diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md index 0cf6e075ff..fb4866f007 100644 --- a/docs/usage/configuration/config_documentation.md +++ b/docs/usage/configuration/config_documentation.md @@ -2598,14 +2598,11 @@ ui_auth: Matrix supports the ability of an existing session to mint a login token for another client. -Synapse disables this by default as it has security ramifications -- a malicious -client could use the mechanism to spawn more than one session. - The duration of time the generated token is valid for can be configured with the `token_timeout` sub-option. -User-interactive authentication is required when this is enabled unless the -`require_ui_auth` sub-option is set to `False`. +To protect against malicious clients abusing this capability, user-interactive authentication +is required unless the `require_ui_auth` sub-option is set to `False`. Example configuration: ```yaml diff --git a/synapse/config/auth.py b/synapse/config/auth.py index c7ab428f28..af59c40806 100644 --- a/synapse/config/auth.py +++ b/synapse/config/auth.py @@ -63,7 +63,7 @@ class AuthConfig(Config): # Logging in with an existing session. login_via_existing = config.get("login_via_existing_session", {}) - self.login_via_existing_enabled = login_via_existing.get("enabled", False) + self.login_via_existing_enabled = login_via_existing.get("enabled", True) self.login_via_existing_require_ui_auth = login_via_existing.get( "require_ui_auth", True ) diff --git a/tests/rest/client/test_login_token_request.py b/tests/rest/client/test_login_token_request.py index f05e619aa8..0e6c81e4bb 100644 --- a/tests/rest/client/test_login_token_request.py +++ b/tests/rest/client/test_login_token_request.py 
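Review bot: Flipping the `enabled` default to `True` on the changed line in `synapse/config/auth.py` switches the login-token request endpoint (the `GET_TOKEN_ENDPOINT` the tests hit) on for every deployment that never wrote a `login_via_existing_session` section, and the hunk leaves no trace of that in the code — the only explanation of why the feature used to be opt-in is the docs paragraph this same commit deletes. Since the remaining safeguard is the `require_ui_auth` default read two lines below, the comment heading the block should say so, e.g. `# Logging in with an existing session. Enabled by default; user-interactive auth (require_ui_auth, default True) is what stops a stolen access token from minting further sessions.` Admins who relied on the old default now need an explicit `enabled: false`, so this default change also belongs in the upgrade notes, which this diff does not touch. The enclosing method (presumably `read_config`) starts and ends outside the hunk.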
@@ -46,6 +46,7 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
         self.user = "user123"
         self.password = "password"
 
+    @override_config({"login_via_existing_session": {"enabled": False}})
     def test_disabled(self) -> None:
         channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=None)
         self.assertEqual(channel.code, 404)
@@ -56,12 +57,10 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
         channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=token)
         self.assertEqual(channel.code, 404)
 
-    @override_config({"login_via_existing_session": {"enabled": True}})
     def test_require_auth(self) -> None:
         channel = self.make_request("POST", GET_TOKEN_ENDPOINT, {}, access_token=None)
         self.assertEqual(channel.code, 401)
 
-    @override_config({"login_via_existing_session": {"enabled": True}})
     def test_uia_on(self) -> None:
         user_id = self.register_user(self.user, self.password)
         token = self.login(self.user, self.password)
@@ -95,9 +94,7 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
         self.assertEqual(channel.code, 200, channel.result)
         self.assertEqual(channel.json_body["user_id"], user_id)
 
-    @override_config(
-        {"login_via_existing_session": {"enabled": True, "require_ui_auth": False}}
-    )
+    @override_config({"login_via_existing_session": {"require_ui_auth": False}})
     def test_uia_off(self) -> None:
         user_id = self.register_user(self.user, self.password)
         token = self.login(self.user, self.password)
@@ -119,7 +116,6 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
     @override_config(
         {
             "login_via_existing_session": {
-                "enabled": True,
                 "require_ui_auth": False,
                 "token_timeout": "15s",
             }
@@ -136,7 +132,6 @@ class LoginTokenRequestServletTestCase(unittest.HomeserverTestCase):
     @override_config(
         {
             "login_via_existing_session": {
-                "enabled": True,
                 "require_ui_auth": False,
                 "token_timeout": "15s",
             }
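Review bot: The tests that lose their `@override_config({"login_via_existing_session": {"enabled": True}})` decorator (`test_require_auth`, `test_uia_on`, and the `require_ui_auth: False` cases) now depend on the config default being `True`, but nothing in the file records that, so a reader cannot tell whether the missing override is deliberate or an oversight. A one-line comment above `test_require_auth` such as `# No override: these tests exercise the default, which enables login_via_existing_session.` would pin the intent, and with `test_disabled` now the only opted-out case a matching `# Explicitly disabled; the endpoint must 404 rather than 401.` above its new decorator keeps the two paths distinguishable. The `@@ -46` hunk ends mid-method — `test_disabled` continues into the next hunk — and the class header is outside every hunk shown.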