Skip to content

Commit

Permalink
fix: spec compliant token matching
Browse files Browse the repository at this point in the history
Signed-off-by: Debdut Chakraborty <[email protected]>
  • Loading branch information
debdutdeb committed Jun 30, 2024
1 parent 530de2a commit 44bf012
Showing 1 changed file with 17 additions and 7 deletions.
24 changes: 17 additions & 7 deletions src/bridge.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1652,13 +1652,23 @@ export class Bridge {
// Bridge isn't ready yet
return false;
}
if (
req.query.access_token !== this.registration.getHomeserverToken() &&
req.get("authorization") !== `Bearer ${this.registration.getHomeserverToken()}`
) {
return false;
}
return true;

const tokenFromQuery = req.query.access_token;

const tokenFromHeader = req.get("authorization").substring(7); // "Bearer ".length === 7

const tokenFromRegistration = this.registration.getHomeserverToken();

// https://github.com/matrix-org/matrix-spec/blob/7935a0728a12e768283dba0145fb95154d2f7f6b/content/application-service-api.md?plain=1#L149
// "Application services should ensure both match if both are provided."
if (tokenFromQuery && tokenFromHeader) {
return tokenFromQuery === tokenFromRegistration && tokenFromHeader === tokenFromRegistration;
}

// prefer header then query
// https://github.com/matrix-org/matrix-spec/blob/7935a0728a12e768283dba0145fb95154d2f7f6b/content/application-service-api.md?plain=1#L146-L147
// Spec does not enforce both to be sent. "encouraged" being the key word.
return tokenFromHeader === tokenFromRegistration || tokenFromQuery === tokenFromRegistration;
}

/**
Expand Down

0 comments on commit 44bf012

Please sign in to comment.