summary refs log tree commit diff
path: root/synapse/config
diff options
context:
space:
mode:
authorBrendan Abolivier <babolivier@matrix.org>2020-04-23 10:38:57 +0200
committerGitHub <noreply@github.com>2020-04-23 10:38:57 +0200
commit6f4319368b3afab661c55367b9348f9b77bc04a5 (patch)
tree5e009c19cceb24b38471762ecc63520ab154decd /synapse/config
parentImprove example TURN configuration in documentation (#7284) (diff)
parentConfig option to inhibit 3PID errors on /requestToken (diff)
downloadsynapse-6f4319368b3afab661c55367b9348f9b77bc04a5.tar.xz
Merge pull request #7315 from matrix-org/babolivier/request_token
Config option to inhibit 3PID errors on /requestToken
Diffstat (limited to 'synapse/config')
-rw-r--r--synapse/config/server.py21
1 files changed, 21 insertions, 0 deletions
diff --git a/synapse/config/server.py b/synapse/config/server.py
index 7525765fee..8acf3946eb 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -507,6 +507,17 @@ class ServerConfig(Config):
 
         self.enable_ephemeral_messages = config.get("enable_ephemeral_messages", False)
 
+        # Inhibits the /requestToken endpoints from returning an error that might leak
+        # information about whether an e-mail address is in use or not on this
+        # homeserver, and instead return a 200 with a fake sid if this kind of error is
+        # met, without sending anything.
+        # This is a compromise between sending an email, which could be a spam vector,
+        # and letting the client know which email address is bound to an account and
+        # which one isn't.
+        self.request_token_inhibit_3pid_errors = config.get(
+            "request_token_inhibit_3pid_errors", False,
+        )
+
     def has_tls_listener(self) -> bool:
         return any(l["tls"] for l in self.listeners)
 
@@ -967,6 +978,16 @@ class ServerConfig(Config):
           #  - shortest_max_lifetime: 3d
           #    longest_max_lifetime: 1y
           #    interval: 1d
+
+        # Inhibits the /requestToken endpoints from returning an error that might leak
+        # information about whether an e-mail address is in use or not on this
+        # homeserver.
+        # Note that for some endpoints the error situation is the e-mail already being
+        # used, and for others the error is entering the e-mail being unused.
+        # If this option is enabled, instead of returning an error, these endpoints will
+        # act as if no error happened and return a fake session ID ('sid') to clients.
+        #
+        #request_token_inhibit_3pid_errors: true
         """
             % locals()
         )