Return a different error from Invalid Password when a user is deactivated (#5674)

anoadragon453 · web-flow · commit 18c516698e78 · 2019-07-15T11:45:29.000+01:00
Return `This account has been deactivated` instead of `Invalid password` when a user is deactivated.
diff --git a/changelog.d/5674.feature b/changelog.d/5674.feature
@@ -0,0 +1 @@
+Return "This account has been deactivated" when a deactivated user tries to login.
diff --git a/synapse/api/errors.py b/synapse/api/errors.py
@@ -139,6 +139,22 @@ def error_dict(self):
         return cs_error(self.msg, self.errcode, consent_uri=self._consent_uri)
 
 
+class UserDeactivatedError(SynapseError):
+    """The error returned to the client when the user attempted to access an
+    authenticated endpoint, but the account has been deactivated.
+    """
+
+    def __init__(self, msg):
+        """Constructs a UserDeactivatedError
+
+        Args:
+            msg (str): The human-readable error message
+        """
+        super(UserDeactivatedError, self).__init__(
+            code=http_client.FORBIDDEN, msg=msg, errcode=Codes.UNKNOWN
+        )
+
+
 class RegistrationError(SynapseError):
     """An error raised when a registration event fails."""
 
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
@@ -35,6 +35,7 @@
     LoginError,
     StoreError,
     SynapseError,
+    UserDeactivatedError,
 )
 from synapse.api.ratelimiting import Ratelimiter
 from synapse.logging.context import defer_to_thread
@@ -623,6 +624,7 @@ def check_user_exists(self, user_id):
         Raises:
             LimitExceededError if the ratelimiter's login requests count for this
                 user is too high too proceed.
+            UserDeactivatedError if a user is found but is deactivated.
         """
         self.ratelimit_login_per_account(user_id)
         res = yield self._find_user_id_and_pwd_hash(user_id)
@@ -838,6 +840,13 @@ def _check_local_password(self, user_id, password):
         if not lookupres:
             defer.returnValue(None)
         (user_id, password_hash) = lookupres
+
+        # If the password hash is None, the account has likely been deactivated
+        if not password_hash:
+            deactivated = yield self.store.get_user_deactivated_status(user_id)
+            if deactivated:
+                raise UserDeactivatedError("This account has been deactivated")
+
         result = yield self.validate_hash(password, password_hash)
         if not result:
             logger.warn("Failed password login for user %s", user_id)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Return "This account has been deactivated" when a deactivated user tries to login.`