Open charlespick opened 1 year ago
Can confirm, mail sent before registration complete.
I think there are issues on these lines: synapse/rest/client/register.py
For every flow they are inserting at position 0, so `registration_requires_token` and `enable_registration_captcha` are conflicting.
Any maintainer, please review and share whether I am right or there is some other issue!
Description: When a new user registers through a client like Element with 3pid email and reCAPTCHA turned on, the email verification gets sent immediately, before the user (or bot) has solved the captcha. This opens up the email infrastructure backing the Synapse instance to abuse. Lots of SMTP relays have monthly limits as well as monitoring of bounced emails and complaints. If you run your own mail system then you can get your IP blocked or a nasty email from your ISP. There is no reason to send the verification email before verifying that the user is a human, and presenting both of these tasks to the user at the same time is a sloppy user experience too.
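
The ordering the report asks for, sketched as an added example (not Synapse's code and not written by anyone in this thread): a hypothetical `RegistrationSession` refuses to queue the verification mail until the gate stages advertised alongside the email stage are complete. The class, the gate policy and the sample flows are assumptions; the stage names are Matrix auth types.

```python
# Added illustration; not Synapse code. Stage names are Matrix auth types.
RECAPTCHA = "m.login.recaptcha"
EMAIL = "m.login.email.identity"
TOKEN = "m.login.registration_token"
DUMMY = "m.login.dummy"

# Assumed policy: these stages must finish before any outbound verification mail.
GATE_STAGES = {RECAPTCHA, TOKEN}


def required_before_email(flows):
    """Gate stages advertised in any flow that also contains the email stage."""
    required = set()
    for flow in flows:
        if EMAIL in flow:
            required |= GATE_STAGES.intersection(flow)
    return required


class RegistrationSession:
    """Hypothetical per-session record of completed auth stages."""

    def __init__(self, flows):
        self.flows = flows
        self.completed = set()
        self.outbox = []  # stands in for the SMTP relay

    def complete(self, stage):
        self.completed.add(stage)

    def request_email_token(self, address):
        """Queue the verification mail only when every gate stage is done."""
        missing = required_before_email(self.flows) - self.completed
        if missing:
            return {"sent": False, "missing": sorted(missing)}
        self.outbox.append(address)
        return {"sent": True, "missing": []}


def demo():
    # Constructed flows: captcha and email verification both enabled.
    flows = [[RECAPTCHA, EMAIL], [RECAPTCHA, DUMMY]]
    session = RegistrationSession(flows)
    before = session.request_email_token("user@example.org")
    session.complete(RECAPTCHA)
    after = session.request_email_token("user@example.org")
    return before, after, session.outbox
```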