Allow using Matrix for Account verification

[DraconicNEO]

Requirements

• Is this a feature request? For questions or discussions use https://lemmy.ml/c/lemmy_support
• Did you check to see if this issue already exists?
• Is this only a feature request? Do not put multiple feature requests in one issue.
• Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.
• Do you agree to follow the rules in our Code of Conduct?

Is your proposal related to a problem?

Email verification is great but it would also be nice if we could use Matrix to verify accounts at signup, as well as for account recovery.

Describe the solution you'd like.

Add the ability for Lemmy to use matrix to send verification messages in addition to the built-in email verification, allowing people to use their matrix handle to sign-up to Lemmy, the same way they may use an Email to do so now. Of course servers can still choose between making one of the other mandatory. They could also choose to make them optional, just like it is with Email verification now.

Describe alternatives you've considered.

N/A

Additional context

If a server allows both email and matrix to be used as verification and a user inputs both an email and a matrix, it would send verification methods to both and they could use either to verify their account. In the case of email or Matrix being required, the one they use to verify would be added to their account, the other would have to be verified afterwards to be added.

The different states of it could be:

• Matrix or Email Required
• Matrix required, Email optional
• Email Required, Matrix optional
• Email and/or Matrix Optional

A nice side effect is that on servers that require verification and have verification by matrix enabled you'd have to verify your matrix before adding it, you couldn't just add it instantly, which prevents people from using your Matrix handle on their profile to impersonate you.

Also I think a good idea would be to allow for servers to choose between hosting their own matrix server for the bot account or using a Matrix account on another server like matrix.org self-hosting would be the best, most secure solution though.

[dessalines]

I like this idea, but probably don't have time to work on it myself. Anyone else is free to tho.

It would entail:

• Altering the registration forms to also take in the matrix id.
• Adding settings for a site matrix login, to be able to send messages.
• Using a (hopefully rust) API to create those.
• Adding require_matrix_verification in addition to the already existing require_email_verification on the local site table, or combining the options you listed above into an enum.
• Doing all the same flow operations as the email verification.

[DraconicNEO]

Something else I did think of just recently is that such an option could make spam more difficult since with email there are temporary email services but on Matrix there is no such service, and likely won't be for a while. Matrix account verification could be a major deterrent, especially if it is possible to make the bot require message encryption to send the user a verification message (that would exclude most bridges and Matrix bots that a user could use to circumvent the process).