Sorunome opened this issue 4 years ago (status: Open)
### Description

User-Interactive auth stages can be completed out-of-order, which is not spec-conformant.

### Steps to reproduce

1. POST to `/register` to get a session id.
2. POST to `/register`, completing the `m.login.dummy` auth, even though that is out of order.

```
sorunome@sorunome-desktop ~ $ curl -X POST -H "Content-Type: application/json" -d '{}' https://matrix.org/_matrix/client/r0/register
{
  "flows": [
    { "stages": [ "m.login.recaptcha", "m.login.terms", "m.login.dummy" ] },
    { "stages": [ "m.login.recaptcha", "m.login.terms", "m.login.email.identity" ] }
  ],
  "params": {
    "m.login.recaptcha": { "public_key": "6LcgI54UAAAAABGdGmruw6DdOocFpYVdjYBRe4zb" },
    "m.login.terms": {
      "policies": {
        "privacy_policy": {
          "en": { "name": "Terms and Conditions", "url": "https://matrix-client.matrix.org/_matrix/consent?v=1.0" },
          "version": "1.0"
        }
      }
    }
  },
  "session": "EhIvEQDoTuGsTKhslrPQJMpE"
}
sorunome@sorunome-desktop ~ $ curl -X POST -H "Content-Type: application/json" -d '{"auth": {"type": "m.login.dummy", "session": "EhIvEQDoTuGsTKhslrPQJMpE"}}' https://matrix.org/_matrix/client/r0/register
{
  "completed": [ "m.login.dummy" ],
  "flows": [
    { "stages": [ "m.login.recaptcha", "m.login.terms", "m.login.dummy" ] },
    { "stages": [ "m.login.recaptcha", "m.login.terms", "m.login.email.identity" ] }
  ],
  "params": {
    "m.login.recaptcha": { "public_key": "6LcgI54UAAAAABGdGmruw6DdOocFpYVdjYBRe4zb" },
    "m.login.terms": {
      "policies": {
        "privacy_policy": {
          "en": { "name": "Terms and Conditions", "url": "https://matrix-client.matrix.org/_matrix/consent?v=1.0" },
          "version": "1.0"
        }
      }
    }
  },
  "session": "EhIvEQDoTuGsTKhslrPQJMpE"
}
```

### Version information

current live matrix.org instance

```
sorunome@sorunome-desktop ~ $ curl https://matrix.org/_matrix/federation/v1/version
{ "server": { "name": "Synapse", "version": "1.8.0 (b=matrix-org-hotfixes,a099ab7d3)" } }
```
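To make the ordering point concrete, here is an added example (not Synapse's own code, and not from the issue author) that models a UIA session in two modes: a strict check in which a stage is accepted only when it is the next stage of at least one advertised flow, and the permissive behaviour the transcript above shows, where any stage of any flow is accepted at any time. The `UiaSession` class, `strict_check`, `permissive_check`, `replay_issue` and the simplified `M_FORBIDDEN` response shape are assumptions made for the example; the flows are the ones returned by `/register` in the transcript.

```python
"""In-order enforcement for Matrix User-Interactive Auth (UIA) stages.

Added example, not Synapse's own code.  It models the check the issue says
the spec requires (a stage may only be completed when it is the next stage
of at least one advertised flow) beside the permissive behaviour shown in
the transcript (any stage of any flow is accepted at any time).
"""
from typing import Callable, List, Optional, Set

# Flows exactly as advertised by /register in the issue's transcript.
FLOWS: List[List[str]] = [
    ["m.login.recaptcha", "m.login.terms", "m.login.dummy"],
    ["m.login.recaptcha", "m.login.terms", "m.login.email.identity"],
]


def next_stages(flows: List[List[str]], completed: List[str]) -> Set[str]:
    """Stages that may be completed next, given the ordered completion history.

    A flow is still live only if the completed stages are exactly its prefix;
    each live flow contributes its next stage.
    """
    n = len(completed)
    return {stages[n] for stages in flows if n < len(stages) and stages[:n] == completed}


def strict_check(flows: List[List[str]], completed: List[str], stage: str) -> Optional[str]:
    """Spec-style check: None if `stage` is acceptable now, else an error reason."""
    allowed = next_stages(flows, completed)
    if stage in allowed:
        return None
    if not allowed:
        return "completed stages match no advertised flow"
    return f"{stage} is out of order; expected one of {sorted(allowed)}"


def permissive_check(flows: List[List[str]], completed: List[str], stage: str) -> Optional[str]:
    """Behaviour the transcript shows: any stage from any flow is accepted at any time."""
    if any(stage in stages for stages in flows):
        return None
    return f"{stage} is not a stage of any advertised flow"


def flow_satisfied(flows: List[List[str]], completed: List[str], ordered: bool = True) -> bool:
    """Whether some flow is fully completed (as an ordered prefix, or as a mere set)."""
    if ordered:
        return any(completed[: len(stages)] == stages for stages in flows)
    return any(set(stages) <= set(completed) for stages in flows)


class UiaSession:
    """Minimal session record (constructed): the ordered history of completed stages."""

    def __init__(self, flows: List[List[str]], strict: bool = True) -> None:
        self.flows = flows
        self.strict = strict
        self.completed: List[str] = []
        self.check: Callable[..., Optional[str]] = strict_check if strict else permissive_check

    def submit(self, stage: str) -> dict:
        """Handle one auth submission; returns a simplified /register-style response."""
        err = self.check(self.flows, self.completed, stage)
        if err is not None:
            # Simplified error shape (assumption): the real endpoint answers 401 with a UIA body.
            return {"errcode": "M_FORBIDDEN", "error": err, "completed": list(self.completed)}
        self.completed.append(stage)
        return {
            "completed": list(self.completed),
            "done": flow_satisfied(self.flows, self.completed, ordered=self.strict),
        }


def replay_issue(strict: bool) -> dict:
    """Replay the issue's second request (m.login.dummy as the very first stage) on a fresh session."""
    return UiaSession(FLOWS, strict=strict).submit("m.login.dummy")


if __name__ == "__main__":
    print("permissive:", replay_issue(strict=False))  # accepted, as on matrix.org
    print("strict:    ", replay_issue(strict=True))   # rejected: recaptcha must come first
```

In strict mode the session refuses `m.login.dummy` on a fresh session because `next_stages` only offers `m.login.recaptcha`; in permissive mode it records the stage exactly as the transcript's `"completed": ["m.login.dummy"]` shows. The `ordered` flag on `flow_satisfied` captures the other half of the difference: a permissive server has to decide completion by set membership, which is what makes stage order irrelevant to it.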
From what I've heard several clients rely on arbitrary stage order being allowed for UIA stages. I'm wondering if it wouldn't make more sense to change the spec to align with how UIA is commonly used in practice.