Fix handling of guest accounts (MSC3069)

b5181187 · Travis Ralston · e0ddaf9c · b5181187 · b5181187 · b5181187
Commit b5181187 authored 4 years ago by Travis Ralston
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ## [Unreleased]

+### Fixed
+
+* Handle guest accounts properly. Previously they were still declined, though by coincidence.
+
 ## [1.2.5] - March 17th, 2021

 ### Added

--- a/api/auth.go
+++ b/api/auth.go
@@ -39,6 +39,9 @@ func AccessTokenRequiredRoute(next func(r *http.Request, rctx rcontext.RequestCo
 		appserviceUserId := util.GetAppserviceUserIdFromRequest(r)
 		userId, err := auth_cache.GetUserId(rctx, accessToken, appserviceUserId)
 		if err != nil || userId == "" {
+			if err == matrix.ErrGuestToken {
+				return GuestAuthFailed()
+			}
 			if err != nil && err != matrix.ErrInvalidToken {
 				sentry.CaptureException(err)
 				rctx.Log.Error("Error verifying token (fatal): ", err)

--- a/api/responses.go
+++ b/api/responses.go
@@ -46,6 +46,10 @@ func AuthFailed() *ErrorResponse {
 	return &ErrorResponse{common.ErrCodeUnknownToken, "Authentication Failed", common.ErrCodeUnknownToken}
 }

+func GuestAuthFailed() *ErrorResponse {
+	return &ErrorResponse{common.ErrCodeNoGuests, "Guests cannot use this endpoint", common.ErrCodeNoGuests}
+}
+
 func BadRequest(message string) *ErrorResponse {
 	return &ErrorResponse{common.ErrCodeUnknown, message, common.ErrCodeBadRequest}
 }

--- a/common/errorcodes.go
+++ b/common/errorcodes.go
@@ -5,6 +5,7 @@ const ErrCodeHostNotFound = "M_HOST_NOT_FOUND"
 const ErrCodeHostBlacklisted = "M_HOST_BLACKLISTED"
 const ErrCodeNotFound = "M_NOT_FOUND"
 const ErrCodeUnknownToken = "M_UNKNOWN_TOKEN"
+const ErrCodeNoGuests = "M_GUEST_ACCESS_FORBIDDEN"
 const ErrCodeMissingToken = "M_MISSING_TOKEN"
 const ErrCodeMediaTooLarge = "M_MEDIA_TOO_LARGE"
 const ErrCodeMediaTooSmall = "M_MEDIA_TOO_SMALL"

--- a/matrix/auth.go
+++ b/matrix/auth.go
@@ -10,6 +10,7 @@ import (
 )

 var ErrInvalidToken = errors.New("Missing or invalid access token")
+var ErrGuestToken = errors.New("Token belongs to a guest")

 func doBreakerRequest(ctx rcontext.RequestContext, serverName string, accessToken string, appserviceUserId string, ipAddr string, method string, path string, resp interface{}) error {
 	if accessToken == "" {
@@ -53,6 +54,9 @@ func GetUserIdFromToken(ctx rcontext.RequestContext, serverName string, accessTo
 	if err != nil {
 		return "", err
 	}
+	if response.IsGuest {
+		return "", ErrGuestToken
+	}
 	return response.UserId, nil
 }


--- a/matrix/matrix.go
+++ b/matrix/matrix.go
@@ -36,9 +36,11 @@ func filterError(err error) (error, error) {

 	// Unknown token errors should be filtered out explicitly to ensure we don't break on bad requests
 	if httpErr, ok := err.(*errorResponse); ok {
+		// We send back our own version of errors to ensure we can filter them out elsewhere
 		if httpErr.ErrorCode == common.ErrCodeUnknownToken {
-			// We send back our own version of 'unknown token' to ensure we can filter it out elsewhere
 			return nil, ErrInvalidToken
+		} else if httpErr.ErrorCode == common.ErrCodeNoGuests {
+			return nil, ErrGuestToken
 		}
 	}


--- a/matrix/responses.go
+++ b/matrix/responses.go
@@ -8,7 +8,8 @@ type emptyResponse struct {
 }

 type userIdResponse struct {
-	UserId string `json:"user_id"`
+	UserId  string `json:"user_id"`
+	IsGuest bool   `json:"org.matrix.msc3069.is_guest"`
 }

 type whoisResponse struct {