17 Apr 2024 |
Andrew Morgan (anoa) | Oh, well, I haven't built it locally. Instead opting to get it working in CI.
I could build it locally and then upload to PyPI, yes... | 14:52:17 |
Erik | I built it locally and pushed | 14:53:24 |
Andrew Morgan (anoa) | Oh. I hadn't realised you bumped it on PyPI. lol | 14:53:37 |
Andrew Morgan (anoa) | Well that takes the pressure off. Thank you for doing that. | 14:53:50 |
Andrew Morgan (anoa) | I suppose I'll announce the release then. | 14:53:55 |
Erik | sowwy | 14:55:02 |
Andrew Morgan (anoa) | no worries, the CI changes will make future releases easier hopefully | 14:57:27 |
Andrew Morgan (anoa) | Hello everyone. rust-synapse-compress-state 0.1.4 has just been released.
This was mainly a maintenance release, though there were lots of interesting changes. If you found docker builds for 0.1.3 to fail, give 0.1.4 a try and see how you get on. Thanks!
notes | docker | pypi | 14:57:29 |
| Andrew F changed their display name from Andrew F to Andrew F (back on April 22). | 18:25:20 |
18 Apr 2024 |
Mikoto ⚡️ | # Nested helper inside Synapse's OIDC login handler (synapse/handlers/oidc.py);
# `self` is the OidcProvider, `attributes.localpart` comes from the configured user-mapping provider.
async def grandfather_existing_users() -> Optional[str]:
    if self._allow_existing_users:
        # If allowing existing users we want to generate a single localpart
        # and attempt to match it.
        attributes = await oidc_response_to_user_attributes(failures=0)
        if attributes.localpart is None:
            # If no localpart is returned then we will generate one, so
            # there is no need to search for existing users.
            return None
        user_id = UserID(attributes.localpart, self._server_name).to_string()
        users = await self._store.get_users_by_id_case_insensitive(user_id)
        if users:
            # If an existing matrix ID is returned, then use it.
            if len(users) == 1:
                previously_registered_user_id = next(iter(users))
            elif user_id in users:
                previously_registered_user_id = user_id
            else:
                # Do not attempt to continue generating Matrix IDs.
                raise MappingException(
                    "Attempted to login as '{}' but it matches more than one user inexactly: {}".format(
                        user_id, users
                    )
                )
            return previously_registered_user_id
    return None
| 02:12:53 |
Mikoto ⚡️ | is it just me or is this clearly a loophole that allows hijacking existing accounts on Synapse? | 02:14:40 |
Cat | Mikoto ⚡️: what are you attempting? | 02:15:34 |
Mikoto ⚡️ | In reply to @cat:feline.support Mikoto ⚡️: what are you attempting? I'm just reading the source of Synapse and utterly surprised by how someone thought this was fine | 02:16:24 |
Mikoto ⚡️ | when a separate endpoint that requires an auth token header could have achieved the same goal | 02:16:57 |
Mikoto ⚡️ | I mean sure, the claim used for localpart can be configured but | 02:18:55 |
Mikoto ⚡️ | the average person setting up Matrix won't bother wondering how allow_existing_users works | 02:20:03 |
Cat | What does the code do? | 02:24:01 |
Mikoto ⚡️ | as an example, your user ID is @cat:feline.support and feline.support is your homeserver | 02:25:47 |
Mikoto ⚡️ | if later you decide to configure Github as your SSO provider, and Github usernames end up being used as the subject claim (which is completely valid, it's a unique ID), https://github.com/cat will be able to hijack your account as far as I understood here | 02:27:02 |
Mikoto ⚡️ | is this correct? can anyone confirm? | 02:28:30 |
Cat | Oh ye that’s a problem | 02:43:56 |
Mikoto ⚡️ | In reply to @cat:feline.support Oh ye that’s a problem not like it's easy to exploit, more like easy to overlook and making it happen by coincidence | 02:50:24 |
honestyallan | hello guys, answer a question : How to connect elements and integrations | 06:30:06 |
xiretza | In reply to @honestyallan:matrix.org hello guys, answer a question : How to connect elements and integrations this is definitely not the right room for that question | 06:57:38 |
honestyallan | Redacted or Malformed Event | 07:10:14 |
honestyallan | Redacted or Malformed Event | 07:11:30 |
honestyallan | Redacted or Malformed Event | 07:12:40 |
Olivier 'reivilibre' | In reply to @mikoto:kurosaki.cx
async def grandfather_existing_users() -> Optional[str]:
    if self._allow_existing_users:
        # If allowing existing users we want to generate a single localpart
        # and attempt to match it.
        attributes = await oidc_response_to_user_attributes(failures=0)
        if attributes.localpart is None:
            # If no localpart is returned then we will generate one, so
            # there is no need to search for existing users.
            return None
        user_id = UserID(attributes.localpart, self._server_name).to_string()
        users = await self._store.get_users_by_id_case_insensitive(user_id)
        if users:
            # If an existing matrix ID is returned, then use it.
            if len(users) == 1:
                previously_registered_user_id = next(iter(users))
            elif user_id in users:
                previously_registered_user_id = user_id
            else:
                # Do not attempt to continue generating Matrix IDs.
                raise MappingException(
                    "Attempted to login as '{}' but it matches more than one user inexactly: {}".format(
                        user_id, users
                    )
                )
            return previously_registered_user_id
    return None
isn't that exactly what the feature is intended to do? You say hijacking, others say migrating from not-SSO to SSO? | 08:30:23 |
Olivier 'reivilibre' | now, this might need a sufficiently red warning label on it, I don't know if it does have that or not, but ... it's not clear how this feature would work without the 'loophole' :) | 08:31:17 |
Olivier 'reivilibre' | I don't think it is particularly intended for SSO with GitHub, think more like a company SSO system for a company Synapse server. | 08:34:29 |