Empty 'access_token' parameter passed to /_matrix/client/r0/register #31

Closed
anoadragon453 opened this issue Nov 4, 2020 · 1 comment · Fixed by #33

@anoadragon453
Member

Complement calls /_matrix/client/r0/register with an empty access_token query parameter, which causes Synapse to fail the request. It is valid to call /register with an access token if you're an application service registering a user in your namespace.

```
=== CONT  TestRegistration/parallel/POST_/register_returns_the_same_device_id_as_that_in_the_request
    client.go:196: Making POST request to http://localhost:32857/_matrix/client/r0/register?access_token=
    client.go:196: Request body: {"auth":{"type":"m.login.dummy"},"username":"user-device","password":"sUp3rs3kr1t","device_id":"my_device_id"}
=== CONT  TestRegistration
    client.go:262: POST /_matrix/client/r0/register => 401 Unauthorized (1.981009ms)
=== CONT  TestRegistration/parallel/POST_/register_returns_the_same_device_id_as_that_in_the_request
    client.go:196: HTTP/1.1 401 Unauthorized
        Transfer-Encoding: chunked
        Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
        Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
        Access-Control-Allow-Origin: *
        Cache-Control: no-cache, no-store, must-revalidate
        Content-Type: application/json
        Date: Wed, 04 Nov 2020 16:53:03 GMT
        Server: Synapse/1.22.1
        
        55
        {"errcode":"M_UNKNOWN_TOKEN","error":"Unrecognised access token","soft_logout":false}
        0
        
    apidoc_register_test.go:92: CSAPI.MustDo POST http://localhost:32857/_matrix/client/r0/register?access_token= returned HTTP 401
```

The question of whether Synapse should just ignore an empty access_token query parameter is a good one. The spec doesn't really say one way or the other, so it's probably not good to fail a homeserver for this. Though I'm not sure where using an empty access_token would even be valid either.

Just wanted to get your thoughts on whether you think this should be solved Synapse-side or Complement-side.

@kegsay
Member

kegsay commented Nov 4, 2020

Complement side, we shouldn't send empty access tokens.

oliverpool added a commit to oliverpool/complement that referenced this issue Nov 8, 2020
@kegsay kegsay closed this as completed in #33 Nov 8, 2020
kegsay pushed a commit that referenced this issue Nov 8, 2020
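
The client-side approach agreed in this thread, as an added Go example (not Complement's code and not the change made in #33): the query parameter is attached only when a token is set, and a second function shows how "absent" and "empty" differ to whoever parses the URL. The names `buildURL` and `tokenState`, the address `localhost:8008` and the token value are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// buildURL is a hypothetical helper, not Complement's own code. It attaches
// access_token only when a token is set, so no bare "?access_token=" is sent.
func buildURL(baseURL, path, accessToken string) (string, error) {
	u, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}
	u.Path = path
	q := url.Values{}
	if accessToken != "" {
		q.Set("access_token", accessToken)
	}
	u.RawQuery = q.Encode() // empty Values encode to "", so no "?" is emitted
	return u.String(), nil
}

// tokenState reports how the query parameter looks to the receiving side:
// "absent", "empty" (present with no value) or "present".
func tokenState(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	vals, ok := u.Query()["access_token"]
	switch {
	case !ok:
		return "absent", nil
	case vals[0] == "":
		return "empty", nil
	default:
		return "present", nil
	}
}

func main() {
	const base = "http://localhost:8008" // constructed homeserver address
	for _, tok := range []string{"", "constructed_token"} {
		u, _ := buildURL(base, "/_matrix/client/r0/register", tok)
		state, _ := tokenState(u)
		fmt.Printf("%-70s %s\n", u, state)
	}
}
```
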