Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Make UIA grace period only apply to cross-signing requests #9754

Closed
richvdh opened this issue Apr 6, 2021 · 2 comments · Fixed by #10184
Closed

Make UIA grace period only apply to cross-signing requests #9754

richvdh opened this issue Apr 6, 2021 · 2 comments · Fixed by #10184
Labels
P3 (OBSOLETE: use S- labels.) Approved backlog: not yet scheduled, will accept patches T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements.

Comments

@richvdh
Copy link
Member

richvdh commented Apr 6, 2021

Matrix.org's Synapse now applies a grace period to user-interactive-authenticated requests (the logic is that you do not need to confirm that you are the legitimate owner of an access token if you have literally just been given that access token).

However, various people have angrily reported that it is now too easy to deactivate your account by accident, since clients incorrectly assume that there will be a UIA step before the deactivation takes place.

As a workaround, it is suggested that the UIA grace period should only apply to E2E key uploads.
@erikjohnston erikjohnston added the T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. label Apr 6, 2021
@erikjohnston erikjohnston mentioned this issue Apr 6, 2021
Closed
@turt2live
Copy link
Member

Related: matrix-org/matrix-spec-proposals#3105

@callahad callahad added the P3 (OBSOLETE: use S- labels.) Approved backlog: not yet scheduled, will accept patches label May 13, 2021
@turt2live turt2live mentioned this issue May 20, 2021
Closed
@ara4n
Copy link
Member

ara4n commented Jun 16, 2021

Hi, me and my friend encountered an issue with element. Basically we lost our accounts due to a bug on elements frontend client. I have demonstrated this issue twice on the web client. My friend encountered this issue on the mobile application. https://youtu.be/Hq2LEBjHz48
Due to this bug it is now impossible to recover our accounts or get our names back

cc @callahad to get this prioritised

@clokep clokep mentioned this issue Jun 16, 2021
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
P3 (OBSOLETE: use S- labels.) Approved backlog: not yet scheduled, will accept patches T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Only allow skipping UI auth for certain actions. matrix-org/synapse
5 participants
@callahad @turt2live @ara4n @richvdh @erikjohnston