This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Save the SSO user ID for later comparison to the auth user ID.
clokep committed Mar 27, 2020
1 parent f8ce002 commit eb82002
Showing 2 changed files with 4 additions and 9 deletions.
10 changes: 3 additions & 7 deletions synapse/handlers/auth.py
@@ -1049,7 +1049,6 @@ def complete_sso_ui_auth(
registered_user_id: str,
session_id: str,
request: SynapseRequest,
requester: Requester,
):
"""Having figured out a mxid for this user, complete the HTTP request
@@ -1059,18 +1058,15 @@ def complete_sso_ui_auth(
client_redirect_url: The URL to which to redirect the user at the end of the
process.
"""
# If the user ID of the SAML session does not match the user from the
# request, something went wrong.
if registered_user_id != requester.user.to_string():
raise SynapseError(403, "SAML user does not match requester.")

# Mark the stage of the authentication as successful.
sess = self._get_session_info(session_id)
if "creds" not in sess:
sess["creds"] = {}
creds = sess["creds"]

creds[LoginType.SSO] = True
# Save the user who authenticated with SSO, this will be used to ensure
# that the account be modified is also the person who logged in.
creds[LoginType.SSO] = registered_user_id
self._save_session(sess)

# Render the HTML and return.
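Review bot: The `registered_user_id != requester.user.to_string()` check and its 403 are removed from `complete_sso_ui_auth`, but neither file in this commit adds the comparison the new comment promises, so as far as these hunks show, an SSO login by any account completes the stage. `creds[LoginType.SSO]` changes from `True` to a user ID string, which still passes for a caller that only tests the entry for truthiness; the code that consumes the session credentials (outside this diff) has to compare it with the authenticated requester and reject a mismatch, ideally in the same change and with a test for the mismatched-user case. `handle_saml_response` in saml_handler.py also stops calling `get_user_by_req`, so nothing on the callback path identifies the requester any more. I would make the comment name where the comparison happens and fix its wording, e.g. `# that the account being modified belongs to the user who logged in.` The body of `complete_sso_ui_auth` continues outside the hunk.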
3 changes: 1 addition & 2 deletions synapse/handlers/saml_handler.py
@@ -145,9 +145,8 @@ async def handle_saml_response(self, request):

# Complete the interactive auth session or the login.
if current_session and current_session.ui_auth_session_id:
requester = await self._auth.get_user_by_req(request)
self._auth_handler.complete_sso_ui_auth(
user_id, current_session.ui_auth_session_id, request, requester
user_id, current_session.ui_auth_session_id, request
)

else:
