From cb272bcfe89974ba575841e31b45b9edba293887 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Thu, 25 Jun 2020 11:03:10 +0100
Subject: Explain why we rate-limit using a threepid
---
 synapse/rest/client/v1/login.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py
index 602785fe22..98a3365f05 100644
--- a/synapse/rest/client/v1/login.py
+++ b/synapse/rest/client/v1/login.py
@@ -161,7 +161,8 @@ class LoginRestServlet(RestServlet):
 if not username:
 if medium and address:
 # The user attempted to login via threepid and failed
- # Record this failed attempt
+ # Record this failed attempt using the threepid as a key, as otherwise
+ # the user could bypass the ratelimiter by not providing a username
 self._failed_attempts_ratelimiter.can_do_action(
 (medium, address.lower())
 )
-- 
cgit 1.5.1
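Review bot: The new comment explains why the threepid is used as the key but not that the key is normalised with `address.lower()`, and the return value of `can_do_action` on the following line is silently discarded; both are things the next maintainer needs to know to keep the ratelimiter effective. Whatever check enforces the limit before the login attempt (it is outside this hunk) must build the identical `(medium, address.lower())` tuple, otherwise the failures recorded here are keyed differently from the ones being enforced and an attacker can vary the case of an email address to avoid the limit. If `can_do_action` only reports whether the action is allowed rather than raising, ignoring its result here means this call purely records the failure, which is presumably intended since the login has already failed, but it should be stated. I would extend the comment with `# The address is lower-cased so this key matches the one checked before the attempt; the result of can_do_action is intentionally ignored since the login has already failed.` The enclosing method of LoginRestServlet begins outside the hunk.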