MSC2918: disable refresh tokens when session_lifetime is set

sandhose · sandhose · commit 8f8f3690e091 · 2021-06-03T18:51:02.000+02:00
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
@@ -1176,10 +1176,6 @@ url_preview_accept_language:
 #
 #session_lifetime: 24h
 
-# MSC2918
-# TODO: docs
-#access_token_lifetime: 5m
-
 # The user must provide all of the below types of 3PID when registering.
 #
 #registrations_require_3pid:
diff --git a/synapse/config/registration.py b/synapse/config/registration.py
@@ -119,10 +119,21 @@ def read_config(self, config, **kwargs):
             session_lifetime = self.parse_duration(session_lifetime)
         self.session_lifetime = session_lifetime
 
-        access_token_lifetime = config.get("access_token_lifetime", "5m")
-        access_token_lifetime = self.parse_duration(access_token_lifetime)
+        access_token_lifetime = config.get(
+            "access_token_lifetime", "5m" if session_lifetime is None else None
+        )
+        if access_token_lifetime is not None:
+            access_token_lifetime = self.parse_duration(access_token_lifetime)
         self.access_token_lifetime = access_token_lifetime
 
+        if session_lifetime is not None and access_token_lifetime is not None:
+            raise ConfigError(
+                "The refresh token mechanism is incompatible with the "
+                "`session_lifetime` option. Consider disabling the "
+                "`session_lifetime` option or disabling the refresh token "
+                "mechanism by removing the `access_token_lifetime` option."
+            )
+
         # The success template used during fallback auth.
         self.fallback_success_template = self.read_template("auth_success.html")
 
@@ -156,10 +167,6 @@ def generate_config_section(self, generate_secrets=False, **kwargs):
         #
         #session_lifetime: 24h
 
-        # MSC2918
-        # TODO: docs
-        #access_token_lifetime: 5m
-
         # The user must provide all of the below types of 3PID when registering.
         #
         #registrations_require_3pid:
diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py
@@ -84,6 +84,7 @@ def __init__(self, hs: "HomeServer"):
         self.cas_enabled = hs.config.cas_enabled
         self.oidc_enabled = hs.config.oidc_enabled
         self._msc2858_enabled = hs.config.experimental.msc2858_enabled
+        self._msc2918_enabled = hs.config.access_token_lifetime is not None
 
         self.auth = hs.get_auth()
 
@@ -159,10 +160,14 @@ def on_GET(self, request: SynapseRequest):
     async def on_POST(self, request: SynapseRequest):
         login_submission = parse_json_object_from_request(request)
 
-        # Check if this login should also issue a refresh token, as per MSC2918
-        should_issue_refresh_token = parse_boolean(
-            request, name=LoginRestServlet.REFRESH_TOKEN_PARAM, default=False
-        )
+        if self._msc2918_enabled:
+            # Check if this login should also issue a refresh token, as per
+            # MSC2918
+            should_issue_refresh_token = parse_boolean(
+                request, name=LoginRestServlet.REFRESH_TOKEN_PARAM, default=False
+            )
+        else:
+            should_issue_refresh_token = False
 
         try:
             if login_submission["type"] == LoginRestServlet.APPSERVICE_TYPE:
@@ -595,7 +600,8 @@ async def on_GET(self, request: SynapseRequest) -> None:
 
 def register_servlets(hs, http_server):
     LoginRestServlet(hs).register(http_server)
-    RefreshTokenServlet(hs).register(http_server)
+    if hs.config.access_token_lifetime is not None:
+        RefreshTokenServlet(hs).register(http_server)
     SsoRedirectServlet(hs).register(http_server)
     if hs.config.cas_enabled:
         CasTicketServlet(hs).register(http_server)
diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py
@@ -400,6 +400,7 @@ def __init__(self, hs):
         self.password_policy_handler = hs.get_password_policy_handler()
         self.clock = hs.get_clock()
         self._registration_enabled = self.hs.config.enable_registration
+        self._msc2918_enabled = hs.config.access_token_lifetime is not None
 
         self._registration_flows = _calculate_registration_flows(
             hs.config, self.auth_handler
@@ -425,11 +426,14 @@ async def on_POST(self, request):
                 "Do not understand membership kind: %s" % (kind.decode("utf8"),)
             )
 
-        # Check if this registration should also issue a refresh token, as per
-        # MSC2918
-        should_issue_refresh_token = parse_boolean(
-            request, name="org.matrix.msc2918.refresh_token", default=False
-        )
+        if self._msc2918_enabled:
+            # Check if this registration should also issue a refresh token, as
+            # per MSC2918
+            should_issue_refresh_token = parse_boolean(
+                request, name="org.matrix.msc2918.refresh_token", default=False
+            )
+        else:
+            should_issue_refresh_token = False
 
         # Pull out the provided username and do basic sanity checks early since
         # the auth layer will store these in sessions.

Original file line number	Diff line number	Diff line change
`@@ -1176,10 +1176,6 @@ url_preview_accept_language:`
`1176`	`1176`	`#`
`1177`	`1177`	`#session_lifetime: 24h`
`1178`	`1178`
`1179`		`-# MSC2918`
`1180`		`-# TODO: docs`
`1181`		`-#access_token_lifetime: 5m`
`1182`		`-`
`1183`	`1179`	`# The user must provide all of the below types of 3PID when registering.`
`1184`	`1180`	`#`
`1185`	`1181`	`#registrations_require_3pid:`