polling /register to check if email verification is complete is CPU intensive #7956
Comments
ara4n
changed the title
anoadragon453
added
z-p2
|
The benefit for the client sending the password here is that once the email is verified, the check call will result in complete account registration. There's no "ok, the email's finally verified. Let's make the final call to finish account registration". It all just happens in one call once the email is verified - so it makes sense for the client to be doing this. Thus I think this should be on us to fix server-side, and from discussion surrounding it on matrix doesn't seem impossible for any reason. |
|
I poked a little bit and it should be doable. The code there is already a bit confusing so not sure it'll make it worse. 😉 |
clokep
changed the title
I think this is the real solution, FWIW. If you're only polling to see if it is complete yet, passing the session ID should be enough. Anyway, having looked at the code this is all a bit complicated since we seem to have a lot of backwards compatibility hacks:
Note that it is a bit unclear whether the no-auth parameters need to be passed each time or if they should only be passed once. I think we've had past conversation about this, but I don't remember where they landed. I'm not seeing a great way to know whether or not the password is "new" (and thus needs to be hashed vs. discarded), but I'll look again after clearing my head. |
Element polls /register to see whether your email verification link has been clicked or not. Apparently we submit the password every time we do so, and /register hashes that with bcrypt every time, meaning you can easily use >100% CPU with people just trying to sign up. Surely we should not re-hash every time, and/or not submit a password every time, given we're just polling to check if the link has been clicked...
The text was updated successfully, but these errors were encountered: