Interactive auth chooses the first flow it sees, not the one it supports #19605

@spantaleev

Steps to reproduce

  1. Add at least one password provider module to Synapse which supports a custom login type (an example is matrix-synapse-shared-secret-auth, which defines a com.devture.shared_secret_auth login type meant to be used like this). You don't even need to use the custom password provider - it just needs to be registered with Synapse. You can also register a custom module providing a my.login_type like this example in the Synapse docs
  2. Use Element and try to delete one of your existing devices from the Security & Privacy dialog
  3. An Authentication popup appears with a Start authentication button
  4. Clicking Start authentication leads to https://matrix.DOMAIN/_matrix/client/r0/auth/com.devture.shared_secret_auth/fallback/web?session=.... (note the com.devture.shared_secret_auth part of the URL)
  5. This page renders: {"errcode":"M_UNKNOWN","error":"Unknown auth stage type"} and you can't proceed

Outcome

What did you expect?

I expect interactive auth to work using a supported authentication method (m.login.password, etc.), despite various password provider modules advertising other (unknown to Element) login methods.

What happened instead?

Upon pressing the Delete devices button in Element, a request to POST /_matrix/client/r0/delete_devices got sent, which received a response like this:

{
    "session":"...",
    "flows":[
        {"stages":["com.devture.shared_secret_auth"]},
        {"stages":["m.login.password"]}
    ],
    "params":{}
}

It seems like Element picked the first flow it saw (com.devture.shared_secret_auth in this case), instead of the flow it understands.

Operating system

No response

Browser information

No response

URL for webapp

No response

Application version

1.9.3

Homeserver

No response

Will you send logs?

No
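
An added example, not part of the original report and not code from Element or matrix-js-sdk: one way a client could select a User-Interactive Auth flow by checking every stage against what it can perform instead of taking `flows[0]`. The names `SUPPORTED_STAGES` and `chooseFlow`, the contents of the supported set, and the sample session value are assumptions made for illustration.

```javascript
// Added example: stage types this hypothetical client can drive natively.
const SUPPORTED_STAGES = new Set([
  "m.login.password",
  "m.login.recaptcha",
  "m.login.email.identity",
  "m.login.dummy",
]);

/**
 * Pick a User-Interactive Auth flow from a 401 response body.
 * Returns { flow, nextStage }, or null when no flow is fully supported,
 * so the caller can show an error instead of opening a dead-end fallback URL.
 */
function chooseFlow(uiaResponse, supported = SUPPORTED_STAGES) {
  const flows = Array.isArray(uiaResponse?.flows) ? uiaResponse.flows : [];
  const completed = new Set(uiaResponse?.completed ?? []);

  for (const flow of flows) {
    const stages = Array.isArray(flow?.stages) ? flow.stages : [];
    // Stages the server already accepted for this session need no client support.
    const remaining = stages.filter((s) => !completed.has(s));
    // Skip any flow that still contains a stage the client cannot perform.
    if (!remaining.every((s) => supported.has(s))) continue;
    return { flow, nextStage: remaining[0] ?? null };
  }
  return null;
}

// Constructed sample with the same shape as the response quoted in the issue.
const sample = {
  session: "constructed-session-id",
  flows: [
    { stages: ["com.devture.shared_secret_auth"] },
    { stages: ["m.login.password"] },
  ],
  params: {},
};

const choice = chooseFlow(sample);
console.log(choice ? choice.nextStage : "no supported flow");
```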
