Accept access_token instead of id_access_token on the IS, accept Authorization header (#697)

Synapse PR: matrix-org/synapse#6013 which has context

We now accept `access_token` instead of `id_access_token` and do so using the `Authorization` header instead of in the JSON body, as [MSC2140](https://github.com/matrix-org/matrix-doc/pull/2140/files#diff-c03a26de5ac40fb532de19cb7fc2aaf7R80) states.
anoadragon453 authored Sep 11, 2019
1 parent 2c04e47 commit e242f69
Showing 1 changed file with 15 additions and 23 deletions.
38 changes: 15 additions & 23 deletions lib/SyTest/Identity/Server.pm
Expand Up @@ -19,7 +19,7 @@ my $next_token = 0;

# Perpetually correct access token for authenticating with v2 Identity Service API endpoints.
# v2 endpoint calls to this identity server should include this value for their
# `id_access_token` parameter
# `access_token` parameter
my $ID_ACCESS_TOKEN = "swordfish";

sub _init
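Review bot: the updated comment above `$ID_ACCESS_TOKEN` still tells callers to send the value as their `access_token` parameter, but after this change `check_v2` also accepts it in an `Authorization: Bearer` header, which is the form the commit message cites MSC2140 for; suggest wording the comment to cover both, e.g. `# v2 endpoint calls should send this value as their access_token query parameter` / `# or in an "Authorization: Bearer <token>" header`. The constant keeps the name `$ID_ACCESS_TOKEN` while the parameter it documents is renamed, which is harmless for a test fixture but will read oddly once the old name has gone from the rest of the file.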
Expand Down Expand Up @@ -121,7 +121,7 @@ sub on_request
elsif ( $path eq "/_matrix/identity/v2/3pid/bind" ) {
$self->check_v2( $req ) and $self->on_bind( $req );
}
elsif ( # v2 /unbind does not require an id_access_token param
elsif ( # v2 /unbind does not require an access_token param
$path eq "/_matrix/identity/v2/3pid/unbind" or
$path eq "/_matrix/identity/api/v1/3pid/unbind"
) {
Expand All @@ -137,47 +137,39 @@ sub on_request
$server->check_v2 ( $req ) and do_something_else();
A helper method that takes an HTTP request and checks if an C<id_access_token> parameter
matching C<$ID_ACCESS_TOKEN> is present in either the query parameters or the top-level JSON of
the request body.
A helper method that takes an HTTP request and checks if an C<access_token> parameter
matching C<$ID_ACCESS_TOKEN> is present in either the query parameters or the Authorization
header (after the Bearer declaration).
Returns C<0> or C<1> depending on whether a correct C<id_access_token> value was found.
Returns C<0> or C<1> depending on whether a correct C<access_token> value was found.
Responds to the HTTP request with an error message if no C<id_access_token> value was found.
Responds to the HTTP request with an error message if no C<access_token> value was found.
=cut

sub check_v2
{
# Check that either an id_access_token query parameter or JSON body key exists in the req
# Check that either an access_token query parameter or JSON body key exists in the req
my $self = shift;
my ( $req ) = @_;
my %resp;

if (
$req->query_param("id_access_token") and
$req->query_param("id_access_token") eq $ID_ACCESS_TOKEN
) {
my $query_param = $req->query_param("access_token");
if ( $query_param and $query_param eq $ID_ACCESS_TOKEN ) {
# We found it!
return 1;
}

# Check the JSON body for the token. This isn't required for all endpoints so only try if
# the request has a body.
# We use an eval in case this request doesn't have a JSON body
my $body = eval { $req->body_from_json };

if (
$body and
$body->{id_access_token} and
$body->{id_access_token} eq $ID_ACCESS_TOKEN
) {
# Check the Authorization header for the token
# Should be in the form Authorization: Bearer <access_token>
my $auth_header = $req->header("Authorization");
if ( $auth_header and $auth_header eq "Bearer " . $ID_ACCESS_TOKEN ) {
# We found it!
return 1;
}

# Couldn't find an access token
$resp{error} = "Missing id_access_token parameter";
$resp{error} = "Missing access_token parameter";
$resp{errcode} = "M_MISSING_PARAM";
$req->respond_json( \%resp, code => 400 );
return 0;
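Review bot: the comment at the top of `check_v2` is now stale: it still says the token may arrive as an `access_token` query parameter "or JSON body key", but the body check has been deleted in this hunk and replaced by the `Authorization` header check; update it to something like `# Check that either an access_token query parameter or an Authorization: Bearer header carries the token`. Two smaller points on the same hunk: the comparison `$auth_header eq "Bearer " . $ID_ACCESS_TOKEN` is an exact string match, so a lower-case `bearer` scheme or extra whitespace is rejected (acceptable for a fixture, but a one-line comment saying the strictness is deliberate would save the next reader a question); and a request that sends a wrong token value gets the same `Missing access_token parameter` / `M_MISSING_PARAM` 400 as a request that sends none, so a client under test cannot distinguish a missing credential from a rejected one. Consider a separate branch that returns an unauthorized error when a token is present but does not match, and drop the word "parameter" from the message now that a header is also accepted.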
