Generate new devices for each new /login (#281)

Erik Johnston 2017-10-10 10:40:52 +01:00 committed by GitHub
parent c78d9a5952
commit 38999c54e1
5 changed files with 56 additions and 26 deletions


@ -29,17 +29,13 @@ import (
"github.com/matrix-org/util" "github.com/matrix-org/util"
) )
// UnknownDeviceID is the default device id if one is not specified.
// This deviates from Synapse which generates a new device ID if one is not specified.
// It's preferable to not amass a huge list of valid access tokens for an account,
// so limiting it to 1 unknown device for now limits the number of valid tokens.
// Clients should be giving us device IDs.
var UnknownDeviceID = "unknown-device"
// OWASP recommends at least 128 bits of entropy for tokens: https://www.owasp.org/index.php/Insufficient_Session-ID_Length // OWASP recommends at least 128 bits of entropy for tokens: https://www.owasp.org/index.php/Insufficient_Session-ID_Length
// 32 bytes => 256 bits // 32 bytes => 256 bits
var tokenByteLength = 32 var tokenByteLength = 32
// The length of generated device IDs
var deviceIDByteLength = 6
// DeviceDatabase represents a device database. // DeviceDatabase represents a device database.
type DeviceDatabase interface { type DeviceDatabase interface {
// Look up the device matching the given access token. // Look up the device matching the given access token.
@ -62,8 +58,8 @@ func VerifyAccessToken(req *http.Request, deviceDB DeviceDatabase) (device *auth
if err != nil { if err != nil {
if err == sql.ErrNoRows { if err == sql.ErrNoRows {
resErr = &util.JSONResponse{ resErr = &util.JSONResponse{
Code: 403, Code: 401,
JSON: jsonerror.Forbidden("Invalid access token"), JSON: jsonerror.UnknownToken("Unknown token"),
} }
} else { } else {
resErr = &util.JSONResponse{ resErr = &util.JSONResponse{
@ -86,6 +82,18 @@ func GenerateAccessToken() (string, error) {
return base64.RawURLEncoding.EncodeToString(b), nil return base64.RawURLEncoding.EncodeToString(b), nil
} }
// GenerateDeviceID creates a new device id. Returns an error if failed to generate
// random bytes.
func GenerateDeviceID() (string, error) {
b := make([]byte, deviceIDByteLength)
_, err := rand.Read(b)
if err != nil {
return "", err
}
// url-safe no padding
return base64.RawURLEncoding.EncodeToString(b), nil
}
// extractAccessToken from a request, or return an error detailing what went wrong. The // extractAccessToken from a request, or return an error detailing what went wrong. The
// error message MUST be human-readable and comprehensible to the client. // error message MUST be human-readable and comprehensible to the client.
func extractAccessToken(req *http.Request) (string, error) { func extractAccessToken(req *http.Request) (string, error) {
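Review bot: Nothing in the new code takes over the bound that the deleted UnknownDeviceID comment described: with GenerateDeviceID, every /login mints a fresh device and a fresh valid access token, and no cap or expiry is visible in this commit. I would record that next to GenerateDeviceID, e.g. `// TODO: each /login now creates a device with a live access token; cap devices per account or expire unused ones.` The comment on deviceIDByteLength could also state that it counts random bytes before encoding: `// deviceIDByteLength is the number of random bytes in a generated device ID (8 characters after base64url encoding).`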


@ -18,6 +18,7 @@ import (
"context" "context"
"database/sql" "database/sql"
"github.com/matrix-org/dendrite/clientapi/auth"
"github.com/matrix-org/dendrite/clientapi/auth/authtypes" "github.com/matrix-org/dendrite/clientapi/auth/authtypes"
"github.com/matrix-org/dendrite/common" "github.com/matrix-org/dendrite/common"
"github.com/matrix-org/gomatrixserverlib" "github.com/matrix-org/gomatrixserverlib"
@ -55,20 +56,42 @@ func (d *Database) GetDeviceByAccessToken(
// If there is already a device with the same device ID for this user, that access token will be revoked // If there is already a device with the same device ID for this user, that access token will be revoked
// and replaced with the given accessToken. If the given accessToken is already in use for another device, // and replaced with the given accessToken. If the given accessToken is already in use for another device,
// an error will be returned. // an error will be returned.
// If no device ID is given one is generated.
// Returns the device on success. // Returns the device on success.
func (d *Database) CreateDevice( func (d *Database) CreateDevice(
ctx context.Context, localpart, deviceID, accessToken string, ctx context.Context, localpart string, deviceID *string, accessToken string,
) (dev *authtypes.Device, returnErr error) { ) (dev *authtypes.Device, returnErr error) {
returnErr = common.WithTransaction(d.db, func(txn *sql.Tx) error { if deviceID != nil {
var err error returnErr = common.WithTransaction(d.db, func(txn *sql.Tx) error {
// Revoke existing token for this device var err error
if err = d.devices.deleteDevice(ctx, txn, deviceID, localpart); err != nil { // Revoke existing token for this device
return err if err = d.devices.deleteDevice(ctx, txn, *deviceID, localpart); err != nil {
} return err
}
dev, err = d.devices.insertDevice(ctx, txn, deviceID, localpart, accessToken) dev, err = d.devices.insertDevice(ctx, txn, *deviceID, localpart, accessToken)
return err return err
}) })
} else {
// We generate device IDs in a loop in case its already taken.
// We cap this at going round 5 times to ensure we don't spin forever
var newDeviceID string
for i := 1; i <= 5; i++ {
newDeviceID, returnErr = auth.GenerateDeviceID()
if returnErr != nil {
return
}
returnErr = common.WithTransaction(d.db, func(txn *sql.Tx) error {
var err error
dev, err = d.devices.insertDevice(ctx, txn, newDeviceID, localpart, accessToken)
return err
})
if returnErr == nil {
return
}
}
}
return return
} }
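Review bot: The generation loop in CreateDevice retries on every error from the transaction, not only on a device-ID collision, so a cancelled context, a database outage, or the documented "access token already in use" failure is attempted five times before it is reported. Stopping early when the context is done would be a small change, e.g. `if returnErr == nil || ctx.Err() != nil { return }`, and ideally the retry would happen only when the insert reports a duplicate device ID (how insertDevice surfaces that error is not visible here). The retry count `5` would also read better as a named constant beside the loop comment.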


@ -46,6 +46,7 @@ type loginResponse struct {
UserID string `json:"user_id"` UserID string `json:"user_id"`
AccessToken string `json:"access_token"` AccessToken string `json:"access_token"`
HomeServer gomatrixserverlib.ServerName `json:"home_server"` HomeServer gomatrixserverlib.ServerName `json:"home_server"`
DeviceID string `json:"device_id"`
} }
func passwordLogin() loginFlows { func passwordLogin() loginFlows {
@ -113,15 +114,12 @@ func Login(
token, err := auth.GenerateAccessToken() token, err := auth.GenerateAccessToken()
if err != nil { if err != nil {
return util.JSONResponse{ httputil.LogThenError(req, err)
Code: 500,
JSON: jsonerror.Unknown("Failed to generate access token"),
}
} }
// TODO: Use the device ID in the request // TODO: Use the device ID in the request
dev, err := deviceDB.CreateDevice( dev, err := deviceDB.CreateDevice(
req.Context(), acc.Localpart, auth.UnknownDeviceID, token, req.Context(), acc.Localpart, nil, token,
) )
if err != nil { if err != nil {
return util.JSONResponse{ return util.JSONResponse{
@ -136,6 +134,7 @@ func Login(
UserID: dev.UserID, UserID: dev.UserID,
AccessToken: dev.AccessToken, AccessToken: dev.AccessToken,
HomeServer: cfg.Matrix.ServerName, HomeServer: cfg.Matrix.ServerName,
DeviceID: dev.ID,
}, },
} }
} }
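Review bot: The new error branch after `auth.GenerateAccessToken()` calls `httputil.LogThenError(req, err)` without returning, as far as the rendered lines show, so a failed token generation falls through to `deviceDB.CreateDevice` with an empty token. That could store a device with an empty access token and hand it back in the login response instead of failing the request. The line should be `return httputil.LogThenError(req, err)`, assuming LogThenError returns the handler's util.JSONResponse. Login's body starts and ends outside the hunks shown.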


@ -303,7 +303,7 @@ func completeRegistration(
} }
// // TODO: Use the device ID in the request. // // TODO: Use the device ID in the request.
dev, err := deviceDB.CreateDevice(ctx, username, auth.UnknownDeviceID, token) dev, err := deviceDB.CreateDevice(ctx, username, nil, token)
if err != nil { if err != nil {
return util.JSONResponse{ return util.JSONResponse{
Code: 500, Code: 500,


@ -87,7 +87,7 @@ func main() {
} }
device, err := deviceDB.CreateDevice( device, err := deviceDB.CreateDevice(
context.Background(), *username, "create-account-script", *accessToken, context.Background(), *username, nil, *accessToken,
) )
if err != nil { if err != nil {
fmt.Println(err.Error()) fmt.Println(err.Error())