diff options
author | Brendan Abolivier <babolivier@matrix.org> | 2020-04-21 16:33:01 +0200 |
---|---|---|
committer | Brendan Abolivier <babolivier@matrix.org> | 2020-04-22 23:38:42 +0200 |
commit | 69ad7cc13bf2e2499c39daa4a2707421ad999762 (patch) | |
tree | af87771e54e4a52db8a04dc60216f19d8a90ad99 /synapse/config/server.py | |
parent | matrix.org was fine (diff) | |
download | synapse-69ad7cc13bf2e2499c39daa4a2707421ad999762.tar.xz |
Config option to inhibit 3PID errors on /requestToken
Adds a request_token_inhibit_errors configuration flag (disabled by default) which, if enabled, change the behaviour of all /requestToken endpoints so that they return a 200 and a fake sid if the 3PID was/was not found associated with an account (depending on the endpoint), instead of an error. Co-Authored-By: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Diffstat (limited to 'synapse/config/server.py')
-rw-r--r-- | synapse/config/server.py | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/synapse/config/server.py b/synapse/config/server.py index 7525765fee..8acf3946eb 100644 --- a/synapse/config/server.py +++ b/synapse/config/server.py @@ -507,6 +507,17 @@ class ServerConfig(Config): self.enable_ephemeral_messages = config.get("enable_ephemeral_messages", False) + # Inhibits the /requestToken endpoints from returning an error that might leak + # information about whether an e-mail address is in use or not on this + # homeserver, and instead return a 200 with a fake sid if this kind of error is + # met, without sending anything. + # This is a compromise between sending an email, which could be a spam vector, + # and letting the client know which email address is bound to an account and + # which one isn't. + self.request_token_inhibit_3pid_errors = config.get( + "request_token_inhibit_3pid_errors", False, + ) + def has_tls_listener(self) -> bool: return any(l["tls"] for l in self.listeners) @@ -967,6 +978,16 @@ class ServerConfig(Config): # - shortest_max_lifetime: 3d # longest_max_lifetime: 1y # interval: 1d + + # Inhibits the /requestToken endpoints from returning an error that might leak + # information about whether an e-mail address is in use or not on this + # homeserver. + # Note that for some endpoints the error situation is the e-mail already being + # used, and for others the error is entering the e-mail being unused. + # If this option is enabled, instead of returning an error, these endpoints will + # act as if no error happened and return a fake session ID ('sid') to clients. + # + #request_token_inhibit_3pid_errors: true """ % locals() ) |