Always require users to re-authenticate for dangerous operations. (#10184)

clokep · web-flow · commit 76f9c701c392 · 2021-06-16T11:07:28.000-04:00
Dangerous actions means deactivating an account, modifying an account
password, or adding a 3PID.

Other actions (deleting devices, uploading keys) can re-use the same UI
auth session if ui_auth.session_timeout is configured.
diff --git a/changelog.d/10184.bugfix b/changelog.d/10184.bugfix
@@ -0,0 +1 @@
+Always require users to re-authenticate for dangerous operations: deactivating an account, modifying an account password, and adding 3PIDs.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
@@ -2318,6 +2318,10 @@ ui_auth:
     # the user-interactive authentication process, by allowing for multiple
     # (and potentially different) operations to use the same validation session.
     #
+    # This is ignored for potentially "dangerous" operations (including
+    # deactivating an account, modifying an account password, and
+    # adding a 3PID).
+    #
     # Uncomment below to allow for credential validation to last for 15
     # seconds.
     #
diff --git a/synapse/config/auth.py b/synapse/config/auth.py
@@ -103,6 +103,10 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
             # the user-interactive authentication process, by allowing for multiple
             # (and potentially different) operations to use the same validation session.
             #
+            # This is ignored for potentially "dangerous" operations (including
+            # deactivating an account, modifying an account password, and
+            # adding a 3PID).
+            #
             # Uncomment below to allow for credential validation to last for 15
             # seconds.
             #
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
@@ -302,6 +302,7 @@ async def validate_user_via_ui_auth(
         request: SynapseRequest,
         request_body: Dict[str, Any],
         description: str,
+        can_skip_ui_auth: bool = False,
     ) -> Tuple[dict, Optional[str]]:
         """
         Checks that the user is who they claim to be, via a UI auth.
@@ -320,6 +321,10 @@ async def validate_user_via_ui_auth(
             description: A human readable string to be displayed to the user that
                          describes the operation happening on their account.
 
+            can_skip_ui_auth: True if the UI auth session timeout applies this
+                              action. Should be set to False for any "dangerous"
+                              actions (e.g. deactivating an account).
+
         Returns:
             A tuple of (params, session_id).
 
@@ -343,7 +348,7 @@ async def validate_user_via_ui_auth(
         """
         if not requester.access_token_id:
             raise ValueError("Cannot validate a user without an access token")
-        if self._ui_auth_session_timeout:
+        if can_skip_ui_auth and self._ui_auth_session_timeout:
             last_validated = await self.store.get_access_token_last_validated(
                 requester.access_token_id
             )
diff --git a/synapse/rest/client/v2_alpha/devices.py b/synapse/rest/client/v2_alpha/devices.py
@@ -86,6 +86,9 @@ async def on_POST(self, request):
             request,
             body,
             "remove device(s) from your account",
+            # Users might call this multiple times in a row while cleaning up
+            # devices, allow a single UI auth session to be re-used.
+            can_skip_ui_auth=True,
         )
 
         await self.device_handler.delete_devices(
@@ -135,6 +138,9 @@ async def on_DELETE(self, request, device_id):
             request,
             body,
             "remove a device from your account",
+            # Users might call this multiple times in a row while cleaning up
+            # devices, allow a single UI auth session to be re-used.
+            can_skip_ui_auth=True,
         )
 
         await self.device_handler.delete_device(requester.user.to_string(), device_id)
diff --git a/synapse/rest/client/v2_alpha/keys.py b/synapse/rest/client/v2_alpha/keys.py
@@ -277,6 +277,9 @@ async def on_POST(self, request):
             request,
             body,
             "add a device signing key to your account",
+            # Allow skipping of UI auth since this is frequently called directly
+            # after login and it is silly to ask users to re-auth immediately.
+            can_skip_ui_auth=True,
         )
 
         result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Always require users to re-authenticate for dangerous operations: deactivating an account, modifying an account password, and adding 3PIDs.`
Original file line number	Diff line number	Diff line change
`@@ -2318,6 +2318,10 @@ ui_auth:`
`2318`	`2318`	`# the user-interactive authentication process, by allowing for multiple`
`2319`	`2319`	`# (and potentially different) operations to use the same validation session.`
`2320`	`2320`	`#`
	`2321`	`+ # This is ignored for potentially "dangerous" operations (including`
	`2322`	`+ # deactivating an account, modifying an account password, and`
	`2323`	`+ # adding a 3PID).`
	`2324`	`+ #`
`2321`	`2325`	`# Uncomment below to allow for credential validation to last for 15`
`2322`	`2326`	`# seconds.`
`2323`	`2327`	`#`
Original file line number	Diff line number	Diff line change
`@@ -103,6 +103,10 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):`
`103`	`103`	`# the user-interactive authentication process, by allowing for multiple`
`104`	`104`	`# (and potentially different) operations to use the same validation session.`
`105`	`105`	`#`
	`106`	`+ # This is ignored for potentially "dangerous" operations (including`
	`107`	`+ # deactivating an account, modifying an account password, and`
	`108`	`+ # adding a 3PID).`
	`109`	`+ #`
`106`	`110`	`# Uncomment below to allow for credential validation to last for 15`
`107`	`111`	`# seconds.`
`108`	`112`	`#`
Original file line number	Diff line number	Diff line change
`@@ -277,6 +277,9 @@ async def on_POST(self, request):`
`277`	`277`	`request,`
`278`	`278`	`body,`
`279`	`279`	`"add a device signing key to your account",`
	`280`	`+ # Allow skipping of UI auth since this is frequently called directly`
	`281`	`+ # after login and it is silly to ask users to re-auth immediately.`
	`282`	`+ can_skip_ui_auth=True,`
`280`	`283`	`)`
`281`	`284`
`282`	`285`	`result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)`