From 5a9fbcb98e452a53b4853a37f3fdca0d6be6f48f Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 21 Nov 2025 19:36:04 +0100
Subject: [PATCH] Don't error out if there is no email associated to the registration In case an email is required for password auth, we create a user authentication which we force the user to complete. We used to double-check that the email is required before completing the registration, which was only really useful when the config flipped from not being required to being required, in the 1h window in which running registrations were still valid. We think this is a fine trade-off.
---
 .../src/views/register/steps/finish.rs | 90 +++++++++----------
 1 file changed, 42 insertions(+), 48 deletions(-)
diff --git a/crates/handlers/src/views/register/steps/finish.rs b/crates/handlers/src/views/register/steps/finish.rs
index e1ed8a3f0..4663bdde9 100644
--- a/crates/handlers/src/views/register/steps/finish.rs
+++ b/crates/handlers/src/views/register/steps/finish.rs
@@ -154,59 +154,53 @@ pub(crate) async fn get(
 // If there is an email authentication, we need to check that the email
 // address was verified. If there is no email authentication attached, we
 // need to make sure the server doesn't require it
- let email_authentication = if let Some(email_authentication_id) =
- registration.email_authentication_id
- {
- let email_authentication = repo
- .user_email()
- .lookup_authentication(email_authentication_id)
- .await?
- .context("Could not load the email authentication")
- .map_err(InternalError::from_anyhow)?;
+ let email_authentication =
+ if let Some(email_authentication_id) = registration.email_authentication_id {
+ let email_authentication = repo
+ .user_email()
+ .lookup_authentication(email_authentication_id)
+ .await?
+ .context("Could not load the email authentication")
+ .map_err(InternalError::from_anyhow)?;

- // Check that the email authentication has been completed
- if email_authentication.completed_at.is_none() {
- return Ok((
- cookie_jar,
- url_builder.redirect(&mas_router::RegisterVerifyEmail::new(id)),
- )
- .into_response());
- }
+ // Check that the email authentication has been completed
+ if email_authentication.completed_at.is_none() {
+ return Ok((
+ cookie_jar,
+ url_builder.redirect(&mas_router::RegisterVerifyEmail::new(id)),
+ )
+ .into_response());
+ }

- // Check that the email address isn't already used
- // It is important to do that here, as we we're not checking during the
- // registration, because we don't want to disclose whether an email is
- // already being used or not before we verified it
- if repo
- .user_email()
- .count(UserEmailFilter::new().for_email(&email_authentication.email))
- .await?
- > 0
- {
- let action = registration
- .post_auth_action
- .map(serde_json::from_value)
- .transpose()?;
+ // Check that the email address isn't already used
+ // It is important to do that here, as we we're not checking during the
+ // registration, because we don't want to disclose whether an email is
+ // already being used or not before we verified it
+ if repo
+ .user_email()
+ .count(UserEmailFilter::new().for_email(&email_authentication.email))
+ .await?
+ > 0
+ {
+ let action = registration
+ .post_auth_action
+ .map(serde_json::from_value)
+ .transpose()?;

- let ctx = RegisterStepsEmailInUseContext::new(email_authentication.email, action)
- .with_language(lang);
+ let ctx = RegisterStepsEmailInUseContext::new(email_authentication.email, action)
+ .with_language(lang);

- return Ok((
- cookie_jar,
- Html(templates.render_register_steps_email_in_use(&ctx)?),
- )
- .into_response());
- }
+ return Ok((
+ cookie_jar,
+ Html(templates.render_register_steps_email_in_use(&ctx)?),
+ )
+ .into_response());
+ }

- Some(email_authentication)
- } else if site_config.password_registration_email_required {
- // This could only happen in theory during a configuration change
- return Err(InternalError::from_anyhow(anyhow::anyhow!(
- "Server requires an email address to complete the registration, but no email authentication was attached to the user registration"
- )));
- } else {
- None
- };
+ Some(email_authentication)
+ } else {
+ None
+ };

 // Check that the display name is set
 if registration.display_name.is_none() {
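Review bot: The context comment kept at the top of this hunk still says that with no email authentication attached "we need to make sure the server doesn't require it", but the new `else { None }` branch no longer reads `site_config.password_registration_email_required`, so the comment describes a check that is gone. After this change the verified-email requirement rests entirely on the earlier step mentioned in the commit message, and a registration that reaches `get` without an email authentication is completed without any signal. Reword the comment to state that, for example `// No email authentication attached: the email requirement is enforced earlier in the flow and is not re-checked here`. If the setting is only meant for password registrations, narrowing the old guard to those instead of deleting it would keep the defence in depth; failing that, a warning log in the `else` branch when the setting is on would make an unexpected bypass visible to operators. The body of `get` starts and ends outside this hunk, so whether `site_config` is still used elsewhere in the function cannot be seen from here.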