Enable and spec authorization and json validation

mautrix_telegram/__main__.py

@@ -93,7 +93,7 @@ if config["appservice.public.enabled"]:
     appserv.app.add_subapp(config["appservice.public.prefix"] or "/public", public.app)
 
 if config["appservice.provisioning.enabled"]:
-    provisioning_api = ProvisioningAPI(loop)
+    provisioning_api = ProvisioningAPI(config, loop)
     appserv.app.add_subapp(config["appservice.provisioning.prefix"] or "/_matrix/provisioning",
                            provisioning_api.app)
 

mautrix_telegram/web/provisioning/__init__.py

@@ -16,6 +16,7 @@
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 from aiohttp import web
 import logging
+import json
 
 from ...user import User
 from ..common import AuthAPI
@@ -24,8 +25,9 @@ from ..common import AuthAPI
 class ProvisioningAPI(AuthAPI):
     log = logging.getLogger("mau.web.provisioning")
 
-    def __init__(self, loop):
+    def __init__(self, config, loop):
         super().__init__(loop)
+        self.secret = config["appservice.provisioning.shared_secret"]
 
         self.app = web.Application(loop=loop)
 
@@ -56,43 +58,50 @@ class ProvisioningAPI(AuthAPI):
         return web.json_response(resp, status=status)
 
     async def get_request_info(self, request: web.Request):
+        auth = request.headers.get("Authorization", "")
+        if auth != f"Bearer {self.secret}":
+            return None, None, self.get_login_response(error="Shared secret is not valid.",
+                                                       errcode="shared_secret_invalid",
+                                                       status=401)
+
+        data = None
+        try:
+            data = await request.json()
+        except json.JSONDecodeError:
+            pass
+        if not data:
+            return None, None, self.get_login_response(error="Invalid JSON.",
+                                                       errcode="json_invalid", status=400)
+
         mxid = request.match_info["mxid"]
         user = await User.get_by_mxid(mxid).ensure_started(even_if_no_session=True)
         if not user.puppet_whitelisted:
-            return None, user, self.get_login_response(mxid=user.mxid,
-                                                       error="You are not whitelisted.",
+            return None, user, self.get_login_response(error="You are not whitelisted.",
                                                        errcode="mxid_not_whitelisted", status=403)
         elif await user.is_logged_in():
-            return None, user, self.get_login_response(mxid=user.mxid, username=user.username,
-                                                       status=409)
-
-        try:
-            data = await request.json()
-        except Exception:
-            return None, user, self.get_login_response(mxid=user.mxid, error="Invalid JSON.",
-                                                       errcode="invalid_json", status=400)
+            return None, user, self.get_login_response(username=user.username, status=409)
         return data, user, None
 
     async def send_bot_token(self, request: web.Request):
         data, user, err = await self.get_request_info(request)
-        if err:
+        if err is not None:
             return err
         return await self.post_login_token(user, data.get("token", ""))
 
     async def request_code(self, request: web.Request):
         data, user, err = await self.get_request_info(request)
-        if err:
+        if err is not None:
             return err
         return await self.post_login_phone(user, data.get("phone", ""))
 
     async def send_code(self, request: web.Request):
         data, user, err = await self.get_request_info(request)
-        if err:
+        if err is not None:
             return err
         return await self.post_login_code(user, data.get("code", 0), password_in_data=False)
 
     async def send_password(self, request: web.Request):
         data, user, err = await self.get_request_info(request)
-        if err:
+        if err is not None:
             return err
         return await self.post_login_password(user, data.get("password", ""))

mautrix_telegram/web/provisioning/spec.yaml

@@ -39,7 +39,7 @@ paths:
         400:
           $ref: "#/responses/MissingMXIDError"
         401:
-          description: Invalid or expired bot token
+          description: Invalid or expired bot token or invalid shared secret
           schema:
             type: object
             title: Error
@@ -52,6 +52,7 @@ paths:
                 enum:
                 - bot_token_invalid
                 - bot_token_expired
+                - shared_secret_invalid
               error:
                 $ref: "#/definitions/HumanReadableError"
         403:
@@ -87,7 +88,7 @@ paths:
           schema:
             $ref: "#/definitions/AuthSuccess"
         400:
-          description: Invalid phone number or missing Matrix ID
+          description: Invalid phone number or JSON or missing Matrix ID
           schema:
             type: object
             title: Error
@@ -100,6 +101,21 @@ paths:
                 enum:
                 - phone_number_invalid
                 - mxid_empty
+                - json_invalid
+              error:
+                $ref: "#/definitions/HumanReadableError"
+        401:
+          description: Invalid shared secret
+          schema:
+            type: object
+            title: Error
+            properties:
+              errcode:
+                type: string
+                title: Error code
+                description: A machine-readable error code
+                enum:
+                - shared_secret_invalid
               error:
                 $ref: "#/definitions/HumanReadableError"
         403:
@@ -185,7 +201,7 @@ paths:
         400:
           $ref: "#/responses/MissingMXIDError"
         401:
-          description: Invalid phone code
+          description: Invalid phone code or shared secret
           schema:
             type: object
             title: Error
@@ -196,6 +212,7 @@ paths:
                 description: A machine-readable error code
                 enum:
                 - phone_code_invalid
+                - shared_secret_invalid
               error:
                 $ref: "#/definitions/HumanReadableError"
         403:
@@ -246,7 +263,7 @@ paths:
           schema:
             $ref: "#/definitions/AuthSuccess"
         400:
-          description: Missing password or Matrix ID
+          description: Missing password or Matrix ID or invalid JSON
           schema:
             type: object
             title: Error
@@ -259,10 +276,11 @@ paths:
                 enum:
                 - password_empty
                 - mxid_empty
+                - json_invalid
               error:
                 $ref: "#/definitions/HumanReadableError"
         401:
-          description: Incorrect password
+          description: Incorrect password or invalid shared secret
           schema:
             type: object
             title: Error
@@ -273,6 +291,7 @@ paths:
                 description: A machine-readable error code
                 enum:
                 - password_invalid
+                - shared_secret_invalid
               error:
                 $ref: "#/definitions/HumanReadableError"
         403:
@@ -327,7 +346,7 @@ responses:
           type: string
           description: The Telegram username the user is logged in as.
   MissingMXIDError:
-    description: Missing Matrix ID
+    description: Missing Matrix ID or invalid JSON.
     schema:
       type: object
       title: Error
@@ -338,6 +357,7 @@ responses:
           description: A machine-readable error code
           enum:
           - mxid_empty
+          - json_invalid
         error:
           $ref: "#/definitions/HumanReadableError"
   UnknownError: