* Ability to send password reset emails
This changes the default behaviour of Synapse to send password reset
emails itself rather than through an identity server. The reasoning
behind the change is to prevent a malicious identity server from
being able to initiate a password reset attempt and then answering
it, successfully resetting their password, all without the user's
knowledge. This also aides in decentralisation by putting less
trust on the identity server itself, which traditionally is quite
centralised.
If users wish to continue with the old behaviour of proxying
password reset requests through the user's configured identity
server, they can do so by setting
email.enable_password_reset_from_is to True in Synapse's config.
Users should be able that with that option disabled (the default),
password resets will now no longer work unless email sending has
been enabled and set up correctly.
* Fix validation token lifetime email_ prefix
* Add changelog
* Update manifest to include txt/html template files
* Update db
* mark jinja2 and bleach as required dependencies
* Add email settings to default unit test config
* Update unit test template dir
* gen sample config
* Add html5lib as a required dep
* Modify check for smtp settings to be kinder to CI
* silly linting rules
* Correct html5lib dep version number
* one more time
* Change template_dir to originate from synapse root dir
* Revert "Modify check for smtp settings to be kinder to CI"
This reverts commit 6d2d3c9fd3.
* Move templates. New option to disable password resets
* Update templates and make password reset option work
* Change jinja2 and bleach back to opt deps
* Update email condition requirement
* Only import jinja2/bleach if we need it
* Update sample config
* Revert manifest changes for new res directory
* Remove public_baseurl from unittest config
* infer ability to reset password from email config
* Address review comments
* regen sample config
* test for ci
* Remove CI test
* fix bug?
* Run bg update on the master process
This PR creates an endpoint GET/POST /_matrix/identity/api/v1/validate/email/submitToken
which mirrors the same endpoint on the identity server used for submitting tokens
used for validating 3PID addresses.
When the token is submitted, it is checked along with the client_secret and session_id in
the db and if it matches and isn't expired, we mark the session as validated. Then, when
the user attempts to change their password, we check if the session is valid, and if so
allow it. We also delete the session at this point, as as far as I can tell there's no
further use for it.
Database component of new behaviour of sending password reset emails from Synapse instead of Sydent.
Allows one to store threepid validation sessions along with password reset token attempts and retrieve them again.
