5274), [\#5278](#5278), [\#5291](#5291)) - Fix "db txn 'update_presence' from sentinel context" log messages. ([\#5275](#5275)) - Fix dropped logcontexts during high outbound traffic. ([\#5277](#5277)) - Fix a bug where it is not possible to get events in the federation format with the request `GET /_matrix/client/r0/rooms/{roomId}/messages`. ([\#5293](#5293)) - Fix performance problems with the rooms stats background update. ([\#5294](#5294)) - Fix noisy 'no key for server' logs. ([\#5300](#5300)) - Fix bug where a notary server would sometimes forget old keys. ([\#5307](#5307)) - Prevent users from setting huge displaynames and avatar URLs. ([\#5309](#5309)) - Fix handling of failures when processing incoming events where calling `/event_auth` on remote server fails. ([\#5317](#5317)) - Ensure that we have an up-to-date copy of the signing key when validating incoming federation requests. ([\#5321](#5321)) - Fix various problems which made the signing-key notary server time out for some requests. ([\#5333](#5333)) - Fix bug which would make certain operations (such as room joins) block for 20 minutes while attemoting to fetch verification keys. ([\#5334](#5334)) - Fix a bug where we could rapidly mark a server as unreachable even though it was only down for a few minutes. ([\#5335](#5335), [\#5340](#5340)) - Fix a bug where account validity renewal emails could only be sent when email notifs were enabled. ([\#5341](#5341)) - Fix failure when fetching batches of events during backfill, etc. ([\#5342](#5342)) - Add a new room version where the timestamps on events are checked against the validity periods on signing keys. ([\#5348](#5348), [\#5354](#5354)) - Fix room stats and presence background updates to correctly handle missing events. ([\#5352](#5352)) - Include left members in room summaries' heroes. ([\#5355](#5355)) - Fix `federation_custom_ca_list` configuration option. ([\#5362](#5362)) - Fix missing logcontext warnings on shutdown. ([\#5369](#5369)) Improved Documentation ---------------------- - Fix docs on resetting the user directory. ([\#5282](#5282)) - Fix notes about ACME in the MSC1711 faq. ([\#5357](#5357)) Internal Changes ---------------- - Synapse will now serve the experimental "room complexity" API endpoint. ([\#5216](#5216)) - The base classes for the v1 and v2_alpha REST APIs have been unified. ([\#5226](#5226), [\#5328](#5328)) - Simplifications and comments in do_auth. ([\#5227](#5227)) - Remove urllib3 pin as requests 2.22.0 has been released supporting urllib3 1.25.2. ([\#5230](#5230)) - Preparatory work for key-validity features. ([\#5232](#5232), [\#5234](#5234), [\#5235](#5235), [\#5236](#5236), [\#5237](#5237), [\#5244](#5244), [\#5250](#5250), [\#5296](#5296), [\#5299](#5299), [\#5343](#5343), [\#5347](#5347), [\#5356](#5356)) - Specify the type of reCAPTCHA key to use. ([\#5283](#5283)) - Improve sample config for monthly active user blocking. ([\#5284](#5284)) - Remove spurious debug from MatrixFederationHttpClient.get_json. ([\#5287](#5287)) - Improve logging for logcontext leaks. ([\#5288](#5288)) - Clarify that the admin change password API logs the user out. ([\#5303](#5303)) - New installs will now use the v54 full schema, rather than the full schema v14 and applying incremental updates to v54. ([\#5320](#5320)) - Improve docstrings on MatrixFederationClient. ([\#5332](#5332)) - Clean up FederationClient.get_events for clarity. ([\#5344](#5344)) - Various improvements to debug logging. ([\#5353](#5353)) - Don't run CI build checks until sample config check has passed. ([\#5370](#5370)) - Automatically retry buildkite builds (max twice) when an agent is lost. ([\#5380](#5380))
|
this implements parts of MSC2078. |
richvdh
added a commit
that referenced
this pull request
Sep 24, 2019
Added in #5377, apparently in error
richvdh
added a commit
that referenced
this pull request
Sep 24, 2019
Added in #5377, apparently in error
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
THIS HAS A VULNERABILITY. See 49e01e5
Sends password reset emails from the homeserver instead of proxying to the identity server. This is now the default behaviour for security reasons. If you wish to continue proxying password reset requests to the identity server you must now enable the
email.trust_identity_server_for_password_resetsoption.This PR is a culmination of 3 smaller PRs which have each been separately reviewed: