Skip to content
This repository was archived by the owner on Apr 26, 2024. It is now read-only.

#12274 org.matrix.login.jwt login succeeded even if user is deactivated#12276

Closed
laurent-treeb wants to merge 1 commit intomatrix-org:developfrom
laurent-treeb:hotfix/12274
Closed

#12274 org.matrix.login.jwt login succeeded even if user is deactivated#12276
laurent-treeb wants to merge 1 commit intomatrix-org:developfrom
laurent-treeb:hotfix/12274

Conversation

@laurent-treeb
Copy link

@laurent-treeb laurent-treeb commented Mar 23, 2022

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Pull request includes a sign off
  • Code style is correct
    (run the linters)

@laurent-treeb laurent-treeb requested a review from a team as a code owner March 23, 2022 16:02
@laurent-treeb laurent-treeb mentioned this pull request Mar 23, 2022
Closed
@dklimpel
Copy link
Contributor

dklimpel commented Mar 24, 2022

Is it useful to create a test to avoid it in feature?

clokep
clokep reviewed Mar 24, 2022
View reviewed changes
synapse/rest/client/login.py
Comment on lines +322 to +325
else: # check if user deactivated
deactivated = await self.hs.get_datastore().get_user_deactivated_status(canonical_uid)
if deactivated:
raise UserDeactivatedError("This account has been deactivated")
Copy link
Member

@clokep clokep Mar 24, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't look quite right since it is in the create_non_existent_users block.

I'd be curious where we check for deactivation for password users / SSO users and why that isn't being applied properly. Can we consolidate that logic into a single spot?

Copy link
Member

@anoadragon453 anoadragon453 Mar 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Annoyingly the place where we currently check for user deactivation is while authenticating against the local password database:

synapse/synapse/handlers/auth.py

Lines 1379 to 1383 in e24ff8e

# If the password hash is None, the account has likely been deactivated
if not password_hash:
deactivated = await self.store.get_user_deactivated_status(user_id)
if deactivated:
raise UserDeactivatedError("This account has been deactivated")
.

Thankfully we can check if a user is deactivated via the deactivated column on the users table (rather than using an empty password hash as a heuristic).

So I'd recommend pulling the user deactivated check out of _check_local_password and instead moving it into _validate_userid_login, such that it can be applied to all user logins; not just those against the local password database.

Copy link
Member

@clokep clokep Mar 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for digging into that @anoadragon453! That sounds sensible to me... I think we did something like this for SSO too at some point.

Looks like we did something specific for SSO too (see #7240).

Copy link
Member

@anoadragon453 anoadragon453 Mar 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, it makes sense that you'd want to show an error page for SSO flows, rather than raising an UserDeactivatedError.

Still, the local password and JWT flows could be consolidated.

@anoadragon453 anoadragon453 linked an issue Mar 28, 2022 that may be closed by this pull request
org.matrix.login.jwt login succeeded even if user is deactivated #12274
Closed
@DMRobertson DMRobertson added the X-Awaiting-Changes A contributed PR which needs changes and re-review before it can be merged label May 6, 2022
@clokep
Copy link
Member

clokep commented Apr 14, 2023

Closing due to lack of response. If you're still interested in working on this please take a look at the review comments above and let us know.

@clokep clokep closed this Apr 14, 2023
@clokep clokep mentioned this pull request May 18, 2023
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@clokep clokep clokep left review comments

@anoadragon453 anoadragon453 anoadragon453 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

X-Awaiting-Changes A contributed PR which needs changes and re-review before it can be merged

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

org.matrix.login.jwt login succeeded even if user is deactivated

5 participants

@laurent-treeb @dklimpel @clokep @anoadragon453 @DMRobertson