Context: #19023
When rolling out the #17097 security fix, it was discovered that some clients (Element Web) and bots (matrix-bot-sdk) would set "device_keys": null in the request body, instead of omitting the field. This is a violation of the spec, which only specifies that device_keys may be omitted or a dict (DeviceKeys object), not null.
In the linked PR, Synapse allowed this field to be null and treated it as if the field were omitted. As per @richvdh's suggestion, we should wait 3 months for clients and bot SDKs to update to actually omit the field. The danger of not doing so is that these clients will not change their behaviour - and thus other homeserver implementations will need to violate the spec in order to not break in production.
The impact of this endpoint breaking is that a client cannot upload E2EE keys - leading to broken E2EE.
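The three cases above (omitted, null, object) as an added example, not Synapse's own code: a validator with a temporary lenient mode and a spec-strict mode, which also counts which clients still send null so the grace period can be tracked. The function, exception and counter names are hypothetical, and mapping the rejection to a 400 `M_BAD_JSON` response is an assumption.

```python
import json
from collections import Counter

class BadJson(ValueError):
    """Hypothetical stand-in for a 400 M_BAD_JSON response."""

# Clients seen sending "device_keys": null, keyed by User-Agent.
null_device_keys_seen = Counter()

_MISSING = object()  # sentinel: tells "key absent" apart from "key is null"

def parse_keys_upload(raw_body: bytes, user_agent: str, allow_null: bool) -> dict:
    """Return the body with device_keys either absent or a dict.

    allow_null=True is the temporary compatibility behaviour (null is
    treated as omitted); allow_null=False enforces the spec.
    """
    try:
        body = json.loads(raw_body)
    except ValueError as e:  # covers JSONDecodeError and bad UTF-8
        raise BadJson("body is not valid JSON") from e
    if not isinstance(body, dict):
        raise BadJson("body must be a JSON object")

    value = body.get("device_keys", _MISSING)
    if value is _MISSING:
        return body  # spec-compliant: field omitted
    if value is None:
        null_device_keys_seen[user_agent] += 1  # record even when tolerated
        if not allow_null:
            raise BadJson("device_keys must be an object or omitted, not null")
        return {k: v for k, v in body.items() if k != "device_keys"}
    if not isinstance(value, dict):
        raise BadJson("device_keys must be an object")
    return body  # spec-compliant: DeviceKeys object

# Constructed sample request bodies (not captured traffic).
OMITTED = b'{"one_time_keys": {}}'
NULL = b'{"device_keys": null, "one_time_keys": {}}'
OBJECT = b'{"device_keys": {"user_id": "@alice:example.org", "device_id": "ABC"}}'
WRONG_TYPE = b'{"device_keys": []}'
```

Using a sentinel rather than `body.get("device_keys")` is the point: a plain `.get()` cannot distinguish a missing key from an explicit null, which is how the two cases end up silently conflated.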