Support for m.login.token (#2014)

* Add GOPATH to PATH in find-lint.sh. The user doesn't necessarily have it in PATH. * Refactor LoginTypePassword and Type to support m.login.token and m.login.sso. For login token: * m.login.token will require deleting the token after completeAuth has generated an access token, so a cleanup function is returned by Type.Login. * Allowing different login types will require parsing the /login body twice: first to extract the "type" and then the type-specific parsing. Thus, we will have to buffer the request JSON in /login, like UserInteractive already does. For SSO: * NewUserInteractive will have to also use GetAccountByLocalpart. It makes more sense to just pass a (narrowed-down) accountDB interface to it than adding more function pointers. Code quality: * Passing around (and down-casting) interface{} for login request types has drawbacks in terms of type-safety, and no inherent benefits. We always decode JSON anyway. Hence renaming to Type.LoginFromJSON. Code that directly uses LoginTypePassword with parsed data can still use Login. * Removed a TODO for SSO. This is already tracked in #1297. * httputil.UnmarshalJSON is useful because it returns a JSONResponse. This change is intended to have no functional changes. * Support login tokens in User API. This adds full lifecycle functions for login tokens: create, query, delete. * Support m.login.token in /login. * Fixes for PR review. * Set @matrix-org/dendrite-core as repository code owner * Return event NID from `StoreEvent`, match PSQL vs SQLite behaviour, tweak backfill persistence (#2071) Co-authored-by: kegsay <kegan@matrix.org> Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2025-09-14 05:12:26 +03:00 · 2022-02-10 11:27:26 +01:00 · 2022-02-10 11:27:26 +01:00 · c36e4546c3
commit c36e4546c3
parent 432c35a307
28 changed files with 1244 additions and 80 deletions
--- a/userapi/userapi_test.go
+++ b/userapi/userapi_test.go
@ -1,4 +1,18 @@
-package userapi_test
+// Copyright 2020 The Matrix.org Foundation C.I.C.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package userapi

 import (
 	"context"
@ -6,15 +20,16 @@ import (
 	"net/http"
 	"reflect"
 	"testing"
+	"time"

 	"github.com/gorilla/mux"
 	"github.com/matrix-org/dendrite/internal/httputil"
 	"github.com/matrix-org/dendrite/internal/test"
 	"github.com/matrix-org/dendrite/setup/config"
-	"github.com/matrix-org/dendrite/userapi"
 	"github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/dendrite/userapi/inthttp"
 	"github.com/matrix-org/dendrite/userapi/storage/accounts"
+	"github.com/matrix-org/dendrite/userapi/storage/devices"
 	"github.com/matrix-org/gomatrixserverlib"
 	"golang.org/x/crypto/bcrypt"
 )
@ -23,31 +38,41 @@ const (
 	serverName = gomatrixserverlib.ServerName("example.com")
 )

-func MustMakeInternalAPI(t *testing.T) (api.UserInternalAPI, accounts.Database) {
-	accountDB, err := accounts.NewDatabase(&config.DatabaseOptions{
-		ConnectionString: "file::memory:",
-	}, serverName, bcrypt.MinCost, config.DefaultOpenIDTokenLifetimeMS)
+type apiTestOpts struct {
+	loginTokenLifetime time.Duration
+}
+
+func MustMakeInternalAPI(t *testing.T, opts apiTestOpts) (api.UserInternalAPI, accounts.Database) {
+	if opts.loginTokenLifetime == 0 {
+		opts.loginTokenLifetime = defaultLoginTokenLifetime
+	}
+	dbopts := &config.DatabaseOptions{
+		ConnectionString:   "file::memory:",
+		MaxOpenConnections: 1,
+		MaxIdleConnections: 1,
+	}
+	accountDB, err := accounts.NewDatabase(dbopts, serverName, bcrypt.MinCost, config.DefaultOpenIDTokenLifetimeMS)
 	if err != nil {
 		t.Fatalf("failed to create account DB: %s", err)
 	}
+	deviceDB, err := devices.NewDatabase(dbopts, serverName, opts.loginTokenLifetime)
+	if err != nil {
+		t.Fatalf("failed to create device DB: %s", err)
+	}
+
 	cfg := &config.UserAPI{
-		DeviceDatabase: config.DatabaseOptions{
-			ConnectionString:   "file::memory:",
-			MaxOpenConnections: 1,
-			MaxIdleConnections: 1,
-		},
 		Matrix: &config.Global{
 			ServerName: serverName,
 		},
 	}

-	return userapi.NewInternalAPI(accountDB, cfg, nil, nil), accountDB
+	return newInternalAPI(accountDB, deviceDB, cfg, nil, nil), accountDB
 }

 func TestQueryProfile(t *testing.T) {
 	aliceAvatarURL := "mxc://example.com/alice"
 	aliceDisplayName := "Alice"
-	userAPI, accountDB := MustMakeInternalAPI(t)
+	userAPI, accountDB := MustMakeInternalAPI(t, apiTestOpts{})
 	_, err := accountDB.CreateAccount(context.TODO(), "alice", "foobar", "")
 	if err != nil {
 		t.Fatalf("failed to make account: %s", err)
@ -106,7 +131,7 @@ func TestQueryProfile(t *testing.T) {

