
Save the SSO user ID for later comparison to the auth user ID.
clokep committed Mar 30, 2020
1 parent 1e310f2 commit 266e7d4
Showing 2 changed files with 5 additions and 13 deletions.
15 changes: 4 additions & 11 deletions synapse/handlers/auth.py
Expand Up @@ -1045,11 +1045,7 @@ def start_sso_ui_auth(self, redirect_url: str) -> str:
return self._sso_auth_confirm_template.render(redirect_url=redirect_url,)

def complete_sso_ui_auth(
self,
registered_user_id: str,
session_id: str,
request: SynapseRequest,
requester: Requester,
self, registered_user_id: str, session_id: str, request: SynapseRequest,
):
"""Having figured out a mxid for this user, complete the HTTP request
Expand All @@ -1059,18 +1055,15 @@ def complete_sso_ui_auth(
client_redirect_url: The URL to which to redirect the user at the end of the
process.
"""
# If the user ID of the SAML session does not match the user from the
# request, something went wrong.
if registered_user_id != requester.user.to_string():
raise SynapseError(403, "SAML user does not match requester.")

# Mark the stage of the authentication as successful.
sess = self._get_session_info(session_id)
if "creds" not in sess:
sess["creds"] = {}
creds = sess["creds"]

creds[LoginType.SSO] = True
# Save the user who authenticated with SSO, this will be used to ensure
# that the account be modified is also the person who logged in.
creds[LoginType.SSO] = registered_user_id
self._save_session(sess)

# Render the HTML and return.
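Review bot: With the 403 check removed from `complete_sso_ui_auth`, the method now accepts any `registered_user_id` for any UI-auth session, so the only thing stopping an SSO login as user A from satisfying a password-free action on user B's account is a comparison of `creds[LoginType.SSO]` against the requester that is not in this diff; that consumer-side check should land in the same change, otherwise a mismatch is silently accepted in the meantime. The value stored in the session also changes type from `True` to an mxid string, so any reader that tests `creds[LoginType.SSO] is True` or expects a bool would need updating, though no such reader is visible here. The docstring still lists `client_redirect_url`, which is not a parameter of this function (the middle of the docstring sits between the two hunks, so it may also still describe the removed `requester`); I would add a line to it such as `This does NOT verify that registered_user_id matches the authenticated user; whoever consumes the UI auth session must compare creds[LoginType.SSO] to the requester's user ID.` The comment on the new lines reads `the account be modified` and should say `the account being modified`.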
3 changes: 1 addition & 2 deletions synapse/handlers/saml_handler.py
Expand Up @@ -149,9 +149,8 @@ async def handle_saml_response(self, request):

# Complete the interactive auth session or the login.
if current_session and current_session.ui_auth_session_id:
requester = await self._auth.get_user_by_req(request)
self._auth_handler.complete_sso_ui_auth(
user_id, current_session.ui_auth_session_id, request, requester
user_id, current_session.ui_auth_session_id, request
)

else:
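Review bot: Dropping `get_user_by_req` means the SAML response handler no longer requires the browser completing the flow to present a Synapse access token, so nothing in this hunk binds the IdP's response to the client that started the UI-auth session; that binding now rests entirely on `current_session.ui_auth_session_id` being unguessable and on the later user-ID comparison happening elsewhere. This is presumably deliberate, since the IdP's redirect back to the homeserver would not carry an Authorization header, but it is worth recording at the call site, e.g. `# No access token is expected here: the IdP redirect is unauthenticated, so the SSO user ID is stored in the session and checked against the requester when the UI auth session is consumed.` The enclosing `handle_saml_response` body starts and ends outside the hunk.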
