dendrite/clientapi/routing/device.go
2023-05-09 22:46:49 +00:00

302 lines
7.9 KiB
Go

// Copyright 2017 Paul Tötterman <paul.totterman@iki.fi>
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package routing
import (
"encoding/json"
"io"
"net"
"net/http"
"github.com/matrix-org/dendrite/clientapi/auth"
"github.com/matrix-org/dendrite/clientapi/httputil"
"github.com/matrix-org/dendrite/userapi/api"
"github.com/matrix-org/gomatrixserverlib"
"github.com/matrix-org/gomatrixserverlib/spec"
"github.com/matrix-org/util"
"github.com/tidwall/gjson"
)
// https://matrix.org/docs/spec/client_server/r0.6.1#get-matrix-client-r0-devices
type deviceJSON struct {
DeviceID string `json:"device_id"`
DisplayName string `json:"display_name"`
LastSeenIP string `json:"last_seen_ip"`
LastSeenTS int64 `json:"last_seen_ts"`
}
type devicesJSON struct {
Devices []deviceJSON `json:"devices"`
}
type deviceUpdateJSON struct {
DisplayName *string `json:"display_name"`
}
type devicesDeleteJSON struct {
Devices []string `json:"devices"`
}
// GetDeviceByID handles /devices/{deviceID}
func GetDeviceByID(
req *http.Request, userAPI api.ClientUserAPI, device *api.Device,
deviceID string,
) util.JSONResponse {
var queryRes api.QueryDevicesResponse
err := userAPI.QueryDevices(req.Context(), &api.QueryDevicesRequest{
UserID: device.UserID,
}, &queryRes)
if err != nil {
util.GetLogger(req.Context()).WithError(err).Error("QueryDevices failed")
return spec.InternalServerError()
}
var targetDevice *api.Device
for _, device := range queryRes.Devices {
if device.ID == deviceID {
targetDevice = &device
break
}
}
if targetDevice == nil {
return util.JSONResponse{
Code: http.StatusNotFound,
JSON: spec.NotFound("Unknown device"),
}
}
return util.JSONResponse{
Code: http.StatusOK,
JSON: deviceJSON{
DeviceID: targetDevice.ID,
DisplayName: targetDevice.DisplayName,
LastSeenIP: stripIPPort(targetDevice.LastSeenIP),
LastSeenTS: targetDevice.LastSeenTS,
},
}
}
// GetDevicesByLocalpart handles /devices
func GetDevicesByLocalpart(
req *http.Request, userAPI api.ClientUserAPI, device *api.Device,
) util.JSONResponse {
var queryRes api.QueryDevicesResponse
err := userAPI.QueryDevices(req.Context(), &api.QueryDevicesRequest{
UserID: device.UserID,
}, &queryRes)
if err != nil {
util.GetLogger(req.Context()).WithError(err).Error("QueryDevices failed")
return spec.InternalServerError()
}
res := devicesJSON{}
for _, dev := range queryRes.Devices {
res.Devices = append(res.Devices, deviceJSON{
DeviceID: dev.ID,
DisplayName: dev.DisplayName,
LastSeenIP: stripIPPort(dev.LastSeenIP),
LastSeenTS: dev.LastSeenTS,
})
}
return util.JSONResponse{
Code: http.StatusOK,
JSON: res,
}
}
// UpdateDeviceByID handles PUT on /devices/{deviceID}
func UpdateDeviceByID(
req *http.Request, userAPI api.ClientUserAPI, device *api.Device,
deviceID string,
) util.JSONResponse {
defer req.Body.Close() // nolint: errcheck
payload := deviceUpdateJSON{}
if resErr := httputil.UnmarshalJSONRequest(req, &payload); resErr != nil {
return *resErr
}
var performRes api.PerformDeviceUpdateResponse
err := userAPI.PerformDeviceUpdate(req.Context(), &api.PerformDeviceUpdateRequest{
RequestingUserID: device.UserID,
DeviceID: deviceID,
DisplayName: payload.DisplayName,
}, &performRes)
if err != nil {
util.GetLogger(req.Context()).WithError(err).Error("PerformDeviceUpdate failed")
return spec.InternalServerError()
}
if !performRes.DeviceExists {
return util.JSONResponse{
Code: http.StatusNotFound,
JSON: spec.Forbidden("device does not exist"),
}
}
return util.JSONResponse{
Code: http.StatusOK,
JSON: struct{}{},
}
}
// DeleteDeviceById handles DELETE requests to /devices/{deviceId}
