Always require users to re-authenticate for dangerous operations. (#10184)

Dangerous actions means deactivating an account, modifying an account password, or adding a 3PID. Other actions (deleting devices, uploading keys) can re-use the same UI auth session if ui_auth.session_timeout is configured.
2025-05-05 02:14:59 -04:00 · 2021-06-16 11:07:28 -04:00 · 2021-06-16 11:07:28 -04:00 · 76f9c701c3
commit 76f9c701c3
parent b8b282aa32
6 changed files with 24 additions and 1 deletions
--- a/synapse/rest/client/v2_alpha/devices.py
+++ b/synapse/rest/client/v2_alpha/devices.py
@ -86,6 +86,9 @@ class DeleteDevicesRestServlet(RestServlet):
            request,
            body,
            "remove device(s) from your account",
+            # Users might call this multiple times in a row while cleaning up
+            # devices, allow a single UI auth session to be re-used.
+            can_skip_ui_auth=True,
        )

        await self.device_handler.delete_devices(
@ -135,6 +138,9 @@ class DeviceRestServlet(RestServlet):
            request,
            body,
            "remove a device from your account",
+            # Users might call this multiple times in a row while cleaning up
+            # devices, allow a single UI auth session to be re-used.
+            can_skip_ui_auth=True,
        )

        await self.device_handler.delete_device(requester.user.to_string(), device_id)