Remove ultimately unused feature of saving params from the first call in the session: it's probably too open to abuse.

author: David Baker <dave@matrix.org> 2015-04-23 14:44:12 +0100
committer: David Baker <dave@matrix.org> 2015-04-23 14:44:12 +0100
commit: 0eb61a3d16bffa83b0963418fa17a8cf6c760631 (patch)
tree: e7578a30df2784f8cddfa8ea798baced2e924a42 /synapse/handlers/auth.py
parent: Add an error code to 'missing token' response. (diff)
download: synapse-0eb61a3d16bffa83b0963418fa17a8cf6c760631.tar.xz
1 files changed, 10 insertions, 2 deletions
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 7b0ab4829b..ac07add2f7 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -78,8 +78,16 @@ class AuthHandler(BaseHandler):
         sess = self._get_session_info(sid)
 
         if len(clientdict) > 0:
-            sess['clientdict'] = clientdict
-            self._save_session(sess)
+            # This was designed to allow the client to omit the parameters
+            # and just supply the session in subsequent calls so it split
+            # auth between devices by just sharing the session, (eg. so you
+            # could continue registration from your phone having clicked the
+            # email auth link on there). It's probably too open to abuse
+            # because it lets unauthenticated clients store arbitrary objects
+            # on a home server.
+            #sess['clientdict'] = clientdict
+            #self._save_session(sess)
+            pass
         elif 'clientdict' in sess:
             clientdict = sess['clientdict']
author	David Baker <dave@matrix.org>	2015-04-23 14:44:12 +0100
committer	David Baker <dave@matrix.org>	2015-04-23 14:44:12 +0100
commit	0eb61a3d16bffa83b0963418fa17a8cf6c760631 (patch)
tree	e7578a30df2784f8cddfa8ea798baced2e924a42 /synapse/handlers/auth.py
parent	Add an error code to 'missing token' response. (diff)
download	synapse-0eb61a3d16bffa83b0963418fa17a8cf6c760631.tar.xz