 	t.Run("HTTP API", func(t *testing.T) {
 		router := mux.NewRouter().PathPrefix(httputil.InternalPathPrefix).Subrouter()
-		userapi.AddInternalRoutes(router, userAPI)
+		AddInternalRoutes(router, userAPI)
 		apiURL, cancel := test.ListenAndServe(t, router, false)
 		defer cancel()
 		httpAPI, err := inthttp.NewUserAPIClient(apiURL, &http.Client{})
@ -119,3 +144,115 @@ func TestQueryProfile(t *testing.T) {
 		runCases(userAPI)
 	})
 }
+
+func TestLoginToken(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("tokenLoginFlow", func(t *testing.T) {
+		userAPI, accountDB := MustMakeInternalAPI(t, apiTestOpts{})
+
+		_, err := accountDB.CreateAccount(ctx, "auser", "apassword", "")
+		if err != nil {
+			t.Fatalf("failed to make account: %s", err)
+		}
+
+		t.Log("Creating a login token like the SSO callback would...")
+
+		creq := api.PerformLoginTokenCreationRequest{
+			Data: api.LoginTokenData{UserID: "@auser:example.com"},
+		}
+		var cresp api.PerformLoginTokenCreationResponse
+		if err := userAPI.PerformLoginTokenCreation(ctx, &creq, &cresp); err != nil {
+			t.Fatalf("PerformLoginTokenCreation failed: %v", err)
+		}
+
+		if cresp.Metadata.Token == "" {
+			t.Errorf("PerformLoginTokenCreation Token: got %q, want non-empty", cresp.Metadata.Token)
+		}
+		if cresp.Metadata.Expiration.Before(time.Now()) {
+			t.Errorf("PerformLoginTokenCreation Expiration: got %v, want non-expired", cresp.Metadata.Expiration)
+		}
+
+		t.Log("Querying the login token like /login with m.login.token would...")
+
+		qreq := api.QueryLoginTokenRequest{Token: cresp.Metadata.Token}
+		var qresp api.QueryLoginTokenResponse
+		if err := userAPI.QueryLoginToken(ctx, &qreq, &qresp); err != nil {
+			t.Fatalf("QueryLoginToken failed: %v", err)
+		}
+
+		if qresp.Data == nil {
+			t.Errorf("QueryLoginToken Data: got %v, want non-nil", qresp.Data)
+		} else if want := "@auser:example.com"; qresp.Data.UserID != want {
+			t.Errorf("QueryLoginToken UserID: got %q, want %q", qresp.Data.UserID, want)
+		}
+
+		t.Log("Deleting the login token like /login with m.login.token would...")
+
+		dreq := api.PerformLoginTokenDeletionRequest{Token: cresp.Metadata.Token}
+		var dresp api.PerformLoginTokenDeletionResponse
+		if err := userAPI.PerformLoginTokenDeletion(ctx, &dreq, &dresp); err != nil {
+			t.Fatalf("PerformLoginTokenDeletion failed: %v", err)
+		}
+	})
+
+	t.Run("expiredTokenIsNotReturned", func(t *testing.T) {
+		userAPI, _ := MustMakeInternalAPI(t, apiTestOpts{loginTokenLifetime: -1 * time.Second})
+
+		creq := api.PerformLoginTokenCreationRequest{
+			Data: api.LoginTokenData{UserID: "@auser:example.com"},
+		}
+		var cresp api.PerformLoginTokenCreationResponse
+		if err := userAPI.PerformLoginTokenCreation(ctx, &creq, &cresp); err != nil {
+			t.Fatalf("PerformLoginTokenCreation failed: %v", err)
+		}
+
+		qreq := api.QueryLoginTokenRequest{Token: cresp.Metadata.Token}
+		var qresp api.QueryLoginTokenResponse
+		if err := userAPI.QueryLoginToken(ctx, &qreq, &qresp); err != nil {
+			t.Fatalf("QueryLoginToken failed: %v", err)
+		}
+
+		if qresp.Data != nil {
+			t.Errorf("QueryLoginToken Data: got %v, want nil", qresp.Data)
+		}
+	})
+
+	t.Run("deleteWorks", func(t *testing.T) {
+		userAPI, _ := MustMakeInternalAPI(t, apiTestOpts{})
+
+		creq := api.PerformLoginTokenCreationRequest{
+			Data: api.LoginTokenData{UserID: "@auser:example.com"},
+		}
+		var cresp api.PerformLoginTokenCreationResponse
+		if err := userAPI.PerformLoginTokenCreation(ctx, &creq, &cresp); err != nil {
+			t.Fatalf("PerformLoginTokenCreation failed: %v", err)
+		}
+
+		dreq := api.PerformLoginTokenDeletionRequest{Token: cresp.Metadata.Token}
+		var dresp api.PerformLoginTokenDeletionResponse
+		if err := userAPI.PerformLoginTokenDeletion(ctx, &dreq, &dresp); err != nil {
+			t.Fatalf("PerformLoginTokenDeletion failed: %v", err)
+		}
+
+		qreq := api.QueryLoginTokenRequest{Token: cresp.Metadata.Token}
+		var qresp api.QueryLoginTokenResponse
+		if err := userAPI.QueryLoginToken(ctx, &qreq, &qresp); err != nil {
+			t.Fatalf("QueryLoginToken failed: %v", err)
+		}
+
+		if qresp.Data != nil {
+			t.Errorf("QueryLoginToken Data: got %v, want nil", qresp.Data)
+		}
+	})
+
+	t.Run("deleteUnknownIsNoOp", func(t *testing.T) {
+		userAPI, _ := MustMakeInternalAPI(t, apiTestOpts{})
+
+		dreq := api.PerformLoginTokenDeletionRequest{Token: "non-existent token"}
+		var dresp api.PerformLoginTokenDeletionResponse
+		if err := userAPI.PerformLoginTokenDeletion(ctx, &dreq, &dresp); err != nil {
+			t.Fatalf("PerformLoginTokenDeletion failed: %v", err)
+		}
+	})
+}