Synapse doesn't require new_password on every call to /account/password, contrary to the spec. (But maybe this is a spec oversight?)

[DMRobertson]

Link to problem area:

• https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword

• synapse/synapse/rest/client/account.py

  Line 184 in 3ea5f1c

  new_password = body.pop("new_password", None)

  and nearby

The spec says that new_password is a required field.

new_password	string	Required: The new password for the account.

However, this endpoint is part of the user-interactive auth stuff, and Synapse only requires you to have provided new_password at least once during a sequence of calls to /account/password. If you've provided a new_password as part of the user-interactive auth, you don't have to provide it with later requests.

This is against the letter of the law as mandated by the spec (but perhaps not the spirit). This might also fall under the category of "user-interactive auth is weird; give us matrix-org/matrix-spec#636 please).

Noticed in #13183.

[richvdh]

This might also fall under the category of "user-interactive auth is weird; give us matrix-org/matrix-spec#636 please.

This, I think. I might be lacking context, but given password management in particular is going to be replaced by OIDC, it's not obviously a thing particularly worth worrying about right now.

[DMRobertson]

it's not obviously a thing particularly worth worrying about right now.

Agreed; just getting it written down somewhere for completeness (though the right place might be a spec issue).