
Stabilise support for MSC2918 refresh tokens as they have now been merged into the Matrix specification. #11435

Merged
merged 10 commits into from
Dec 6, 2021
19 changes: 10 additions & 9 deletions synapse/rest/client/login.py
@@ -163,15 +163,16 @@ def on_GET(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
async def on_POST(self, request: SynapseRequest) -> Tuple[int, LoginResponse]:
login_submission = parse_json_object_from_request(request)

if self._refresh_tokens_enabled:
# Check if this login should also issue a refresh token, as per MSC2918
should_issue_refresh_token = login_submission.get(
LoginRestServlet.REFRESH_TOKEN_PARAM, False
)
if not isinstance(should_issue_refresh_token, bool):
raise SynapseError(400, "`refresh_token` should be true or false.")
else:
should_issue_refresh_token = False
# Check to see if the client requested a refresh token.
client_requested_refresh_token = login_submission.get(
LoginRestServlet.REFRESH_TOKEN_PARAM, False
)
if not isinstance(client_requested_refresh_token, bool):
raise SynapseError(400, "`refresh_token` should be true or false.")

should_issue_refresh_token = (
self._refresh_tokens_enabled and client_requested_refresh_token
)
Comment on lines +173 to +175
Contributor


If they request a refresh token but it's not enabled on this server, are clients required to fall back to the old non-refreshable mechanism?

Contributor Author


Yep! That'd be the same as connecting to a server that doesn't support refresh tokens.


try:
if login_submission["type"] in (
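Review bot: The `isinstance` check on `client_requested_refresh_token` now runs before `self._refresh_tokens_enabled` is consulted, so a homeserver with refresh tokens turned off will start answering 400 to a login whose `refresh_token` field is not a boolean, where the removed branch never looked at the field. If that stricter behaviour is intended, say so next to the check, e.g. `# Validated even when refresh tokens are disabled, so a malformed request fails the same way on every server.`, and cover the disabled-server case with a test. Separately, `should_issue_refresh_token` takes the value of `self._refresh_tokens_enabled` itself whenever that is falsy; if the attribute can be anything other than a strict bool (its definition is not visible here), wrap the expression in `bool(...)`. on_POST continues past the end of this hunk.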
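--- a/synapse/rest/client/register.py
+++ b/synapse/rest/client/register.py
@@ -445,14 +445,15 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
 f"Do not understand membership kind: {kind}",
 )
 
-if self._refresh_tokens_enabled:
-# Check if this registration should also issue a refresh token, as
-# per MSC2918
-should_issue_refresh_token = body.get("refresh_token", False)
-if not isinstance(should_issue_refresh_token, bool):
-raise SynapseError(400, "`refresh_token` should be true or false.")
-else:
-should_issue_refresh_token = False
+# Check if the clients wishes for this registration to issue a refresh
+# token.
+client_requested_refresh_tokens = body.get("refresh_token", False)
+if not isinstance(client_requested_refresh_tokens, bool):
+raise SynapseError(400, "`refresh_token` should be true or false.")
+
+should_issue_refresh_token = (
+self._refresh_tokens_enabled and client_requested_refresh_tokens
+)
 
 # Pull out the provided username and do basic sanity checks early since
 # the auth layer will store these in sessions.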
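Review bot: The refresh-token parsing here duplicates the block in login.py but has already drifted from it: it reads the literal `"refresh_token"` where login.py uses `LoginRestServlet.REFRESH_TOKEN_PARAM`, and the local is `client_requested_refresh_tokens` (plural) against `client_requested_refresh_token` there. Both endpoints make the same token-issuance decision, so a single shared helper that parses and validates the field would keep their validation from diverging; at minimum the names should be aligned. The new comment also has a typo; suggest `# Check whether the client wishes for this registration to issue a refresh token.` on_POST starts before and continues after this hunk.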