Add restrictions by default to open registration in Synapse (#12091)

2 files changed, 15 insertions, 1 deletions

diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 9c2359ed8e..a21b48ab2e 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1218,10 +1218,18 @@ oembed:
 # Registration can be rate-limited using the parameters in the "Ratelimiting"
 # section of this file.
 
-# Enable registration for new users.
+# Enable registration for new users. Defaults to 'false'. It is highly recommended that if you enable registration,
+# you use either captcha, email, or token-based verification to verify that new users are not bots. In order to enable registration
+# without any verification, you must also set `enable_registration_without_verification`, found below.
 #
 #enable_registration: false
 
+# Enable registration without email or captcha verification. Note: this option is *not* recommended,
+# as registration without verification is a known vector for spam and abuse. Defaults to false. Has no effect
+# unless `enable_registration` is also enabled.
+#
+#enable_registration_without_verification: true
+
 # Time that a user's session remains valid for, after they log in.
 #
 # Note that this is not currently compatible with guest logins.
diff --git a/docs/upgrade.md b/docs/upgrade.md
index f039710520..062e823333 100644
--- a/docs/upgrade.md
+++ b/docs/upgrade.md
@@ -108,6 +108,12 @@ for more information and instructions on how to fix a database with incorrect va
 
 # Upgrading to v1.55.0
 
+## Open registration without verification is now disabled by default
+
+Synapse will refuse to start if registration is enabled without email, captcha, or token-based verification unless the new config 
+flag `enable_registration_without_verification` is set to "true".
+
+
 ## `synctl` script has been moved
 
 The `synctl` script