Add restrictions by default to open registration in Synapse (#12091)

2025-06-01 15:15:32 -04:00 · 2022-03-25 10:11:01 -07:00 · 2022-03-25 10:11:01 -07:00 · 3c41d87b67
commit 3c41d87b67
parent 7ca8ee67a5
7 changed files with 67 additions and 4 deletions
--- a/synapse/app/homeserver.py
+++ b/synapse/app/homeserver.py
@ -351,6 +351,23 @@ def setup(config_options: List[str]) -> SynapseHomeServer:
    if config.server.gc_seconds:
        synapse.metrics.MIN_TIME_BETWEEN_GCS = config.server.gc_seconds

+    if (
+        config.registration.enable_registration
+        and not config.registration.enable_registration_without_verification
+    ):
+        if (
+            not config.captcha.enable_registration_captcha
+            and not config.registration.registrations_require_3pid
+            and not config.registration.registration_requires_token
+        ):
+
+            raise ConfigError(
+                "You have enabled open registration without any verification. This is a known vector for "
+                "spam and abuse. If you would like to allow public registration, please consider adding email, "
+                "captcha, or token-based verification. Otherwise this check can be removed by setting the "
+                "`enable_registration_without_verification` config option to `true`."
+            )
+
    hs = SynapseHomeServer(
        config.server.server_name,
        config=config,
--- a/synapse/config/registration.py
+++ b/synapse/config/registration.py
@ -33,6 +33,10 @@ class RegistrationConfig(Config):
                str(config["disable_registration"])
            )

+        self.enable_registration_without_verification = strtobool(
+            str(config.get("enable_registration_without_verification", False))
+        )
+
        self.registrations_require_3pid = config.get("registrations_require_3pid", [])
        self.allowed_local_3pids = config.get("allowed_local_3pids", [])
        self.enable_3pid_lookup = config.get("enable_3pid_lookup", True)
@ -207,10 +211,18 @@ class RegistrationConfig(Config):
        # Registration can be rate-limited using the parameters in the "Ratelimiting"
        # section of this file.

-        # Enable registration for new users.
+        # Enable registration for new users. Defaults to 'false'. It is highly recommended that if you enable registration,
+        # you use either captcha, email, or token-based verification to verify that new users are not bots. In order to enable registration
+        # without any verification, you must also set `enable_registration_without_verification`, found below.
        #
        #enable_registration: false

+        # Enable registration without email or captcha verification. Note: this option is *not* recommended,
+        # as registration without verification is a known vector for spam and abuse. Defaults to false. Has no effect
+        # unless `enable_registration` is also enabled.
+        #
+        #enable_registration_without_verification: true
+
        # Time that a user's session remains valid for, after they log in.
        #
        # Note that this is not currently compatible with guest logins.