From d5675b85cf9c0b2cddb438ec72a3d140af8feffb Mon Sep 17 00:00:00 2001
From: Ginger
Date: Fri, 27 Mar 2026 11:43:39 -0400
Subject: [PATCH] fix: Release session lock before sending threepid validation email

---
 src/service/threepid/mod.rs | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/service/threepid/mod.rs b/src/service/threepid/mod.rs
index 2e1375f80..2c074bcde 100644
--- a/src/service/threepid/mod.rs
+++ b/src/service/threepid/mod.rs
@@ -112,6 +112,9 @@ pub async fn send_validation_email(
 | None => sessions.create_session(recipient.email.clone(), client_secret.to_owned()),
 };
 
+ // Clone this so it can outlive the lock we're holding on `sessions`
+ let session_id = session.session_id.clone();
+
 let ValidationState::Pending(token) = &session.validation_state else {
 unreachable!("session should be pending")
 };
@@ -125,14 +128,18 @@ pub async fn send_validation_email(
 
 validation_url
 .query_pairs_mut()
- .append_pair("session", session.session_id.as_ref())
+ .append_pair("session", session_id.as_str())
 .append_pair("token", &token.token);
 
+ // Once the validation URL is built, we don't need any data borrowed from
+ // `sessions` anymore and can release our lock
+ drop(sessions);
+
 let message = prepare_body(validation_url.to_string());
 
 mailer.send(recipient, message).await?;
 
- Ok(session.session_id.clone())
+ Ok(session_id)
 }
 
 /// Attempt to mark a validation session as valid using a validation token.
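Review bot: After `drop(sessions)` in the second hunk the send is no longer serialized by the lock, so concurrent requests for the same address and `client_secret` can reach `mailer.send(recipient, message).await?` at the same time. The branch that reuses an existing session starts outside the hunk, so I cannot tell whether a resend limit is recorded while the lock is still held; if it is not, the lock may have been the only thing pacing repeated validation mails to one recipient. I would state the invariant at the drop, e.g. `// Any send-attempt accounting must be written to the session before this point; sends for the same address can now run concurrently.` A failed send still returns through `?` with the pending session left in the store, as it did before the change, which deserves a line in the function's doc comment.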