From d0fd20fdb4b412c9bb596cfc2b06915d46c631a3 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 27 May 2019 22:40:07 -0600 Subject: [PATCH 1/2] Clarify how homeservers are meant to auth themselves to appservices Fixes https://github.com/matrix-org/matrix-doc/issues/1765 Note that the swagger definitions already say that authorization is required. It just wasn't mentioned in the spec. --- .../application_service/newsfragments/2037.clarification | 1 + specification/application_service_api.rst | 8 ++++++++ 2 files changed, 9 insertions(+) create mode 100644 changelogs/application_service/newsfragments/2037.clarification diff --git a/changelogs/application_service/newsfragments/2037.clarification b/changelogs/application_service/newsfragments/2037.clarification new file mode 100644 index 000000000..f425b1c19 --- /dev/null +++ b/changelogs/application_service/newsfragments/2037.clarification @@ -0,0 +1 @@ +Add missing definition for how appservices verify requests came from a homeserver. diff --git a/specification/application_service_api.rst b/specification/application_service_api.rst index 865544dd0..81077bcf1 100644 --- a/specification/application_service_api.rst +++ b/specification/application_service_api.rst @@ -187,6 +187,14 @@ An example registration file for an IRC-bridging application service is below: Homeserver -> Application Service API ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Authorization ++++++++++++++ + +Homeservers MUST include a query parameter named ``access_token`` containing the +``hs_token`` from the application service's registration when making requests to +the application service. Application services MUST verify the provided ``access_token`` +matches their known ``hs_token``, failing the request with a ``M_FORBIDDEN`` error. + Legacy routes +++++++++++++ From e2da3728a0631f95bae08f7ceb4a18b695841d3b Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Tue, 28 May 2019 12:53:48 -0600 Subject: [PATCH 2/2] Only error if the token doesn't match --- specification/application_service_api.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/specification/application_service_api.rst b/specification/application_service_api.rst index 81077bcf1..3220df2d4 100644 --- a/specification/application_service_api.rst +++ b/specification/application_service_api.rst @@ -193,7 +193,8 @@ Authorization Homeservers MUST include a query parameter named ``access_token`` containing the ``hs_token`` from the application service's registration when making requests to the application service. Application services MUST verify the provided ``access_token`` -matches their known ``hs_token``, failing the request with a ``M_FORBIDDEN`` error. +matches their known ``hs_token``, failing the request with a ``M_FORBIDDEN`` error +if it does not match. Legacy routes +++++++++++++