From 76fd98486dbd695c7b64297f00b756a42d44aa6e Mon Sep 17 00:00:00 2001
From: Daniel Hoffend <dh@dotlan.net>
Date: Tue, 23 Apr 2019 00:00:27 +0200
Subject: [PATCH] disable password change api, when password providers are used

---
 roles/matrix-nginx-proxy/defaults/main.yml                  | 3 +++
 .../templates/nginx/conf.d/matrix-synapse.conf.j2           | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 674757f93..46e8f4017 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -76,6 +76,9 @@ matrix_nginx_proxy_proxy_synapse_metrics: false
 matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
 matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
 
+# if you want to disable password change (when using external password providers)
+matrix_nginx_proxy_proxy_matrix_password_change_disabled: false
+
 # The addresses where the Matrix Client API is.
 # Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
 matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008"
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
index 00e7a1beb..f683006f0 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@@ -102,6 +102,12 @@ server {
 	}
 	{% endif %}
 
+	{% if matrix_nginx_proxy_proxy_matrix_password_change_disabled %}
+	location /_matrix/client/r0/account/password {
+		deny all;
+	}
+	{% endif %}
+
 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}