Added possibilty to disable local password authentication (#5092)
Signed-off-by: Daniel Hoffend <[email protected]>
dhoffend authored and richvdh committed Jun 27, 2019
1 parent 457b8e4 commit 9646a59
Showing 5 changed files with 18 additions and 1 deletion.
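--- a/changelog.d/5092.feature
+++ b/changelog.d/5092.feature
@@ -0,0 +1 @@
+Added possibilty to disable local password authentication. Contributed by Daniel Hoffend.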
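--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1046,6 +1046,12 @@ password_config:
 #
 #enabled: false
 
+# Uncomment to disable authentication against the local password
+# database. This is ignored if `enabled` is false, and is only useful
+# if you have other password_providers.
+#
+#localdb_enabled: false
+
 # Uncomment and change to a secret random string for extra security.
 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
 #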
7 changes: 7 additions & 0 deletions synapse/config/password.py
Expand Up @@ -26,6 +26,7 @@ def read_config(self, config, **kwargs):
password_config = {}

self.password_enabled = password_config.get("enabled", True)
self.password_localdb_enabled = password_config.get("localdb_enabled", True)
self.password_pepper = password_config.get("pepper", "")

def generate_config_section(self, config_dir_path, server_name, **kwargs):
Expand All @@ -35,6 +36,12 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
#
#enabled: false
# Uncomment to disable authentication against the local password
# database. This is ignored if `enabled` is false, and is only useful
# if you have other password_providers.
#
#localdb_enabled: false
# Uncomment and change to a secret random string for extra security.
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
#
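Review bot: `password_config.get("localdb_enabled", True)` in read_config stores whatever the YAML parser produced without checking its type, so a quoted value such as `localdb_enabled: "false"` is a non-empty string, evaluates as true, and leaves local password authentication on while the operator believes it is off. Because this option is a security control, anything that is not a real boolean should be rejected at load time, e.g. `if not isinstance(self.password_localdb_enabled, bool): raise ConfigError("password_config.localdb_enabled must be true or false")` (assuming the project's ConfigError is importable in this module). The neighbouring `enabled` lookup has the same shape. read_config starts above the hunk.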
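--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -743,7 +743,7 @@ def validate_login(self, username, login_submission):
 result = (result, None)
 defer.returnValue(result)
 
-if login_type == LoginType.PASSWORD:
+if login_type == LoginType.PASSWORD and self.hs.config.password_localdb_enabled:
 known_login_type = True
 
 canonical_user_id = yield self._check_local_password(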
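Review bot: Because the new condition wraps the whole branch, `known_login_type = True` is skipped as well when `password_localdb_enabled` is false, so a password login that no provider accepted is presumably treated by the code after this hunk as an unrecognised login type rather than as a failed authentication. validate_login starts and ends outside the hunk, so that needs confirming against the full function. If clients should see the same failure either way, keep the type check as it was and gate only the lookup, with `if self.hs.config.password_localdb_enabled:` around the `_check_local_password` call. The guard also lives only at this call site; any other caller of `_check_local_password` would still reach the local database, which placing the check inside that helper would prevent.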
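--- a/synapse/handlers/set_password.py
+++ b/synapse/handlers/set_password.py
@@ -33,6 +33,9 @@ def __init__(self, hs):
 
 @defer.inlineCallbacks
 def set_password(self, user_id, newpassword, requester=None):
+if not self.hs.config.password_localdb_enabled:
+raise SynapseError(403, "Password change disabled", errcode=Codes.FORBIDDEN)
+
 password_hash = yield self._auth_handler.hash(newpassword)
 
 except_device_id = requester.device_id if requester else None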
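Review bot: The guard at the top of `set_password` refuses every caller, including calls that pass no requester (the `requester=None` default), yet nothing in the new code or in the `localdb_enabled` config text says that turning the option off also disables password changes. A one-line comment above the check would record the reason, e.g. `# Local password database is disabled: refuse to store a new password hash.`, and the sample-config comment could gain `This also disables changing passwords through the homeserver.` If an administrative reset path goes through this handler it is blocked too, which should be confirmed as intended. The body of set_password continues outside the hunk.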
