diff --git a/synapse/__init__.py b/synapse/__init__.py
index 6cd16a820b..977e26a048 100644
--- a/synapse/__init__.py
+++ b/synapse/__init__.py
@@ -36,7 +36,7 @@ try:
except ImportError:
pass
-__version__ = "1.13.0rc1"
+__version__ = "1.13.0rc2"
if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
# We import here so that we don't have to install a bunch of deps when
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 65c66a00b1..524281d2f1 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -252,7 +252,6 @@ class AuthHandler(BaseHandler):
clientdict: Dict[str, Any],
clientip: str,
description: str,
- validate_clientdict: bool = True,
) -> Tuple[dict, dict, str]:
"""
Takes a dictionary sent by the client in the login / registration
@@ -278,10 +277,6 @@ class AuthHandler(BaseHandler):
description: A human readable string to be displayed to the user that
describes the operation happening on their account.
- validate_clientdict: Whether to validate that the operation happening
- on the account has not changed. If this is false,
- the client dict is persisted instead of validated.
-
Returns:
A tuple of (creds, params, session_id).
@@ -346,26 +341,30 @@ class AuthHandler(BaseHandler):
# Ensure that the queried operation does not vary between stages of
# the UI authentication session. This is done by generating a stable
- # comparator based on the URI, method, and client dict (minus the
- # auth dict) and storing it during the initial query. Subsequent
+ # comparator and storing it during the initial query. Subsequent
# queries ensure that this comparator has not changed.
- if validate_clientdict:
- session_comparator = (session.uri, session.method, session.clientdict)
- comparator = (uri, method, clientdict)
- else:
- session_comparator = (session.uri, session.method) # type: ignore
- comparator = (uri, method) # type: ignore
-
- if session_comparator != comparator:
+ #
+ # The comparator is based on the requested URI and HTTP method. The
+ # client dict (minus the auth dict) should also be checked, but some
+ # clients are not spec compliant, just warn for now if the client
+ # dict changes.
+ if (session.uri, session.method) != (uri, method):
raise SynapseError(
403,
"Requested operation has changed during the UI authentication session.",
)
- # For backwards compatibility the registration endpoint persists
- # changes to the client dict instead of validating them.
- if not validate_clientdict:
- await self.store.set_ui_auth_clientdict(sid, clientdict)
+ if session.clientdict != clientdict:
+ logger.warning(
+ "Requested operation has changed during the UI "
+ "authentication session. A future version of Synapse "
+ "will remove this capability."
+ )
+
+ # For backwards compatibility, changes to the client dict are
+ # persisted as clients modify them throughout their user interactive
+ # authentication flow.
+ await self.store.set_ui_auth_clientdict(sid, clientdict)
if not authdict:
raise InteractiveAuthIncompleteError(
diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py
index e77dd6bf92..af08cc6cce 100644
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@@ -516,7 +516,6 @@ class RegisterRestServlet(RestServlet):
body,
self.hs.get_ip_from_request(request),
"register a new account",
- validate_clientdict=False,
)
# Check that we're not trying to register a denied 3pid.
diff --git a/synapse/storage/data_stores/main/roommember.py b/synapse/storage/data_stores/main/roommember.py
index 04ffdcf934..48810a3e91 100644
--- a/synapse/storage/data_stores/main/roommember.py
+++ b/synapse/storage/data_stores/main/roommember.py
@@ -566,7 +566,8 @@ class RoomMemberWorkerStore(EventsWorkerStore):
if key[0] == EventTypes.Member
]
for etype, state_key in context.delta_ids:
- users_in_room.pop(state_key, None)
+ if etype == EventTypes.Member:
+ users_in_room.pop(state_key, None)
# We check if we have any of the member event ids in the event cache
# before we ask the DB
|
