Skip to content
This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

Prevent M_USER_IN_USE from being raised by registration methods until after email has been verified #48

Merged
merged 9 commits into from
Jun 22, 2020
Merged

Prevent M_USER_IN_USE from being raised by registration methods until after email has been verified #48

merged 9 commits into from
Jun 22, 2020

Conversation

anoadragon453
Copy link
Member

Prevents M_USER_IN_USE from being returned to the client before they're verified an associated email.

@anoadragon453 anoadragon453 requested a review from a team June 17, 2020 18:27
@giomfo
Copy link
Member

giomfo commented Jun 17, 2020

@anoadragon453 I had a look on your PR. I'm sorry but I think you took a wrong way.

We should not abort the register request because the provided username is already used.
We should just ignore it (not check whether the potential username already exists) on DINUM synapse because we will ignore it anyway.

I'm available to sync with you in order to expose my point of view

@anoadragon453
Copy link
Member Author

@giomfo OK, let's sync tomorrow

@giomfo
Copy link
Member

giomfo commented Jun 17, 2020

About /register/available, this is a good catch. But I think this API should just fail on DINUM synapse with an error like M_FORBIDDEN or not supported ...

@giomfo
Copy link
Member

giomfo commented Jun 19, 2020

@anoadragon453 I don't know if I'm right, but don't you think you should pass user_in_use_exception=False here?

Perhaps this change is useless in case of Tchap. I don't know

anoadragon453
anoadragon453 commented Jun 19, 2020
View reviewed changes
tests/rest/client/v2_alpha/test_register.py

self.assertEquals(channel.result["code"], b"400", channel.result)
self.assertEquals(channel.json_body["error"], "Invalid username")

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test is no longer relevant.

@anoadragon453
Copy link
Member Author

@giomfo Have updated to:

  • Have /register/available always return True. I didn't want to have it return an error as that would probably break Riot which may be useful to use sometimes (especially to find issues like this one!)
  • Just ignore the user provided username

giomfo
giomfo reviewed Jun 19, 2020
View reviewed changes
synapse/rest/client/v2_alpha/register.py
@@ -357,15 +357,9 @@ async def on_GET(self, request):
403, "Registration has been disabled", errcode=Codes.FORBIDDEN
)

ip = self.hs.get_ip_from_request(request)
with self.ratelimiter.ratelimit(ip) as wait_deferred:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do you remove the ratelimiter check here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that this endpoint just always returns {"available": True} I don't think there's much point in ratelimiting it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you're right, I agree
I forgot it was change about /register/available

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, hard to notice in the diff :)

synapse/handlers/register.py Outdated Show resolved Hide resolved
giomfo
giomfo approved these changes Jun 22, 2020
View reviewed changes
Copy link
Member

@giomfo giomfo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

@anoadragon453 anoadragon453 merged commit 7da71b7 into dinsic Jun 22, 2020
@anoadragon453 anoadragon453 deleted the anoa/register_user_in_use branch June 22, 2020 11:47
@babolivier babolivier mentioned this pull request Jan 13, 2022
Merged
babolivier added a commit to matrix-org/synapse that referenced this pull request Jan 26, 2022
@babolivier
Add a config flag to inhibit M_USER_IN_USE during registration (#11743
95b3f95 
)

This is mostly motivated by the tchap use case, where usernames are automatically generated from the user's email address (in a way that allows figuring out the email address from the username). Therefore, it's an issue if we respond to requests on /register and /register/available with M_USER_IN_USE, because it can potentially leak email addresses (which include the user's real name and place of work).

This commit adds a flag to inhibit the M_USER_IN_USE errors that are raised both by /register/available, and when providing a username early into the registration process. This error will still be raised if the user completes the registration process but the username conflicts. This is particularly useful when using modules (#11790 adds a module callback to set the username of users at registration) or SSO, since they can ensure the username is unique.

More context is available in the PR that introduced this behaviour to synapse-dinsic: matrix-org/synapse-dinsic#48 - as well as the issue in the matrix-dinsic repo: matrix-org/matrix-dinsic#476
babolivier added a commit that referenced this pull request Jan 26, 2022
@babolivier
Add a config flag to inhibit M_USER_IN_USE during registration (#11…
c54f5f4 
…743)

This is mostly motivated by the tchap use case, where usernames are automatically generated from the user's email address (in a way that allows figuring out the email address from the username). Therefore, it's an issue if we respond to requests on /register and /register/available with M_USER_IN_USE, because it can potentially leak email addresses (which include the user's real name and place of work).

This commit adds a flag to inhibit the M_USER_IN_USE errors that are raised both by /register/available, and when providing a username early into the registration process. This error will still be raised if the user completes the registration process but the username conflicts. This is particularly useful when using modules (matrix-org/synapse#11790 adds a module callback to set the username of users at registration) or SSO, since they can ensure the username is unique.

More context is available in the PR that introduced this behaviour to synapse-dinsic: #48 - as well as the issue in the matrix-dinsic repo: matrix-org/matrix-dinsic#476
babolivier added a commit to matrix-org/synapse that referenced this pull request Jan 26, 2022
@babolivier
Add a config flag to inhibit M_USER_IN_USE during registration (#11743
42905ed 
)

This is mostly motivated by the tchap use case, where usernames are automatically generated from the user's email address (in a way that allows figuring out the email address from the username). Therefore, it's an issue if we respond to requests on /register and /register/available with M_USER_IN_USE, because it can potentially leak email addresses (which include the user's real name and place of work).

This commit adds a flag to inhibit the M_USER_IN_USE errors that are raised both by /register/available, and when providing a username early into the registration process. This error will still be raised if the user completes the registration process but the username conflicts. This is particularly useful when using modules (#11790 adds a module callback to set the username of users at registration) or SSO, since they can ensure the username is unique.

More context is available in the PR that introduced this behaviour to synapse-dinsic: matrix-org/synapse-dinsic#48 - as well as the issue in the matrix-dinsic repo: matrix-org/matrix-dinsic#476
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@giomfo giomfo giomfo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@anoadragon453 @giomfo