summary refs log tree commit diff
path: root/synapse/config
diff options
context:
space:
mode:
authorAndrew Morgan <1342360+anoadragon453@users.noreply.github.com>2020-07-02 11:01:02 +0100
committerGitHub <noreply@github.com>2020-07-02 11:01:02 +0100
commit21821c076a9335efbdc13a5875fe548f3726b8bc (patch)
treeb4407227e3614580c484b74470c81144e0898a2a /synapse/config
parentMerge pull request #50 from matrix-org/dinsic-release-v1.15.x (diff)
downloadsynapse-21821c076a9335efbdc13a5875fe548f3726b8bc.tar.xz
Add option to autobind user's email on registration (#51)
Adds an option, `bind_new_user_emails_to_sydent`, which uses Sydent's [internal bind api](https://github.com/matrix-org/sydent#internal-bind-and-unbind-api) to automatically bind email addresses of users immediately after they register.

This is quite enterprise-specific, but could be generally useful to multiple organizations. This aims to solve the problem of requiring users to verify their email twice when using the functionality of an identity server in a corporate deployment - where both the homeserver and identity server are controlled. It does with while eliminating the need for the `account_threepid_delegates.email` option, which historically has been a very complicated option to reason about.
Diffstat (limited to 'synapse/config')
-rw-r--r--synapse/config/registration.py35
1 files changed, 35 insertions, 0 deletions
diff --git a/synapse/config/registration.py b/synapse/config/registration.py

index a46b3ef53e..43b87e9a70 100644
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@@ -177,6 +177,23 @@ class RegistrationConfig(Config):
             session_lifetime = self.parse_duration(session_lifetime)
         self.session_lifetime = session_lifetime
 
+        self.bind_new_user_emails_to_sydent = config.get(
+            "bind_new_user_emails_to_sydent"
+        )
+
+        if self.bind_new_user_emails_to_sydent:
+            if not isinstance(
+                self.bind_new_user_emails_to_sydent, str
+            ) or not self.bind_new_user_emails_to_sydent.startswith("http"):
+                raise ConfigError(
+                    "Option bind_new_user_emails_to_sydent has invalid value"
+                )
+
+            # Remove trailing slashes
+            self.bind_new_user_emails_to_sydent = self.bind_new_user_emails_to_sydent.strip(
+                "/"
+            )
+
     def generate_config_section(self, generate_secrets=False, **kwargs):
         if generate_secrets:
             registration_shared_secret = 'registration_shared_secret: "%s"' % (
@@ -469,6 +486,24 @@ class RegistrationConfig(Config):
         #
         #rewrite_identity_server_urls:
         #   "https://somewhere.example.com": "https://somewhereelse.example.com"
+
+        # When a user registers an account with an email address, it can be useful to
+        # bind that email address to their mxid on an identity server. Typically, this
+        # requires the user to validate their email address with the identity server.
+        # However if Synapse itself is handling email validation on registration, the
+        # user ends up needing to validate their email twice, which leads to poor UX.
+        #
+        # It is possible to force Sydent, one identity server implementation, to bind
+        # threepids using its internal, unauthenticated bind API:
+        # https://github.com/matrix-org/sydent/#internal-bind-and-unbind-api
+        #
+        # Configure the address of a Sydent server here to have Synapse attempt
+        # to automatically bind users' emails following registration. The
+        # internal bind API must be reachable from Synapse, but should NOT be
+        # exposed to any third party, as it allows the creation of bindings
+        # without validation.
+        #
+        #bind_new_user_emails_to_sydent: https://example.com:8091
         """
             % locals()
         )
generated by cgit-magenta 1.5.1 (git 2.48.1) at 2025-08-02 03:05:16 +0000