Registration failure: M_MISSING_PARAM password_hash #13990

Closed
lampholder opened this issue Jun 11, 2020 · 8 comments · Fixed by matrix-org/matrix-js-sdk#1403

Comments

@lampholder
Member

I fill the form and the confirmation email arrives. But when I click the link and the captcha, an error message appears briefly and I am stuck at the spinner in the 'Create your account' page. The error is shown in the console:

Background poll request failed doing UI auth: ignoring M_MISSING_PARAM: Missing params: ['password_hash']
@clokep

clokep commented Jun 11, 2020

This sounds like it might be a Synapse issue when email confirmations are required for registration? Or perhaps with the captcha being enabled. It'd be good to see the request logs to see what's going on here though.

@lampholder
Member Author

Email confirmations are required for registration on this homeserver - captcha is probably enabled. I can also confirm that this didn't affect every registration - 4 other registrations occurred successfully.

@Half-Shot
Member

(CC: @clokep)
Had a look at synapse logging and seeing a typical

Auth completed with creds: {'m.login.recaptcha': True, 'm.login.terms': True, 'm.login.email.identity': {'medium': 'email', 'address': '[email protected]', 'validated_at': 1591952929672, 'threepid_creds': {'sid': 'sadassd', 'client_secret': 'sdasdasd'}}}. Client dict has keys: []
2020-06-11 10:37:40,339 - synapse.http.server - 81 - INFO - - <XForwardedForRequest at 0x7fa71ab0a2d0 method='POST' uri='/_matrix/client/r0/register' clientproto='HTTP/1.1' site=8008> SynapseError: 400 - Missing params: ['password_hash']

There was also a Requested operation has changed during the UI authentication session. A future version of Synapse will remove this capability. warning message before this.

It should also be noted that these errors occurred on Monolith hosts, not workerized ones.

@clokep

clokep commented Jun 12, 2020

Thanks for the info! I was able to reproduce this locally! 👍

@Half-Shot
Member

Huzzah! Do you need to do anything special to cause this?

@clokep

clokep commented Jun 12, 2020

I've been able to reproduce this with the following:

  1. Fill in the registration form (name, password, email).
  2. Click on the email link.
  3. Accept the ToS.
  4. See the error reported.

Still investigating, but it seems that when clicking on the link a new UIAuth session ID gets generated (so we don't have access to the password provided during registration).

@clokep

clokep commented Jun 12, 2020

What I'm seeing when I test this locally is the following happen:

  1. GET to /register to load the form and such.
  2. POST to /register with user, password, email and initial device display name. This returns a 401 with the flows and the session ID for user interactive authentication (UI Auth) (OOiUhjxjcOltfqrSdDlklcrw in this case).
  3. POST to /requestToken with email, client_secret, send_attempt. This returns a 200 with a sid (note that this also stands for "session ID", but is for a 3PID validation session not UI Auth).
  4. (At this point Synapse sends an email with a link to click.)
  5. (At this point Riot Web starts polling /register with the same info from step 2, but including the session ID: OOiUhjxjcOltfqrSdDlklcrw, each response is a 401.)
  6. Click on the link to validate the email.
  7. (Not sure if this is important, but a new tab gets opened.)
  8. GET to /registration/email/submit_token with the token, client secret, and sid as query parameters. Returns a 302 redirect to https://riot.im/app/#/register?client_secret=<redacted>&hs_url=http%3A%2F%2Flocalhost%3A8080&is_url=https%3A%2F%2Fvector.im&session_id=OOiUhjxjcOltfqrSdDlklcrw&sid=LcvDOlMazhWrmcyb.
  9. POST to /register is made with initial device display name. This returns a 401 with the flows and a new session ID for UI Auth (zvfkhNlwjSbZLSPZaDrZdMEJ in this case).

So it looks like Riot web isn't using the session_id from the redirect URL to continue the same authentication session. I don't know if something changed in Riot Web to cause this or if behavior in Synapse is being "stricter" in some sense.
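
The session mismatch in the trace above, reduced to a runnable model; this is an added example, not code from the thread, Synapse or matrix-js-sdk. `ToyHomeserver`, `paramsFromRedirect`, `completeFromRedirect` and `demo` are hypothetical names, the URL and credentials are constructed, and the model accepts the email stage without validating it.

```javascript
// Toy model of server-side UI Auth state (hypothetical; not Synapse code).
class ToyHomeserver {
  constructor() { this.sessions = new Map(); this.next = 1; }

  // POST /register. Parameters are remembered per UI Auth session.
  register(body) {
    const auth = body.auth || {};
    let s = this.sessions.get(auth.session);
    if (!s) { // unknown or absent session ID: start a fresh, empty session
      s = { id: `uia-${this.next++}`, params: {}, done: new Set() };
      this.sessions.set(s.id, s);
    }
    // A real server stores a salted hash; the model only records that one exists.
    if (body.password) s.params.password_hash = '<constructed-hash>';
    if (auth.type) s.done.add(auth.type); // assumption: stage is not verified here
    if (!s.done.has('m.login.email.identity')) return { status: 401, body: { session: s.id } };
    if (!s.params.password_hash) return { status: 400, body: { errcode: 'M_MISSING_PARAM' } };
    return { status: 200, body: {} };
  }
}

// The redirect from step 8 carries its parameters inside the URL fragment.
function paramsFromRedirect(url) {
  const fragment = new URL(url).hash; // "#/register?client_secret=..."
  const q = fragment.indexOf('?');
  return new URLSearchParams(q === -1 ? '' : fragment.slice(q + 1));
}

// Finish registration in the new tab; reuseSession selects fixed vs. buggy client.
function completeFromRedirect(hs, redirectUrl, reuseSession) {
  const p = paramsFromRedirect(redirectUrl);
  const session = reuseSession
    ? p.get('session_id') // resume the session that holds the password
    : hs.register({ initial_device_display_name: 'tab 2' }).body.session; // step 9
  return hs.register({ auth: {
    type: 'm.login.email.identity', session,
    threepid_creds: { sid: p.get('sid'), client_secret: p.get('client_secret') },
  } });
}

// Constructed walk-through: step 2 of the trace, then the redirect from step 8.
function demo() {
  const hs = new ToyHomeserver();
  const first = hs.register({ username: 'alice', password: 'constructed-pw' });
  const url = 'https://client.example/#/register?client_secret=cs'
    + `&session_id=${first.body.session}&sid=s1`;
  const buggy = completeFromRedirect(hs, url, false);
  const fixed = completeFromRedirect(hs, url, true);
  return { buggy, fixed };
}
```

With `reuseSession` false the final request lands on a session that never saw the password and gets the 400; with it true the original session completes.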

@clokep

clokep commented Jun 12, 2020

I reproduced this by using the Synapse demo scripts and modifying the config a bit:

On a checkout of Synapse:

  1. ./demo/start.sh
  2. ./demo/stop.sh
  3. Modify demo/etc/8080.config:
    1. Enable the user_consent block, I used a config like:
    user_consent:
      template_dir: res/templates/privacy
      version: 1.0
      require_at_registration: true
      policy_name: Privacy Policy
    2. mkdir -p demo/8080/res/templates/privacy/en
    3. echo "Privacy Policy" > demo/8080/res/templates/privacy/en/1.0.html
    4. echo "Success" > demo/8080/res/templates/privacy/en/success.html
    5. Enable the email block:
    email:
      smtp_host: 127.0.0.1
      smtp_port: 1025
      require_transport_security: false
      notif_from: "Your Friendly %(app)s homeserver <[email protected]>"
  4. I patched Synapse so that I didn't need to set-up SMTP:
diff --git a/synapse/push/mailer.py b/synapse/push/mailer.py
--- a/synapse/push/mailer.py
+++ b/synapse/push/mailer.py
@@ -309,6 +309,9 @@ class Mailer(object):
 
         logger.info("Sending email to %s" % email_address)
 
+        logger.info(plain_text)
+        return
+
         await make_deferred_yieldable(
             self.sendmail(
                 self.hs.config.email_smtp_host,
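Review bot: the bare `return` placed ahead of `await make_deferred_yieldable(self.sendmail(...))` turns off delivery for every email that reaches this point, and `logger.info(plain_text)` writes the whole message body to the server log at INFO, which for registration includes the validation link. For a throwaway local reproduction that is the intent, but it should not travel beyond that: if a no-SMTP mode is wanted, put it behind an explicit config or debug switch and avoid logging the body at a level that is on by default.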
  5. Finally, rerun the server: ./demo/start.sh
  6. Go to Riot Web and use http://localhost:8080 as your homeserver.
  7. Logs are available at tail -f demo/8080/homeserver.log
