Synapse doesn't require new_password on every call to /account/password, contrary to the spec. (But maybe this is a spec oversight?)

[matrixbot]

This issue has been migrated from #13187.

---

Link to problem area:

• https://spec.matrix.org/v1.3/client-server-api/#post_matrixclientv3accountpassword
• https://github.com/matrix-org/synapse/blob/3ea5f1cb24c34e6104aa747d206f3148e10d789e/synapse/rest/client/account.py#L184 and nearby

The spec says that new_password is a required field.

new_password	string	Required: The new password for the account.

However, this endpoint is part of the user-interactive auth stuff, and Synapse only requires you to have provided new_password at least once during a sequence of calls to /account/password. If you've provided a new_password as part of the user-interactive auth, you don't have to provide it with later requests.

This is against the letter of the law as mandated by the spec (but perhaps not the spirit). This might also fall under the category of "user-interactive auth is weird; give us matrix-org/matrix-spec#636 please).

Noticed in #13183.