From 1f8da07c416b4b97d1ca259ea3eb1605aca1f96c Mon Sep 17 00:00:00 2001
From: Kegan Dougal <kegan@matrix.org>
Date: Tue, 30 May 2017 17:47:24 +0100
Subject: [PATCH] Comment

---
 src/github.com/matrix-org/dendrite/clientapi/auth/auth.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/github.com/matrix-org/dendrite/clientapi/auth/auth.go b/src/github.com/matrix-org/dendrite/clientapi/auth/auth.go
index 9670bc2a2..9f350b4b0 100644
--- a/src/github.com/matrix-org/dendrite/clientapi/auth/auth.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/auth/auth.go
@@ -30,6 +30,10 @@ import (
 )
 
 // UnknownDeviceID is the default device id if one is not specified.
+// This deviates from Synapse which generates a new device ID if one is not specified.
+// It's preferable to not amass a huge list of valid access tokens for an account,
+// so limiting it to 1 unknown device for now limits the number of valid tokens.
+// Clients should be giving us device IDs.
 var UnknownDeviceID = "unknown-device"
 
 // OWASP recommends at least 128 bits of entropy for tokens: https://www.owasp.org/index.php/Insufficient_Session-ID_Length
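Review bot: The added comment on `UnknownDeviceID` gives the reason for a single fallback device but not the consequence for sessions, which is what a caller needs to know. Every login that omits a device ID now maps to the same device, so the token limit only holds if a new login for that device invalidates the previous token; that enforcement is not visible in this hunk and should be confirmed. If it does, I would add a line such as `// All logins without a device ID share this device; a new one replaces the previous access token.` Separately, the identifier is declared with `var`, so any importing package can reassign it; if nothing needs to take its address, `const UnknownDeviceID = "unknown-device"` would make the documented invariant hold.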