wholetrans/docs-matrix-spec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

UIAA on /account/3pid/add

Browse source
This commit is contained in:
Andrew Morgan 2019-09-26 17:16:44 +01:00
parent 40420d9633
commit 1a51a24768
1 changed files with 9 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

11
proposals/2290-separate-threepid-bind-hs.md
View file

@ -45,8 +45,15 @@ will validate threepids being bound to themselves.
## Proposal ## Proposal
To solve this problem, two new endpoints will be added to the Client Server To solve this problem, two new endpoints will be added to the Client Server
API: `POST /account/3pid/bind` and `POST /account/3pid/add`. Both will API: `POST /account/3pid/bind` and `POST /account/3pid/add`. Binding to an
require authentication and be rate-limited. The request parameters of `POST identity server will require standard authentication, whereas adding a 3pid
to a user account will require [User-Interactive
Authentication](https://matrix.org/docs/spec/client_server/r0.5.0#user-interactive-authentication-api).
The latter is to prevent someone from adding a 3pid (which can be used to
reset passwords) to someone who's left their account open on a public
computer, without needing their password to do so.
Both endpoints will be rate-limited. The request parameters of `POST
/account/3pid/bind` are the same as [POST /account/3pid/bind` are the same as [POST
/account/3pid](https://matrix.org/docs/spec/client_server/r0.5.0#post-matrix-client-r0-account-3pid), /account/3pid](https://matrix.org/docs/spec/client_server/r0.5.0#post-matrix-client-r0-account-3pid),
minus the `bind` flag, and the contents of `three_pid_creds` have been minus the `bind` flag, and the contents of `three_pid_creds` have been