404 during UI authentication with matrix-synapse-shared-secret-auth

[matrixbot]

This issue has been migrated from #12282.

---

element-hq/element-web#20292 (comment) describes a custom user-interactive auth flow which a client did not understand. The client tried to request a HTML fallback to show to its user. The response from synapse was an error:

Start authentication link https://my_homeserver/_matrix/client/r0/auth/com.devture.shared_secret_auth/fallback/web?session=TpDJpMZAnnTXJHRGDQuQPlvs returns {"errcode":"M_UNKNOWN","error":"Unknown auth stage type"}

Judging by Synapse's source code, this probably came with a 404 status code. However, the spec says:

If a client does not know how to handle a given login type, it can direct the user to a web browser with the URL of a fallback page which will allow the user to complete that login step out-of-band in their web browser. The URL it should open is:

/_matrix/client/v3/auth/<auth type>/fallback/web?session=<session ID>

Where auth type is the type name of the stage it is attempting and session ID is the ID of the session given by the homeserver.

This MUST return an HTML page which can perform this authentication stage.

The JSON blob returned does not constitute an HTML page, so we are not spec compliant.

The report in that issue claimed to be running on Synapse 1.49 and using an unspecified version of devture/matrix-synapse-shared-secret-auth.

Original Description

Flows provided by _get_available_ui_auth_types are unordered, it causes element-hq/element-web#19605 and devture/matrix-synapse-shared-secret-auth#12.