Remove ultimately unused feature of saving params from the first call in the session: it's probably too open to abuse.

pull/4/merge
David Baker 10 years ago
parent a2c10d37d7
commit 0eb61a3d16
  1. 12
      synapse/handlers/auth.py

@ -78,8 +78,16 @@ class AuthHandler(BaseHandler):
sess = self._get_session_info(sid) sess = self._get_session_info(sid)
if len(clientdict) > 0: if len(clientdict) > 0:
sess['clientdict'] = clientdict # This was designed to allow the client to omit the parameters
self._save_session(sess) # and just supply the session in subsequent calls so it split
# auth between devices by just sharing the session, (eg. so you
# could continue registration from your phone having clicked the
# email auth link on there). It's probably too open to abuse
# because it lets unauthenticated clients store arbitrary objects
# on a home server.
#sess['clientdict'] = clientdict
#self._save_session(sess)
pass
elif 'clientdict' in sess: elif 'clientdict' in sess:
clientdict = sess['clientdict'] clientdict = sess['clientdict']
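Review bot: The `elif 'clientdict' in sess:` branch still reads stored parameters although the `if` branch above it no longer writes them, so the stored-params path the commit message calls too open to abuse stays live for any session that already holds a `clientdict`. Whether such sessions can exist depends on how `_get_session_info` and `_save_session` persist data, which this hunk does not show. I would delete the `elif` branch together with the `if len(clientdict) > 0:` block, whose body is now only `pass` and two commented-out statements. The rationale can stay as one comment, for example `# Client params are deliberately not persisted in the session: unauthenticated clients must not be able to store arbitrary objects on the home server.` The enclosing method starts and ends outside the hunk, so any later use of `sess['clientdict']` should be checked as well.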
