This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

org.matrix.login.jwt login succeeded even if user is deactivated #12274

Closed
laurent-treeb opened this issue Mar 23, 2022 · 4 comments · Fixed by #15624
Labels
A-Account-Deactivation "Deleting"/"Removing" a user, GDPR erasure (erased) S-Minor Blocks non-critical functionality, workarounds exist. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments


laurent-treeb commented Mar 23, 2022

Version: 1.46 to 1.54

  1. Server configured with jwt_config.enabled=true
  2. Login a test user with type=org.matrix.login.jwt and token
  3. With admin user, deactivate the test user /_synapse/admin/v1/deactivate/{userid}
  4. Relogin the test user with type=org.matrix.login.jwt and token
    • -> here the login succeeds
    • => it should be refused with 403 M_USER_DEACTIVATED
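A minimal model of the check this report asks for, added here as an illustration; it is not Synapse's code. The HS256 token format, the Matrix ID built from the `sub` claim, and the in-memory account table are constructed assumptions for the demo, and `check_deactivated=False` reproduces the reported behaviour.

```python
import base64, hashlib, hmac, json

# Constructed in-memory account table standing in for the homeserver's store.
# Assumed shape; this is not Synapse's data model.
USERS = {
    "@alice:example.org": {"deactivated": False},
    "@bob:example.org": {"deactivated": True},  # deactivated via the admin API
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (test helper; in practice the external IdP issues it)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes) -> dict:
    """Check the HS256 signature and return the claims, or raise ValueError."""
    header, body, sig = token.split(".")  # ValueError if not three parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm server-side
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

def jwt_login(token: str, secret: bytes, check_deactivated: bool = True):
    """Login with type=org.matrix.login.jwt -> (status, body). check_deactivated=False
    reproduces the reported bug: a valid token logs a deactivated account back in."""
    try:
        claims = verify_jwt(token, secret)
    except ValueError as exc:
        return 403, {"errcode": "M_UNAUTHORIZED", "error": str(exc)}
    user_id = f"@{claims['sub']}:example.org"  # assumed: 'sub' claim + server name
    user = USERS.get(user_id)
    if user is None:  # assumption: unknown users are refused rather than auto-created
        return 403, {"errcode": "M_UNAUTHORIZED", "error": "unknown user"}
    if check_deactivated and user["deactivated"]:
        # The missing check: a valid external token must not override deactivation.
        return 403, {"errcode": "M_USER_DEACTIVATED", "error": "Account deactivated"}
    return 200, {"user_id": user_id, "access_token": "<constructed token>"}
```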

laurent-treeb commented Mar 23, 2022

Related pull request: #12276

@laurent-treeb (Author)

The pull request doesn't manage the reactivation of the user.
When a user is reactivated via
/_synapse/admin/v2/users/{userid} and "deactivated": false
a password value is required.

But in the case of org.matrix.login.jwt, there is no password, so maybe the password should be optional on reactivation, but I haven't evaluated the impact on other features.

@anoadragon453 anoadragon453 added S-Minor Blocks non-critical functionality, workarounds exist. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. labels Mar 28, 2022
@anoadragon453 (Member)

Thank you for filing this and for providing a PR that aims to fix it! I agree that a JWT user should be unable to log in when their account is deactivated.

When a user is reactivated via /_synapse/admin/v2/users/{userid} and "deactivated": false a password value is required.

The inability to reactivate users without a local password is tracked at #10397.

@bradjones1 (Contributor)

Is this not a security issue?

@MadLittleMods MadLittleMods added the A-Account-Deactivation "Deleting"/"Removing" a user, GDPR erasure (erased) label Apr 25, 2023
@clokep clokep self-assigned this May 18, 2023