author | David Baker <dave@matrix.org> | 2015-04-23 14:44:12 +0100 |
---|---|---|
committer | David Baker <dave@matrix.org> | 2015-04-23 14:44:12 +0100 |
commit | 0eb61a3d16bffa83b0963418fa17a8cf6c760631 (patch) | |
tree | e7578a30df2784f8cddfa8ea798baced2e924a42 /synapse | |
parent | Add an error code to 'missing token' response. (diff) | |
Remove ultimately unused feature of saving params from the first call in the session: it's probably too open to abuse.
Diffstat (limited to 'synapse')
-rw-r--r-- | synapse/handlers/auth.py | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 7b0ab4829b..ac07add2f7 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -78,8 +78,16 @@ class AuthHandler(BaseHandler):
 sess = self._get_session_info(sid)
 if len(clientdict) > 0:
- sess['clientdict'] = clientdict
- self._save_session(sess)
+ # This was designed to allow the client to omit the parameters
+ # and just supply the session in subsequent calls so it split
+ # auth between devices by just sharing the session, (eg. so you
+ # could continue registration from your phone having clicked the
+ # email auth link on there). It's probably too open to abuse
+ # because it lets unauthenticated clients store arbitrary objects
+ # on a home server.
+ #sess['clientdict'] = clientdict
+ #self._save_session(sess)
+ pass
 elif 'clientdict' in sess:
 clientdict = sess['clientdict'] |
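Review bot: The `elif 'clientdict' in sess:` branch that follows the new `pass` still reads stored parameters back out of the session, although the write side is now commented out. If nothing else in the handler sets `sess['clientdict']` (not visible from this hunk), that branch is dead code; if a session saved before this change still carries the key, a later call that omits its parameters would pick up the old ones, which is the behaviour this commit sets out to remove. I would delete the `elif` branch together with the commented-out `#sess['clientdict'] = clientdict` and `#self._save_session(sess)` lines, and keep the explanation as a plain comment rather than under `if len(clientdict) > 0: pass`. The enclosing method begins and ends outside the hunk.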