exclude submittoken too

pull/977/head
David Baker 5 years ago
parent f02e4c2e9c
commit d00dfb7822

@ -62,20 +62,21 @@ be dropped from all endpoints.
Any request to any endpoint within `/_matrix/identity/v2`, with the exception Any request to any endpoint within `/_matrix/identity/v2`, with the exception
of: of:
* `/_matrix/identity/v2` * `/_matrix/identity/v2`
* any `requestToken` endpoint * any `requestToken` or `submitToken` endpoint
* The new `$prefix/account/register` endpoint * The new `$prefix/account/register` endpoint
* The new `GET /_matrix/identity/v2/terms` * The new `GET /_matrix/identity/v2/terms`
* `$prefix/logout`
...may return an error with `M_UNAUTHORIZED` errcode with HTTP status code 401. ...may return an error with `M_UNAUTHORIZED` errcode with HTTP status code 401.
This indicates that the user must authenticate with OpenID and supply a valid This indicates that the user must authenticate with OpenID and supply a valid
`access_token`. `access_token`.
`requestToken` endpoints are excluded from the auth check because they are used `requestToken` and `submitToken` endpoints are excluded from the auth check
in the registration process before the user has an MXID and therefore cannot because they are used in the registration process before the user has an MXID
log in with OpenID. It is up to the IS to manage its privacy obligations and therefore cannot log in with OpenID. It is up to the IS to manage its
appropriately when fulfilling these requests, bearing in mind that the user has privacy obligations appropriately when fulfilling these requests, bearing in
not explicitly indicated their agreement to any documents, and may abort the mind that the user has not explicitly indicated their agreement to any
registration process without doing so. documents, and may abort the registration process without doing so.
All other endpoints require authentication by the client supplying an access token All other endpoints require authentication by the client supplying an access token
either via an `Authorization` header with a `Bearer` token or an `access_token` either via an `Authorization` header with a `Bearer` token or an `access_token`
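Review bot: the justification paragraph (the lines beginning "`requestToken` and `submitToken` endpoints are excluded from the auth check") now covers both endpoints but only argues the `requestToken` case: a user without an MXID cannot log in with OpenID. Once `submitToken` is also reachable without an `access_token`, the submitted token is the only thing gating that endpoint, so the paragraph should say so and state what the IS is expected to do about it (limit validation attempts per session, rate-limit, and treat failed submissions as a signal), alongside the existing privacy note. Separately, the `* `$prefix/logout`` bullet appears on only one side of the diff while the commit title mentions only `submitToken`; confirm that change belongs in this commit or call it out in the message.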
