Merge pull request #395 from matrix-org/hs/auth-provisioner

Require auth on provisioning endpoints
matrix-org · Apr 17, 2020 · 340fabf · 340fabf
2 parents 95470fa + d6a1b43
commit 340fabf
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 30 deletions.
diff --git a/changelog.d/395.bugfix b/changelog.d/395.bugfix
@@ -0,0 +1 @@
+**SECURITY FIX** The bridge now requires authentication on the /_matrix/provision set of endpoints. It requires either an `access_token` query parameter or a `Authorization` header containing the `hs_token` provided in the registration file.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -35,7 +35,7 @@
     "chai": "^4.2.0",
     "escape-string-regexp": "^2.0.0",
     "matrix-appservice": "^0.4.1",
-    "matrix-appservice-bridge": "^1.11.1",
+    "matrix-appservice-bridge": "^1.12.1",
     "minimist": "^1.2.5",
     "nedb": "^1.8.0",
     "node-emoji": "^1.10.0",

diff --git a/src/Main.ts b/src/Main.ts
@@ -816,6 +816,7 @@ export class Main {
             handler: this.onHealth.bind(this.bridge),
             method: "GET",
             path: "/health",
+            checkToken: false,
         });
 
         const provisioningEnabled = this.config.provisioning?.enable;

diff --git a/src/Provisioning.ts b/src/Provisioning.ts
@@ -48,6 +48,7 @@ export class Provisioner {
                 await this.handleProvisioningRequest(verb as Verbs, req, res);
             },
             method: "POST",
+            checkToken: true,
             path: "/_matrix/provision/:verb",
         });
     }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		SECURITY FIX The bridge now requires authentication on the /_matrix/provision set of endpoints. It requires either an `access_token` query parameter or a `Authorization` header containing the `hs_token` provided in the registration file.