Clarify guest accounts and auth usage on /register
#2055
Conversation
| @@ -194,6 +198,18 @@ paths: | |||
| The homeserver requires additional authentication information. | |||
| schema: | |||
| "$ref": "definitions/auth_response.yaml" | |||
| 403: | |||
There was a problem hiding this comment.
grim that this is 403, but if it's what synapse does then it's what the spec needs to say. :(
There was a problem hiding this comment.
sadly, it is what synapse does.
There was a problem hiding this comment.
what do you think it should be?
I don't necessarily think that, just because synapse does it, that the spec needs to say so. Any client currently relying on it being a 403 is prone to being broken anyway due to relying on unspecified behaviour, so we have the option of making the spec right and fixing synapse later.
There was a problem hiding this comment.
speaking of clients which rely on unspecified behaviour:
if (e.httpStatus === 403 && e.errcode === "M_UNKNOWN") {
this.setState({
errorText: _t("Registration has been disabled on this homeserver."),
});
}
thanks, react-sdk.
I've also spent a fair amount of time re-reading the http spec, and 403 seems like the most correct answer. It doesn't feel right, but a different error code seems more wrong.
|
asking for server-side review |
| @@ -194,6 +198,18 @@ paths: | |||
| The homeserver requires additional authentication information. | |||
| schema: | |||
| "$ref": "definitions/auth_response.yaml" | |||
| 403: | |||
There was a problem hiding this comment.
what do you think it should be?
I don't necessarily think that, just because synapse does it, that the spec needs to say so. Any client currently relying on it being a 403 is prone to being broken anyway due to relying on unspecified behaviour, so we have the option of making the spec right and fixing synapse later.
| @@ -29,7 +29,8 @@ paths: | |||
| post: | |||
| summary: Register for an account on this homeserver. | |||
| description: |- | |||
| This API endpoint uses the `User-Interactive Authentication API`_. | |||
| This API endpoint uses the `User-Interactive Authentication API`_, except in | |||
There was a problem hiding this comment.
I'm not entirely convinced that we should be forbidding UIA for guest registration. Why would we not want to allow servers to present a captcha for guest registration?
There was a problem hiding this comment.
only that synapse doesn't permit it, and clients expect to be able to get a guest account without login UX (see: riot registering one in the background for the last N years).
There was a problem hiding this comment.
I'm still a bit unconvinced, but ok.
Fixes #1980
Fixes #1984