Add option to autobind user's email on registration (#51)

Adds an option, `bind_new_user_emails_to_sydent`, which uses Sydent's [internal bind api](https://github.com/matrix-org/sydent#internal-bind-and-unbind-api) to automatically bind email addresses of users immediately after they register.

This is quite enterprise-specific, but could be generally useful to multiple organizations. This aims to solve the problem of requiring users to verify their email twice when using the functionality of an identity server in a corporate deployment - where both the homeserver and identity server are controlled. It does with while eliminating the need for the `account_threepid_delegates.email` option, which historically has been a very complicated option to reason about.

2 files changed, 45 insertions, 24 deletions

diff --git a/synapse/handlers/identity.py b/synapse/handlers/identity.py
index 6039034c00..a77088e295 100644
--- a/synapse/handlers/identity.py
+++ b/synapse/handlers/identity.py
@@ -1033,6 +1033,30 @@ class IdentityHandler(BaseHandler):
         display_name = data["display_name"]
         return token, public_keys, fallback_public_key, display_name
 
+    async def bind_email_using_internal_sydent_api(
+        self, id_server_url: str, email: str, user_id: str,
+    ):
+        """Bind an email to a fully qualified user ID using the internal API of an
+        instance of Sydent.
+
+        Args:
+            id_server_url: The URL of the Sydent instance
+            email: The email address to bind
+            user_id: The user ID to bind the email to
+
+        Raises:
+            HTTPResponseException: On a non-2xx HTTP response.
+        """
+        # id_server_url is assumed to have no trailing slashes
+        url = id_server_url + "/_matrix/identity/internal/bind"
+        body = {
+            "address": email,
+            "medium": "email",
+            "mxid": user_id,
+        }
+
+        await self.http_client.post_json_get_json(url, body)
+
 
 def create_id_access_token_header(id_access_token):
     """Create an Authorization header for passing to SimpleHttpClient as the header value
diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py
index d5d44de8d0..99c1a78fd0 100644
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@@ -636,6 +636,7 @@ class RegistrationHandler(BaseHandler):
 
         if auth_result and LoginType.EMAIL_IDENTITY in auth_result:
             threepid = auth_result[LoginType.EMAIL_IDENTITY]
+
             # Necessary due to auth checks prior to the threepid being
             # written to the db
             if is_threepid_reserved(
@@ -645,34 +646,30 @@ class RegistrationHandler(BaseHandler):
 
             await self.register_email_threepid(user_id, threepid, access_token)
 
-            if self.hs.config.account_threepid_delegate_email:
-                # Bind the 3PID to the identity server
+            if self.hs.config.bind_new_user_emails_to_sydent:
+                # Attempt to call Sydent's internal bind API on the given identity server
+                # to bind this threepid
+                id_server_url = self.hs.config.bind_new_user_emails_to_sydent
+
                 logger.debug(
-                    "Binding email to %s on id_server %s",
+                    "Attempting the bind email of %s to identity server: %s using "
+                    "internal Sydent bind API.",
                     user_id,
-                    self.hs.config.account_threepid_delegate_email,
+                    self.hs.config.bind_new_user_emails_to_sydent,
                 )
-                threepid_creds = threepid["threepid_creds"]
-
-                # Remove the protocol scheme before handling to `bind_threepid`
-                # `bind_threepid` will add https:// to it, so this restricts
-                # account_threepid_delegate.email to https:// addresses only
-                # We assume this is always the case for dinsic however.
-                if self.hs.config.account_threepid_delegate_email.startswith(
-                    "https://"
-                ):
-                    id_server = self.hs.config.account_threepid_delegate_email[8:]
-                else:
-                    # Must start with http:// instead
-                    id_server = self.hs.config.account_threepid_delegate_email[7:]
 
-                await self.identity_handler.bind_threepid(
-                    threepid_creds["client_secret"],
-                    threepid_creds["sid"],
-                    user_id,
-                    id_server,
-                    threepid_creds.get("id_access_token"),
-                )
+                try:
+                    await self.identity_handler.bind_email_using_internal_sydent_api(
+                        id_server_url, threepid["address"], user_id
+                    )
+                except Exception as e:
+                    logger.warning(
+                        "Failed to bind email of '%s' to Sydent instance '%s' ",
+                        "using Sydent internal bind API: %s",
+                        user_id,
+                        id_server_url,
+                        e,
+                    )
 
         if auth_result and LoginType.MSISDN in auth_result:
             threepid = auth_result[LoginType.MSISDN]