Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Drop support for calling /_matrix/client/v3/account/3pid/bind without an id_access_token #13201

Closed
richvdh opened this issue Jul 6, 2022 · 3 comments · Fixed by #13239
Closed

Drop support for calling /_matrix/client/v3/account/3pid/bind without an id_access_token #13201

richvdh opened this issue Jul 6, 2022 · 3 comments · Fixed by #13239
Labels
A-Spec-Compliance places where synapse does not conform to the spec P3 (OBSOLETE: use S- labels.) Approved backlog: not yet scheduled, will accept patches T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. Z-Help-Wanted We know exactly how to fix this issue, and would be grateful for any contribution

Comments

@richvdh
Copy link
Member

richvdh commented Jul 6, 2022
edited
Loading

The spec has required an id_access_token param for /account/3pid/bind ever since it was introduced to the spec in matrix-org/matrix-spec-proposals#2328.

We currently accept requests without an id_access_token, and then call /_matrix/identity/api/v1/3pid/bind, which was removed from the spec over a year ago (msc2713).

Instead, we should simply reject any requests that do not pass an id_access_token.
@richvdh
Copy link
Member Author

richvdh commented Jul 6, 2022

I've been unable to find any outgoing requests to /_matrix/identity/api/v1/3pid/bind (other than as a fallback when /_matrix/identity/api/v2/3pid/bind 404s, see https://github.com/matrix-org/synapse/blob/v1.62.0/synapse/handlers/identity.py#L235-L238) on matrix.org in the last week, so I think we can assume this is unused.

@richvdh richvdh added Z-Help-Wanted We know exactly how to fix this issue, and would be grateful for any contribution A-Spec-Compliance places where synapse does not conform to the spec P3 (OBSOLETE: use S- labels.) Approved backlog: not yet scheduled, will accept patches T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. labels Jul 6, 2022
@richvdh
Copy link
Member Author

richvdh commented Jul 6, 2022

(while we're at it, we should remove that fallback to /_matrix/identity/api/v1/3pid/bind)

@richvdh
Copy link
Member Author

richvdh commented Jul 6, 2022

Part of #9677

@richvdh richvdh mentioned this issue Jul 6, 2022
Open
@Vetchu Vetchu mentioned this issue Jul 11, 2022
Merged
4 tasks
richvdh pushed a commit that referenced this issue Jul 12, 2022
@Vetchu
Drop support for calling /_matrix/client/v3/account/3pid/bind witho…
7218a0c 
…ut an `id_access_token` (#13239)

Fixes #13201

Signed-off-by: Jacek Kusnierz [email protected]
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
A-Spec-Compliance places where synapse does not conform to the spec P3 (OBSOLETE: use S- labels.) Approved backlog: not yet scheduled, will accept patches T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. Z-Help-Wanted We know exactly how to fix this issue, and would be grateful for any contribution
Projects
None yet
Milestone
No milestone
1 participant
@richvdh