From 94a2344f3bc8a1eadde4d04cd00e5923421afe40 Mon Sep 17 00:00:00 2001
From: Tulir Asokan
Date: Fri, 13 Jul 2018 22:47:09 +0300
Subject: [PATCH] Enable and spec authorization and json validation

---
 mautrix_telegram/__main__.py | 2 +-
 mautrix_telegram/web/provisioning/__init__.py | 39 ++++++++++++-------
 mautrix_telegram/web/provisioning/spec.yaml | 32 ++++++++++++---
 3 files changed, 51 insertions(+), 22 deletions(-)

diff --git a/mautrix_telegram/__main__.py b/mautrix_telegram/__main__.py
index 9702468f..c8865686 100644
--- a/mautrix_telegram/__main__.py
+++ b/mautrix_telegram/__main__.py
@@ -93,7 +93,7 @@ if config["appservice.public.enabled"]:
     appserv.app.add_subapp(config["appservice.public.prefix"] or "/public", public.app)
 if config["appservice.provisioning.enabled"]:
-    provisioning_api = ProvisioningAPI(loop)
+    provisioning_api = ProvisioningAPI(config, loop)
     appserv.app.add_subapp(config["appservice.provisioning.prefix"] or "/_matrix/provisioning", provisioning_api.app)
diff --git a/mautrix_telegram/web/provisioning/__init__.py b/mautrix_telegram/web/provisioning/__init__.py
index 909725c6..1c609aaf 100644
--- a/mautrix_telegram/web/provisioning/__init__.py
+++ b/mautrix_telegram/web/provisioning/__init__.py
@@ -16,6 +16,7 @@
 # along with this program. If not, see .
 from aiohttp import web
 import logging
+import json
 from ...user import User
 from ..common import AuthAPI
@@ -24,8 +25,9 @@ from ..common import AuthAPI
 class ProvisioningAPI(AuthAPI):
     log = logging.getLogger("mau.web.provisioning")
-    def __init__(self, loop):
+    def __init__(self, config, loop):
         super().__init__(loop)
+        self.secret = config["appservice.provisioning.shared_secret"]
         self.app = web.Application(loop=loop)
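Review bot: `self.secret` is stored straight from `config["appservice.provisioning.shared_secret"]` without checking that a value is present, and `get_request_info` later builds the expected header as `f"Bearer {self.secret}"`, so a `None` or empty setting would turn the check into a comparison against the fixed string `Bearer None` or `Bearer ` instead of refusing access. I would fail fast in the constructor: `if not self.secret:` / `raise ValueError("appservice.provisioning.shared_secret must be set when provisioning is enabled")`. Whether the config loader supplies a default for this key is not visible here; if it does, the guard is still cheap insurance against a blank value in a deployed config. `__init__` continues past the end of this hunk.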
@@ -56,43 +58,50 @@ class ProvisioningAPI(AuthAPI):
         return web.json_response(resp, status=status)
     async def get_request_info(self, request: web.Request):
+        auth = request.headers.get("Authorization", "")
+        if auth != f"Bearer {self.secret}":
+            return None, None, self.get_login_response(error="Shared secret is not valid.", errcode="shared_secret_invalid", status=401)
+
+        data = None
+        try:
+            data = await request.json()
+        except json.JSONDecodeError:
+            pass
+        if not data:
+            return None, None, self.get_login_response(error="Invalid JSON.", errcode="json_invalid", status=400)
+
         mxid = request.match_info["mxid"]
         user = await User.get_by_mxid(mxid).ensure_started(even_if_no_session=True)
         if not user.puppet_whitelisted:
-            return None, user, self.get_login_response(mxid=user.mxid,
-                                                       error="You are not whitelisted.",
+            return None, user, self.get_login_response(error="You are not whitelisted.", errcode="mxid_not_whitelisted", status=403)
         elif await user.is_logged_in():
-            return None, user, self.get_login_response(mxid=user.mxid, username=user.username,
-                                                       status=409)
-
-        try:
-            data = await request.json()
-        except Exception:
-            return None, user, self.get_login_response(mxid=user.mxid, error="Invalid JSON.",
-                                                       errcode="invalid_json", status=400)
+            return None, user, self.get_login_response(username=user.username, status=409)
         return data, user, None
     async def send_bot_token(self, request: web.Request):
         data, user, err = await self.get_request_info(request)
-        if err:
+        if err is not None:
             return err
         return await self.post_login_token(user, data.get("token", ""))
     async def request_code(self, request: web.Request):
         data, user, err = await self.get_request_info(request)
-        if err:
+        if err is not None:
             return err
         return await self.post_login_phone(user, data.get("phone", ""))
     async def send_code(self, request: web.Request):
         data, user, err = await self.get_request_info(request)
-        if err:
+        if err is not None:
             return err
         return await self.post_login_code(user, data.get("code",
0), password_in_data=False)
     async def send_password(self, request: web.Request):
         data, user, err = await self.get_request_info(request)
-        if err:
+        if err is not None:
             return err
         return await self.post_login_password(user, data.get("password", ""))
diff --git a/mautrix_telegram/web/provisioning/spec.yaml b/mautrix_telegram/web/provisioning/spec.yaml
index e8fe08f3..aa911d46 100644
--- a/mautrix_telegram/web/provisioning/spec.yaml
+++ b/mautrix_telegram/web/provisioning/spec.yaml
@@ -39,7 +39,7 @@ paths:
         400:
           $ref: "#/responses/MissingMXIDError"
         401:
-          description: Invalid or expired bot token
+          description: Invalid or expired bot token or invalid shared secret
           schema:
             type: object
             title: Error
@@ -52,6 +52,7 @@ paths:
               enum:
                 - bot_token_invalid
                 - bot_token_expired
+                - shared_secret_invalid
               error:
                 $ref: "#/definitions/HumanReadableError"
         403:
@@ -87,7 +88,7 @@ paths:
           schema:
             $ref: "#/definitions/AuthSuccess"
         400:
-          description: Invalid phone number or missing Matrix ID
+          description: Invalid phone number or JSON or missing Matrix ID
           schema:
             type: object
             title: Error
@@ -100,6 +101,21 @@ paths:
               enum:
                 - phone_number_invalid
                 - mxid_empty
+                - json_invalid
+              error:
+                $ref: "#/definitions/HumanReadableError"
+        401:
+          description: Invalid shared secret
+          schema:
+            type: object
+            title: Error
+            properties:
+              errcode:
+                type: string
+                title: Error code
+                description: A machine-readable error code
+                enum:
+                  - shared_secret_invalid
               error:
                 $ref: "#/definitions/HumanReadableError"
         403:
@@ -185,7 +201,7 @@ paths:
         400:
           $ref: "#/responses/MissingMXIDError"
         401:
-          description: Invalid phone code
+          description: Invalid phone code or shared secret
           schema:
             type: object
             title: Error
@@ -196,6 +212,7 @@ paths:
               description: A machine-readable error code
               enum:
                 - phone_code_invalid
+                - shared_secret_invalid
               error:
                 $ref: "#/definitions/HumanReadableError"
         403:
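Review bot: The shared-secret check at the top of `get_request_info` compares the header with `!=`, which is not a constant-time comparison, and when `self.secret` is `None` or empty the expected value collapses to a fixed string such as `Bearer None`, so a missing `appservice.provisioning.shared_secret` should fail closed rather than become guessable (whether the config loader defaults this key is not visible here). The JSON guard also only rejects undecodable or empty bodies: a valid JSON array, string or number passes `if not data`, and the `data.get(...)` calls in `send_bot_token`, `request_code`, `send_code` and `send_password` then raise `AttributeError` instead of returning the 400 `json_invalid` the spec documents. The rewrite below replaces the two guards (it needs `import hmac` next to `import json`); the `mxid` lookup and whitelist / logged-in checks after them are unchanged.
```python
        auth = request.headers.get("Authorization", "")
        expected = f"Bearer {self.secret}"
        # Fail closed when no secret is configured; compare in constant time.
        if not self.secret or not hmac.compare_digest(auth.encode(), expected.encode()):
            return None, None, self.get_login_response(error="Shared secret is not valid.",
                                                       errcode="shared_secret_invalid",
                                                       status=401)

        try:
            data = await request.json()
        except json.JSONDecodeError:
            data = None
        # A JSON array/string/number would make data.get() in the callers raise instead of 400.
        if not isinstance(data, dict) or not data:
            return None, None, self.get_login_response(error="Invalid JSON.",
                                                       errcode="json_invalid", status=400)
        # … unchanged: mxid lookup, whitelist and logged-in checks …
```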
@@ -246,7 +263,7 @@ paths:
           schema:
             $ref: "#/definitions/AuthSuccess"
         400:
-          description: Missing password or Matrix ID
+          description: Missing password or Matrix ID or invalid JSON
           schema:
             type: object
             title: Error
@@ -259,10 +276,11 @@ paths:
               enum:
                 - password_empty
                 - mxid_empty
+                - json_invalid
               error:
                 $ref: "#/definitions/HumanReadableError"
         401:
-          description: Incorrect password
+          description: Incorrect password or invalid shared secret
           schema:
             type: object
             title: Error
@@ -273,6 +291,7 @@ paths:
               description: A machine-readable error code
               enum:
                 - password_invalid
+                - shared_secret_invalid
               error:
                 $ref: "#/definitions/HumanReadableError"
         403:
@@ -327,7 +346,7 @@ responses:
               type: string
               description: The Telegram username the user is logged in as.
   MissingMXIDError:
-    description: Missing Matrix ID
+    description: Missing Matrix ID or invalid JSON.
     schema:
       type: object
       title: Error
@@ -338,6 +357,7 @@ responses:
         description: A machine-readable error code
         enum:
           - mxid_empty
+          - json_invalid
       error:
         $ref: "#/definitions/HumanReadableError"
   UnknownError: