
Added possibilty to disable local password authentication #5092

Merged
merged 7 commits into from
Jun 27, 2019
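--- a/changelog.d/5092.feature
+++ b/changelog.d/5092.feature
@@ -0,0 +1 @@
+Added possibilty to disable local password authentication. Contributed by Daniel Hoffend.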
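--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1046,6 +1046,12 @@ password_config:
 #
 #enabled: false
 
+# Uncomment to disable authentication against the local password
+# database. This is ignored if `enabled` is false, and is only useful
+# if you have other password_providers.
+#
+#localdb_enabled: false
+
 # Uncomment and change to a secret random string for extra security.
 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
 #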
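--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@@ -26,6 +26,7 @@ def read_config(self, config, **kwargs):
 password_config = {}
 
 self.password_enabled = password_config.get("enabled", True)
+self.password_localdb_enabled = password_config.get("localdb_enabled", True)
 self.password_pepper = password_config.get("pepper", "")
 
 def generate_config_section(self, config_dir_path, server_name, **kwargs):
@@ -35,6 +36,12 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
 #
 #enabled: false
 
+# Uncomment to disable authentication against the local password
+# database. This is ignored if `enabled` is false, and is only useful
+# if you have other password_providers.
+#
+#localdb_enabled: false
+
 # Uncomment and change to a secret random string for extra security.
 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
 #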
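Review bot: In read_config, `password_config.get("localdb_enabled", True)` stores whatever YAML value the operator wrote, so a quoted `"false"` is a non-empty string and every truthiness check on it still treats local password authentication as enabled. Because this option exists to close an authentication path, a non-boolean value should be rejected at load time rather than fail open, for example `if not isinstance(self.password_localdb_enabled, bool): raise ConfigError("password_config.localdb_enabled must be a boolean")` (ConfigError would need importing if this module does not already have it). The `enabled` read on the line above has the same shape. read_config begins outside the hunk.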
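--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -743,7 +743,7 @@ def validate_login(self, username, login_submission):
 result = (result, None)
 defer.returnValue(result)
 
-if login_type == LoginType.PASSWORD:
+if login_type == LoginType.PASSWORD and self.hs.config.password_localdb_enabled:
 known_login_type = True
 
 canonical_user_id = yield self._check_local_password(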
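Review bot: When `password_localdb_enabled` is false the whole branch is skipped, including `known_login_type = True`, so a `LoginType.PASSWORD` submission that no provider accepted is handled by whatever follows this hunk. validate_login continues outside the visible lines; if that code reports an unrecognised login type, the client is told the type is unknown rather than that the credentials were refused. A comment on the condition would make the intent explicit, e.g. `# localdb disabled: LoginType.PASSWORD is only valid via a password provider`. It is also worth confirming that the login flows advertised to clients are not derived from `password_enabled` alone, which would keep offering password login on a server with no provider; that code is not part of this change.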
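--- a/synapse/handlers/set_password.py
+++ b/synapse/handlers/set_password.py
@@ -33,6 +33,9 @@ def __init__(self, hs):
 
 @defer.inlineCallbacks
 def set_password(self, user_id, newpassword, requester=None):
+if not self.hs.config.password_localdb_enabled:
+raise SynapseError(403, "Password change disabled", errcode=Codes.FORBIDDEN)
+
 password_hash = yield self._auth_handler.hash(newpassword)
 
 except_device_id = requester.device_id if requester else None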
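Review bot: The new guard in set_password runs before `requester` is looked at, so it refuses every caller of this handler, including calls made with `requester=None`, and nothing in the method says whether that is intended. State it in a docstring or a comment above the check, e.g. `# With the local password DB disabled nobody may set a local password, whatever the requester.` If administrative or recovery paths are meant to keep working they need an explicit exception here; those callers are outside this change. The method body continues past the hunk.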