This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

require_auth_for_profile_requests not spec compliant #9006

Open
afranke opened this issue Jan 1, 2021 · 2 comments
Labels
A-Spec-Compliance places where synapse does not conform to the spec O-Occasional Affects or can be seen by some users regularly or most users rarely S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Other Questions, user support, anything else.

Comments

afranke commented Jan 1, 2021

In the spec, GET on /profile doesn’t require auth.
Synapse may in some configurations. There are several problems with that.

“Requires auth” is a binary thing in the spec, as far as I can see. That means that you should either require it or not, but you can’t depend on a server configuration option for that. Anyway, I don’t see how a client could guess whether a given server has the option enabled or not, so effectively having the option means the client should consider it is enabled and auth is required in all cases, even when that’s not the case.

There is also a comment for that configuration option that states that “this setting is of limited value if federation is enabled on the server” because “profile data is also available via the federation API”.

Considering all of the above, I suggest removing the configuration option. If the behaviour with it enabled is actually desired, and I don’t think it is, then please make it consistently behave that way and not depend on an option, and get the spec changed to match that as well.

kescherCode (Contributor) commented Jan 2, 2021

Some homeserver admins don't want to expose profile information to unauthenticated clients, others don't care. A client does not have to guess whether it's enabled or not, it can simply check. If it's unauthorized, tough luck, no profile information for you.

But yes, the spec should be adjusted to account for that.
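An added example, not part of the thread or of Synapse's code: a client-side profile lookup that works whether or not `require_auth_for_profile_requests` is enabled, by trying unauthenticated first and retrying with a token only on a 401 `M_MISSING_TOKEN`. The `http_get` transport, the fake homeserver, the `hs.example` names and the token are constructed for illustration, and the `r0` path is an assumption about the API version in use at the time.

```python
import json
from urllib.parse import quote

# Assumption: the r0 client-server path in use when this issue was filed.
PROFILE_PATH = "/_matrix/client/r0/profile/"

def _errcode(body):
    """Extract the Matrix errcode from a JSON error body, if there is one."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    return doc.get("errcode") if isinstance(doc, dict) else None

def get_profile(http_get, homeserver, user_id, access_token=None):
    """Fetch a profile, authenticating only if the server demands it.

    http_get is a hypothetical transport: http_get(url, headers) -> (status, body).
    """
    url = homeserver.rstrip("/") + PROFILE_PATH + quote(user_id, safe="")
    status, body = http_get(url, {})
    used_auth = False
    if status == 401 and _errcode(body) == "M_MISSING_TOKEN" and access_token:
        # The server requires auth for this endpoint: retry once with the token.
        status, body = http_get(url, {"Authorization": "Bearer " + access_token})
        used_auth = True
    if status == 200:
        return {"profile": json.loads(body), "used_auth": used_auth, "error": None}
    return {"profile": None, "used_auth": used_auth,
            "error": _errcode(body) or "HTTP_%d" % status}

def make_fake_homeserver(require_auth):
    """Constructed stand-in for a homeserver with the option on or off."""
    def http_get(url, headers):
        if require_auth and headers.get("Authorization") != "Bearer constructed-token":
            return 401, b'{"errcode": "M_MISSING_TOKEN", "error": "Missing access token"}'
        return 200, b'{"displayname": "Alice"}'
    return http_get

if __name__ == "__main__":
    for flag in (False, True):
        srv = make_fake_homeserver(flag)
        for token in (None, "constructed-token"):
            print(flag, token, get_profile(srv, "https://hs.example", "@alice:hs.example", token))
```
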

tulir (Member) commented Jan 7, 2021

matrix-org/matrix-spec-proposals#2949 is a proposal to make the current behavior spec compliant

@clokep clokep added the A-Spec-Compliance places where synapse does not conform to the spec label Jan 11, 2021
@MadLittleMods MadLittleMods changed the title require_auth_for_profile_requests not spec compliant require_auth_for_profile_requests not spec compliant Dec 8, 2022
@DMRobertson DMRobertson added S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Other Questions, user support, anything else. O-Occasional Affects or can be seen by some users regularly or most users rarely labels Dec 13, 2022