synapse requires unspecified `user` for m.login.password UI auth

Created on 11 Jul 2019 · 14 Comments · Source: matrix-org/synapse

The spec says that the client should submit a dict including an identifier object. In practice, synapse requires you to instead just submit a user field, so the dict looks like:

{
  "type": "m.login.password",
  "user": "<user_id or user localpart>",
  "password": "<password>",
  "session": "<session ID>"
}
bug spec compliance
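A sketch of the lookup this issue asks for, as an added example that is not Synapse's code: it reads the spec's `identifier` object first, falls back to the legacy top-level `user`, and refuses a dict in which the two name different users. The function and exception names are hypothetical, only `m.id.user` identifiers are handled, and rejecting on mismatch (plain string comparison, no localpart normalization) is an assumption of this example rather than spec or Synapse behaviour.

```python
from typing import Any, Optional


class AuthDictError(ValueError):
    """The auth dict is malformed or ambiguous (hypothetical name)."""


def resolve_password_auth_user(auth: dict) -> str:
    """Return the user named by an m.login.password UI auth dict.

    Prefers the spec's `identifier` object, falls back to the legacy
    top-level `user`, and rejects dicts where the two disagree.
    """
    if auth.get("type") != "m.login.password":
        raise AuthDictError("not an m.login.password stage")
    if not isinstance(auth.get("password"), str):
        raise AuthDictError("missing password")
    legacy: Any = auth.get("user")
    if legacy is not None and not isinstance(legacy, str):
        raise AuthDictError("user must be a string")
    ident = auth.get("identifier")
    from_ident: Optional[str] = None
    if ident is not None:
        # Assumption: only the m.id.user identifier type is handled here.
        if not isinstance(ident, dict) or ident.get("type") != "m.id.user":
            raise AuthDictError("unsupported identifier")
        from_ident = ident.get("user")
        if not isinstance(from_ident, str) or not from_ident:
            raise AuthDictError("identifier.user must be a non-empty string")
    if from_ident is None and not legacy:
        raise AuthDictError("no identifier or user supplied")
    if from_ident is not None and legacy is not None and from_ident != legacy:
        # Never pick one silently: the password must be verified against
        # the same account that every other layer believes is authenticating.
        raise AuthDictError("identifier and user disagree")
    return from_ident if from_ident is not None else legacy


if __name__ == "__main__":
    # Constructed sample: a client sending both formats, as riot-web does.
    sample = {
        "type": "m.login.password",
        "identifier": {"type": "m.id.user", "user": "alice"},
        "user": "alice",
        "password": "correct horse",
        "session": "constructed-session-id",
    }
    print(resolve_password_auth_user(sample))
```

The caller should still confirm that the resolved user is the account making the request before checking the password.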

All 14 comments

Note that riot-web currently relies on the broken impl working (https://github.com/vector-im/riot-web/issues/10312)

Also applies to threepidCreds on MSISDN (see https://github.com/matrix-org/matrix-react-sdk/pull/3211)

> Note that riot-web currently relies on the broken impl working (vector-im/riot-web#10312)

This is no longer true: riot-web submits both formats, and should continue to work when we fix this.

FTR RiotX uses the identifier object

It's obviously easy to do so, but I'm having to work around this in riot web now.

So, riot-web has been sending both user and identifier for a while. Can the user parameter be removed as a requirement and just be optional, so that clients correctly implementing the spec can work with synapse?

(Making this optional will not break clients)

https://github.com/matrix-org/synapse/pull/8182 is one part of this and is currently in review.

> Also applies to threepidCreds on MSISDN (see matrix-org/matrix-react-sdk#3211)

@turt2live: please can you help me out here: I can't figure out which endpoint is being called with what parameters, and what the correct behaviour is. (it sounds like a separate problem: better to open a separate issue?)

Between that PR and the others (https://github.com/matrix-org/matrix-react-sdk/pull/4667 and company) there's a fairly wide range of endpoints. The threepidCreds thing is most apparent on password resets or anything having UIA and email addresses as a flow. The user thing is most obvious on account deactivation, but can also be a case for changing passwords in the app (not reset, changing) as well.

The undocumented user object is more or less at the wrong place compared to the spec, so Synapse just needs to change its lookup. The threepidCreds problem is similar in that it's just spelled wrong between the spec and synapse's expectations.

@turt2live: ok, to save readers of this issue (including myself) trying to reverse-engineer the problem from react-sdk PRs, please can you try to give some specific examples. The spec says threepidCreds in some places and three_pid_creds in others. What is synapse expecting, and what should it be expecting?

Again I think this is orthogonal to user so I'd encourage you to open a new issue.

I don't have the context to be able to write up that issue anymore, sorry.
