This repository was archived by the owner on Apr 26, 2024. It is now read-only.
Send password reset from HS: database stuff#5308
Merged
anoadragon453 merged 12 commits intoJun 5, 2019
Merged
Conversation
Codecov Report
@@ Coverage Diff @@
## anoa/feature_hs_password_resets #5308 +/- ##
===================================================================
- Coverage 63.04% 62.76% -0.29%
===================================================================
Files 341 341
Lines 35637 35536 -101
Branches 5835 5816 -19
===================================================================
- Hits 22468 22304 -164
- Misses 11598 11662 +64
+ Partials 1571 1570 -1 |
Member
|
New schema change should go in |
erikjohnston
suggested changes
Jun 4, 2019
| """Remove threepid validation tokens with expiry dates that have passed""" | ||
| def cull_expired_threepid_validation_tokens_txn(txn, ts): | ||
| sql = ("DELETE FROM threepid_validation_token WHERE " | ||
| "expires < ?") |
Member
There was a problem hiding this comment.
Can you use multiline strings please, it makes it easier to change/c+p etc
| expires BIGINT NOT NULL | ||
| ); | ||
|
|
||
| CREATE INDEX threepid_validations_session_id ON threepid_validation_session(session_id); |
Member
There was a problem hiding this comment.
This will create a duplicate index I believe, since PRIMARY KEY will create a unique index.
|
|
||
| CREATE INDEX threepid_validations_session_id ON threepid_validation_session(session_id); | ||
|
|
||
| CREATE INDEX threepid_validation_token_session_id ON threepid_validation_token(session_id); |
anoadragon453
changed the base branch from
develop
to
anoa/feature_hs_password_resets
erikjohnston
approved these changes
Jun 5, 2019
Member
erikjohnston
left a comment
erikjohnston
left a comment
There was a problem hiding this comment.
Just fix up the sql a bit and then merge into your base branch
| Args: | ||
| medium (str): The medium of the 3PID | ||
| address (str): The address of the 3PID | ||
| sid (str): The ID of the validation session |
Member
There was a problem hiding this comment.
What does it mean if these are None?
|
|
||
| if sid: | ||
| keyvalues["session_id"] = sid | ||
| elif address: |
Member
There was a problem hiding this comment.
elif? If we expect that only one is set, then let's assert that
| "client_secret", "last_send_attempt", "validated_at", | ||
| ] | ||
|
|
||
| sql = "SELECT %s FROM threepid_validation_session" % ", ".join(cols_to_return) |
Member
There was a problem hiding this comment.
Just stick these in the path rather than string concatenating them, see below
| # Convert the resulting row to a dictionary | ||
| ret = {} | ||
| for i in range(len(cols_to_return)): | ||
| ret[cols_to_return[i]] = row[i] |
Member
There was a problem hiding this comment.
We have helper function that uses the returned data structure to do this for us. Instead of txn.fetchone():
rows = self.cursor_to_dict(txn)
if not rows:
return None
return rows[0]| if not row: | ||
| raise ThreepidValidationError( | ||
| 400, "Validation token not found or has expired", | ||
| ) |
Member
There was a problem hiding this comment.
If we're are conditionally doing stuff we should do this in a txn.
anoadragon453
force-pushed
the
anoa/hs_password_reset_database
branch
from
1505cd6 to
8f9daa4
Compare
anoadragon453
added a commit
that referenced
this pull request
Jun 6, 2019
…identity server (#5377) Sends password reset emails from the homeserver instead of proxying to the identity server. This is now the default behaviour for security reasons. If you wish to continue proxying password reset requests to the identity server you must now enable the email.trust_identity_server_for_password_resets option. This PR is a culmination of 3 smaller PRs which have each been separately reviewed: * #5308 * #5345 * #5368
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Database component of new behaviour of sending password reset emails from Synapse instead of Sydent.
Allows one to store threepid validation sessions along with password reset token attempts and retrieve them again.
Relevant spec bits:
https://matrix.org/docs/spec/client_server/unstable.html#post-matrix-client-r0-account-password-email-requesttoken
https://matrix.org/docs/spec/identity_service/r0.1.0.html#post-matrix-identity-api-v1-validate-email-submittoken
Essentially the flow is:
/requestTokenis made with an email address, a client secret and a send_attempt to the homeserver/submitTokenon the homeserver, and we check if those three vars match up with a session and a validation request