Always require users to re-authenticate for dangerous operations. (#10184)

Dangerous actions means deactivating an account, modifying an account password, or adding a 3PID. Other actions (deleting devices, uploading keys) can re-use the same UI auth session if ui_auth.session_timeout is configured.
author: Patrick Cloke <clokep@users.noreply.github.com> 2021-06-16 11:07:28 -0400
committer: GitHub <noreply@github.com> 2021-06-16 11:07:28 -0400
commit: 76f9c701c3920d83c0fe8f08b9197e2e92e12dad (patch)
tree: eea41aae32a58a9484d27b975982143b41d65231 /synapse/rest/client/v2_alpha/keys.py
parent: A guide to the request log lines format. (#8436) (diff)
download: synapse-76f9c701c3920d83c0fe8f08b9197e2e92e12dad.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/synapse/rest/client/v2_alpha/keys.py b/synapse/rest/client/v2_alpha/keys.py
index 4a28f2c072..33cf8de186 100644
--- a/synapse/rest/client/v2_alpha/keys.py
+++ b/synapse/rest/client/v2_alpha/keys.py
@@ -277,6 +277,9 @@ class SigningKeyUploadServlet(RestServlet):
             request,
             body,
             "add a device signing key to your account",
+            # Allow skipping of UI auth since this is frequently called directly
+            # after login and it is silly to ask users to re-auth immediately.
+            can_skip_ui_auth=True,
         )
 
         result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)
author	Patrick Cloke <clokep@users.noreply.github.com>	2021-06-16 11:07:28 -0400
committer	GitHub <noreply@github.com>	2021-06-16 11:07:28 -0400
commit	76f9c701c3920d83c0fe8f08b9197e2e92e12dad (patch)
tree	eea41aae32a58a9484d27b975982143b41d65231 /synapse/rest/client/v2_alpha/keys.py
parent	A guide to the request log lines format. (#8436) (diff)
download	synapse-76f9c701c3920d83c0fe8f08b9197e2e92e12dad.tar.xz