func DeleteDeviceById(
req *http.Request, userInteractiveAuth *auth.UserInteractive, userAPI api.ClientUserAPI, device *api.Device,
deviceID string,
) util.JSONResponse {
var (
deleteOK bool
sessionID string
)
defer func() {
if deleteOK {
sessions.deleteSession(sessionID)
}
}()
ctx := req.Context()
defer req.Body.Close() // nolint:errcheck
bodyBytes, err := io.ReadAll(req.Body)
if err != nil {
return util.JSONResponse{
Code: http.StatusBadRequest,
JSON: spec.BadJSON("The request body could not be read: " + err.Error()),
}
}
// check that we know this session, and it matches with the device to delete
s := gjson.GetBytes(bodyBytes, "auth.session").Str
if dev, ok := sessions.getDeviceToDelete(s); ok {
if dev != deviceID {
return util.JSONResponse{
Code: http.StatusForbidden,
JSON: spec.Forbidden("session and device mismatch"),
}
}
}
if s != "" {
sessionID = s
}
login, errRes := userInteractiveAuth.Verify(ctx, bodyBytes, device)
if errRes != nil {
switch data := errRes.JSON.(type) {
case auth.Challenge:
sessions.addDeviceToDelete(data.Session, deviceID)
default:
}
return *errRes
}
localpart, _, err := gomatrixserverlib.SplitID('@', device.UserID)
if err != nil {
util.GetLogger(ctx).WithError(err).Error("gomatrixserverlib.SplitID failed")
return spec.InternalServerError()
}
// make sure that the access token being used matches the login creds used for user interactive auth, else
// 1 compromised access token could be used to logout all devices.
if login.Username() != localpart && login.Username() != device.UserID {
return util.JSONResponse{
Code: 403,
JSON: spec.Forbidden("Cannot delete another user's device"),
}
}
var res api.PerformDeviceDeletionResponse
if err := userAPI.PerformDeviceDeletion(ctx, &api.PerformDeviceDeletionRequest{
UserID: device.UserID,
DeviceIDs: []string{deviceID},
}, &res); err != nil {
util.GetLogger(ctx).WithError(err).Error("userAPI.PerformDeviceDeletion failed")
return spec.InternalServerError()
}
deleteOK = true
return util.JSONResponse{
Code: http.StatusOK,
JSON: struct{}{},
}
}
// DeleteDevices handles POST requests to /delete_devices
func DeleteDevices(
req *http.Request, userInteractiveAuth *auth.UserInteractive, userAPI api.ClientUserAPI, device *api.Device,
) util.JSONResponse {
ctx := req.Context()
bodyBytes, err := io.ReadAll(req.Body)
if err != nil {
return util.JSONResponse{
Code: http.StatusBadRequest,
JSON: spec.BadJSON("The request body could not be read: " + err.Error()),
}
}
defer req.Body.Close() // nolint:errcheck
// initiate UIA
login, errRes := userInteractiveAuth.Verify(ctx, bodyBytes, device)
if errRes != nil {
return *errRes
}
if login.Username() != device.UserID {
return util.JSONResponse{
Code: http.StatusForbidden,
JSON: spec.Forbidden("unable to delete devices for other user"),
}
}
payload := devicesDeleteJSON{}
if err = json.Unmarshal(bodyBytes, &payload); err != nil {
util.GetLogger(ctx).WithError(err).Error("unable to unmarshal device deletion request")
return spec.InternalServerError()
}
var res api.PerformDeviceDeletionResponse
if err := userAPI.PerformDeviceDeletion(ctx, &api.PerformDeviceDeletionRequest{
UserID: device.UserID,
DeviceIDs: payload.Devices,
}, &res); err != nil {
util.GetLogger(ctx).WithError(err).Error("userAPI.PerformDeviceDeletion failed")
return spec.InternalServerError()
}
return util.JSONResponse{
Code: http.StatusOK,
JSON: struct{}{},
}
}
// stripIPPort converts strings like "[::1]:12345" to "::1"
func stripIPPort(addr string) string {
ip := net.ParseIP(addr)
if ip != nil {
return addr
}
host, _, err := net.SplitHostPort(addr)
if err != nil {
return ""
}
ip = net.ParseIP(host)
if ip != nil {
return host
}
return ""
}