Add restrictions by default to open registration in Synapse (#12091)

2025-05-02 08:46:04 -04:00 · 2022-03-25 10:11:01 -07:00 · 2022-03-25 10:11:01 -07:00 · 3c41d87b67
commit 3c41d87b67
parent 7ca8ee67a5
7 changed files with 67 additions and 4 deletions
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -1218,10 +1218,18 @@ oembed:
 # Registration can be rate-limited using the parameters in the "Ratelimiting"
 # section of this file.

-# Enable registration for new users.
+# Enable registration for new users. Defaults to 'false'. It is highly recommended that if you enable registration,
+# you use either captcha, email, or token-based verification to verify that new users are not bots. In order to enable registration
+# without any verification, you must also set `enable_registration_without_verification`, found below.
 #
 #enable_registration: false

+# Enable registration without email or captcha verification. Note: this option is *not* recommended,
+# as registration without verification is a known vector for spam and abuse. Defaults to false. Has no effect
+# unless `enable_registration` is also enabled.
+#
+#enable_registration_without_verification: true
+
 # Time that a user's session remains valid for, after they log in.
 #
 # Note that this is not currently compatible with guest logins.
--- a/docs/upgrade.md
+++ b/docs/upgrade.md
@ -108,6 +108,12 @@ for more information and instructions on how to fix a database with incorrect va

 # Upgrading to v1.55.0

+## Open registration without verification is now disabled by default
+
+Synapse will refuse to start if registration is enabled without email, captcha, or token-based verification unless the new config 
+flag `enable_registration_without_verification` is set to "true".
+
+
 ## `synctl` script has been moved

 The `synctl` script