Application Services are rate-limited by IP address on /login

[anoadragon453]

Since MSC2778's implementation application services are able to use /login to login as an interested user and create a device which aids them in performing end-to-end encryption.

However, /login has a ratelimit on it which is IP-based:

synapse/synapse/rest/client/v1/login.py

Lines 117 to 126 in 514a240

	async def on_POST(self, request: SynapseRequest):
	self._address_ratelimiter.ratelimit(request.getClientIP())
	login_submission = parse_json_object_from_request(request)
	try:
	if login_submission["type"] == LoginRestServlet.APPSERVICE_TYPE:
	appservice = self.auth.get_appservice_by_req(request)
	result = await self._do_appservice_login(login_submission, appservice)
	elif self.jwt_enabled and (

This is obviously quite bad news for application services that need to login to a lot of user accounts on startup or somesuch. Currently there is no way to override this ratelimit.

As a solution, I propose only calling upon the ratelimiter for non uk.half-shot.msc2778.login.application_service identifier types (aka non-AS requests). If the request cannot be authenticated via an access token, it will immediately be rejected.

We may also want to move this line:

synapse/synapse/rest/client/v1/login.py

Line 120 in 514a240

login_submission = parse_json_object_from_request(request)

as someone could technically supply a huge JSON body over and over and upset the server that way.

[anoadragon453]

@Half-Shot helpfully notes that application services have a rate limit option in their registration file, which we should probably respect here.