From 532ec258a2618786a220cbc753f901ed2230f13f Mon Sep 17 00:00:00 2001
From: Patrick Cloke <clokep@users.noreply.github.com>
Date: Thu, 13 Jul 2023 07:23:56 -0400
Subject: [PATCH] Stop accepting 'user' parameter for application service
 registration. (#15928)

This is unspecced, but has existed for a very long time.
---
 changelog.d/15928.removal       |  1 +
 docs/upgrade.md                 | 10 ++++++++++
 synapse/rest/client/register.py | 12 ++++--------
 3 files changed, 15 insertions(+), 8 deletions(-)
 create mode 100644 changelog.d/15928.removal

diff --git a/changelog.d/15928.removal b/changelog.d/15928.removal
new file mode 100644
index 000000000000..5563213d319b
--- /dev/null
+++ b/changelog.d/15928.removal
@@ -0,0 +1 @@
+Remove support for calling the `/register` endpoint with an unspecced `user` property for application services.
diff --git a/docs/upgrade.md b/docs/upgrade.md
index b94d13c4daac..5dde6c769e85 100644
--- a/docs/upgrade.md
+++ b/docs/upgrade.md
@@ -88,6 +88,16 @@ process, for example:
     dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
     ```
 
+# Upgrading to v1.89.0
+
+## Removal of unspecced `user` property for `/register`
+
+Application services can no longer call `/register` with a `user` property to create new users.
+The standard `username` property should be used instead. See the
+[Application Service specification](https://spec.matrix.org/v1.7/application-service-api/#server-admin-style-permissions)
+for more information.
+
+
 # Upgrading to v1.88.0
 
 ## Minimum supported Python version
diff --git a/synapse/rest/client/register.py b/synapse/rest/client/register.py
index 29ba33c8eb1a..fcad7d54b7bf 100644
--- a/synapse/rest/client/register.py
+++ b/synapse/rest/client/register.py
@@ -463,9 +463,9 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
         # the auth layer will store these in sessions.
         desired_username = None
         if "username" in body:
-            if not isinstance(body["username"], str) or len(body["username"]) > 512:
-                raise SynapseError(400, "Invalid username")
             desired_username = body["username"]
+            if not isinstance(desired_username, str) or len(desired_username) > 512:
+                raise SynapseError(400, "Invalid username")
 
         # fork off as soon as possible for ASes which have completely
         # different registration flows to normal users
@@ -478,11 +478,6 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
                     "Appservice token must be provided when using a type of m.login.application_service",
                 )
 
-            # Set the desired user according to the AS API (which uses the
-            # 'user' key not 'username'). Since this is a new addition, we'll
-            # fallback to 'username' if they gave one.
-            desired_username = body.get("user", desired_username)
-
             # XXX we should check that desired_username is valid. Currently
             # we give appservices carte blanche for any insanity in mxids,
             # because the IRC bridges rely on being able to register stupid
@@ -490,7 +485,8 @@ async def on_POST(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
 
             access_token = self.auth.get_access_token_from_request(request)
 
-            if not isinstance(desired_username, str):
+            # Desired username is either a string or None.
+            if desired_username is None:
                 raise SynapseError(400, "Desired Username is missing or not a string")
 
             result = await self._do_appservice_registration(