Add option to enable token registration without requiring 3pids

changelog.d/12526.feature

@@ -0,0 +1 @@
+Add new `registration_token_without_3pids` configuration option to allow registrations via token without needing to verify a 3pid.

docs/sample_config.yaml

@@ -1323,6 +1323,16 @@ oembed:
 #
 #registration_requires_token: true
 
+# Allow users to submit a token during registration without requiring them to complete any
+# 3pid steps.
+# Tokens can be managed using the admin API:
+# https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/registration_tokens.html
+# Note that `enable_registration` must be set to `true`.
+# Disabling this option will not delete any tokens previously generated.
+# Defaults to false. Uncomment the following to require tokens:
+#
+#registration_token_without_3pid: false
+
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #

synapse/config/registration.py

@@ -43,6 +43,9 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
         self.registration_requires_token = config.get(
             "registration_requires_token", False
         )
+        self.registration_token_without_3pids = config.get(
+            "registration_token_without_3pids", False
+        )
         self.registration_shared_secret = config.get("registration_shared_secret")
 
         self.bcrypt_rounds = config.get("bcrypt_rounds", 12)
@@ -309,6 +312,16 @@ def generate_config_section(
         #
         #registration_requires_token: true
 
+        # Allow users to submit a token during registration without requiring them to complete any
+        # 3pid steps.
+        # Tokens can be managed using the admin API:
+        # https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/registration_tokens.html
+        # Note that `enable_registration` must be set to `true`.
+        # Disabling this option will not delete any tokens previously generated.
+        # Defaults to false. Uncomment the following to require tokens:
+        #
+        #registration_token_without_3pid: false
+
         # If set, allows registration of standard or admin accounts by anyone who
         # has the shared secret, even if registration is otherwise disabled.
         #

synapse/handlers/ui_auth/checkers.py

@@ -256,7 +256,9 @@ class RegistrationTokenAuthChecker(UserInteractiveAuthChecker):
     def __init__(self, hs: "HomeServer"):
         super().__init__(hs)
         self.hs = hs
-        self._enabled = bool(hs.config.registration.registration_requires_token)
+        self._enabled = bool(
+            hs.config.registration.registration_requires_token
+        ) or bool(hs.config.registration.registration_token_without_3pids)
         self.store = hs.get_datastores().main
 
     def is_enabled(self) -> bool:

synapse/rest/client/register.py

@@ -929,6 +929,15 @@ def _calculate_registration_flows(
         # always let users provide both MSISDN & email
         flows.append([LoginType.MSISDN, LoginType.EMAIL_IDENTITY])
 
+    # Prepend registration token to all flows if we're requiring a token
+    if config.registration.registration_requires_token:
+        for flow in flows:
+            flow.insert(0, LoginType.REGISTRATION_TOKEN)
+
+    # Add a flow that doesn't require any 3pids, if the config requests it.
+    if config.registration.registration_token_without_3pids:
+        flows.append([LoginType.REGISTRATION_TOKEN])
+
     # Prepend m.login.terms to all flows if we're requiring consent
     if config.consent.user_consent_at_registration:
         for flow in flows:
@@ -939,11 +948,6 @@ def _calculate_registration_flows(
         for flow in flows:
             flow.insert(0, LoginType.RECAPTCHA)
 
-    # Prepend registration token to all flows if we're requiring a token
-    if config.registration.registration_requires_token:
-        for flow in flows:
-            flow.insert(0, LoginType.REGISTRATION_TOKEN)
-
     return flows