diff --git a/synapse/handlers/register.py b/synapse/handlers/register.py
index 5b808beac1..157ebaf251 100644
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@@ -15,6 +15,7 @@
"""Contains functions for registering clients."""
import logging
+import re
from twisted.internet import defer
@@ -293,7 +294,7 @@ class RegistrationHandler(BaseHandler):
"""
for c in threepidCreds:
- logger.info("validating theeepidcred sid %s on id server %s",
+ logger.info("validating threepidcred sid %s on id server %s",
c['sid'], c['idServer'])
try:
identity_handler = self.hs.get_handlers().identity_handler
@@ -307,6 +308,16 @@ class RegistrationHandler(BaseHandler):
logger.info("got threepid with medium '%s' and address '%s'",
threepid['medium'], threepid['address'])
+ for constraint in self.hs.config.registrations_require_3pid:
+ if (
+ constraint['medium'] == 'email' and
+ threepid['medium'] == 'email' and
+ re.match(constraint['pattern'], threepid['address'])
+ ):
+ raise RegistrationError(
+ 403, "Third party identifier is not allowed"
+ )
+
@defer.inlineCallbacks
def bind_emails(self, user_id, threepidCreds):
"""Links emails with a user ID and informs an identity server.
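Review bot: The added loop raises when `re.match(constraint['pattern'], threepid['address'])` succeeds, while every other call site in this commit raises when `check_3pid_allowed(...)` is false. If the patterns in `registrations_require_3pid` describe permitted addresses, the condition is inverted: it would refuse the allowed addresses and accept the rest. Using the shared helper, `if not check_3pid_allowed(self.hs, threepid['medium'], threepid['address']):`, would keep a single definition of the policy and also cover msisdn, which this loop skips; whether the helper is imported in this module is not visible in the diff. `re.match` anchors only at the start, so a pattern without a trailing `$` also matches longer addresses that merely begin with a permitted one. The raise also omits `Codes.THREEPID_DENIED`, which the REST servlets pass for the same failure, and the enclosing method starts before this hunk.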
diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py
index 32ed1d3ab2..f793542ad6 100644
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@@ -70,10 +70,24 @@ class RegisterRestServlet(ClientV1RestServlet):
self.handlers = hs.get_handlers()
def on_GET(self, request):
+
+ require_email = False
+ require_msisdn = False
+ for constraint in self.hs.config.registrations_require_3pid:
+ if constraint['medium'] == 'email':
+ require_email = True
+ elif constraint['medium'] == 'msisdn':
+ require_msisdn = True
+ else:
+ logger.warn(
+ "Unrecognised 3PID medium %s in registrations_require_3pid" %
+ constraint['medium']
+ )
+
+ flows = []
if self.hs.config.enable_registration_captcha:
- return (
- 200,
- {"flows": [
+ if require_email or not require_msisdn:
+ flows.extend([
{
"type": LoginType.RECAPTCHA,
"stages": [
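Review bot: An unrecognised medium in `registrations_require_3pid` is only logged in the `else` branch and then ignored. A misspelt entry (constructed example: `e-mail`) therefore leaves `require_email` and `require_msisdn` both false, and the password-only flow is still advertised. Rejecting unknown media when the config is loaded would fail closed instead of warning on every GET. If the warning stays, `logger.warning("Unrecognised 3PID medium %s in registrations_require_3pid", constraint['medium'])` avoids the deprecated `warn` alias and the eager `%` formatting. The body of `on_GET` continues past the end of this hunk.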
@@ -82,27 +96,31 @@ class RegisterRestServlet(ClientV1RestServlet):
LoginType.PASSWORD
]
},
+ ])
+ if not require_email and not require_msisdn:
+ flows.extend([
{
"type": LoginType.RECAPTCHA,
"stages": [LoginType.RECAPTCHA, LoginType.PASSWORD]
}
- ]}
- )
+ ])
else:
- return (
- 200,
- {"flows": [
+ if require_email or not require_msisdn:
+ flows.extend([
{
"type": LoginType.EMAIL_IDENTITY,
"stages": [
LoginType.EMAIL_IDENTITY, LoginType.PASSWORD
]
- },
+ }
+ ])
+ if not require_email and not require_msisdn:
+ flows.extend([
{
"type": LoginType.PASSWORD
}
- ]}
- )
+ ])
+ return (200, {"flows": flows})
@defer.inlineCallbacks
def on_POST(self, request):
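Review bot: When only msisdn is required, none of the four `flows.extend` calls runs and the response is `{"flows": []}`. That is presumably intended because the v1 API has no msisdn stage, but nothing in the code says so. A comment at the `flows = []` initialisation in the previous hunk would record it, for example `# v1 has no msisdn flow: if only msisdn is required, no flow is offered`. The list is also only an advertisement to clients, so the requirement has to be enforced in `on_POST`, whose body lies outside this hunk. It is worth confirming that a password-only v1 registration is refused there when a 3PID is required.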
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py
index 66221e8f00..2977ad439f 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -48,7 +48,9 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
])
if not check_3pid_allowed(self.hs, "email", body['email']):
- raise SynapseError(403, "3PID denied", Codes.THREEPID_DENIED)
+ raise SynapseError(
+ 403, "Third party identifier is not allowed", Codes.THREEPID_DENIED
+ )
existingUid = yield self.hs.get_datastore().get_user_id_by_threepid(
'email', body['email']
@@ -82,7 +84,9 @@ class MsisdnPasswordRequestTokenRestServlet(RestServlet):
msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])
if not check_3pid_allowed(self.hs, "msisdn", msisdn):
- raise SynapseError(403, "3PID denied", Codes.THREEPID_DENIED)
+ raise SynapseError(
+ 403, "Third party identifier is not allowed", Codes.THREEPID_DENIED
+ )
existingUid = yield self.datastore.get_user_id_by_threepid(
'msisdn', msisdn
@@ -224,7 +228,9 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
raise SynapseError(400, "Missing params: %r" % absent, Codes.MISSING_PARAM)
if not check_3pid_allowed(self.hs, "email", body['email']):
- raise SynapseError(403, "3PID denied", Codes.THREEPID_DENIED)
+ raise SynapseError(
+ 403, "Third party identifier is not allowed", Codes.THREEPID_DENIED
+ )
existingUid = yield self.datastore.get_user_id_by_threepid(
'email', body['email']
@@ -265,7 +271,9 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet):
msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])
if not check_3pid_allowed(self.hs, "msisdn", msisdn):
- raise SynapseError(403, "3PID denied", Codes.THREEPID_DENIED)
+ raise SynapseError(
+ 403, "Third party identifier is not allowed", Codes.THREEPID_DENIED
+ )
existingUid = yield self.datastore.get_user_id_by_threepid(
'msisdn', msisdn
diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py
index 762782c1f0..898d8b133a 100644
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@@ -72,7 +72,9 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
])
if not check_3pid_allowed(self.hs, "email", body['email']):
- raise SynapseError(403, "3PID denied", Codes.THREEPID_DENIED)
+ raise SynapseError(
+ 403, "Third party identifier is not allowed", Codes.THREEPID_DENIED
+ )
existingUid = yield self.hs.get_datastore().get_user_id_by_threepid(
'email', body['email']
@@ -110,7 +112,9 @@ class MsisdnRegisterRequestTokenRestServlet(RestServlet):
msisdn = phone_number_to_msisdn(body['country'], body['phone_number'])
if not check_3pid_allowed(self.hs, "msisdn", msisdn):
- raise SynapseError(403, "3PID denied", Codes.THREEPID_DENIED)
+ raise SynapseError(
+ 403, "Third party identifier is not allowed", Codes.THREEPID_DENIED
+ )
existingUid = yield self.hs.get_datastore().get_user_id_by_threepid(
'msisdn', msisdn
@@ -368,7 +372,9 @@ class RegisterRestServlet(RestServlet):
auth_result[LoginType.EMAIL_IDENTITY].threepid.address
)
):
- raise SynapseError(403, "3PID denied", Codes.THREEPID_DENIED)
+ raise SynapseError(
+ 403, "Third party identifier is not allowed", Codes.THREEPID_DENIED
+ )
elif (
constraint['medium'] == 'msisdn' and
auth_result and LoginType.MSISDN in auth_result and
@@ -377,7 +383,9 @@ class RegisterRestServlet(RestServlet):
auth_result[LoginType.MSISDN].threepid.address
)
):
- raise SynapseError(403, "3PID denied", Codes.THREEPID_DENIED)
+ raise SynapseError(
+ 403, "Third party identifier is not allowed", Codes.THREEPID_DENIED
+ )
if registered_user_id is not None:
logger.info(