Accept access_token instead of id_access_token on the IS, accept Authorization header (#697)

anoadragon453 · web-flow · commit e242f69f3a9e · 2019-09-11T12:09:16.000+01:00
Synapse PR: matrix-org/synapse#6013 which has context We now accept `access_token` instead of `id_access_token` and do so using the `Authorization` header instead of in the JSON body, as [MSC2140](https://github.com/matrix-org/matrix-doc/pull/2140/files#diff-c03a26de5ac40fb532de19cb7fc2aaf7R80) states.
diff --git a/lib/SyTest/Identity/Server.pm b/lib/SyTest/Identity/Server.pm
@@ -19,7 +19,7 @@ my $next_token = 0;
 
 # Perpetually correct access token for authenticating with v2 Identity Service API endpoints.
 # v2 endpoint calls to this identity server should include this value for their
-# `id_access_token` parameter
+# `access_token` parameter
 my $ID_ACCESS_TOKEN = "swordfish";
 
 sub _init
@@ -121,7 +121,7 @@ sub on_request
    elsif ( $path eq "/_matrix/identity/v2/3pid/bind" ) {
       $self->check_v2( $req ) and $self->on_bind( $req );
    }
-   elsif (  # v2 /unbind does not require an id_access_token param
+   elsif (  # v2 /unbind does not require an access_token param
       $path eq "/_matrix/identity/v2/3pid/unbind" or
       $path eq "/_matrix/identity/api/v1/3pid/unbind"
    ) {
@@ -137,47 +137,39 @@ sub on_request
 
    $server->check_v2 ( $req ) and do_something_else();
 
-A helper method that takes an HTTP request and checks if an C<id_access_token> parameter
-matching C<$ID_ACCESS_TOKEN> is present in either the query parameters or the top-level JSON of
-the request body.
+A helper method that takes an HTTP request and checks if an C<access_token> parameter
+matching C<$ID_ACCESS_TOKEN> is present in either the query parameters or the Authorization
+header (after the Bearer declaration).
 
-Returns C<0> or C<1> depending on whether a correct C<id_access_token> value was found.
+Returns C<0> or C<1> depending on whether a correct C<access_token> value was found.
 
-Responds to the HTTP request with an error message if no C<id_access_token> value was found.
+Responds to the HTTP request with an error message if no C<access_token> value was found.
 
 =cut
 
 sub check_v2
 {
-   # Check that either an id_access_token query parameter or JSON body key exists in the req
+   # Check that either an access_token query parameter or JSON body key exists in the req
    my $self = shift;
    my ( $req ) = @_;
    my %resp;
 
-   if (
-      $req->query_param("id_access_token") and
-      $req->query_param("id_access_token") eq $ID_ACCESS_TOKEN
-   ) {
+   my $query_param = $req->query_param("access_token");
+   if ( $query_param and $query_param eq $ID_ACCESS_TOKEN ) {
       # We found it!
       return 1;
    }
 
-   # Check the JSON body for the token. This isn't required for all endpoints so only try if
-   # the request has a body.
-   # We use an eval in case this request doesn't have a JSON body
-   my $body = eval { $req->body_from_json };
-
-   if (
-      $body and
-      $body->{id_access_token} and
-      $body->{id_access_token} eq $ID_ACCESS_TOKEN
-   ) {
+   # Check the Authorization header for the token
+   # Should be in the form Authorization: Bearer <access_token>
+   my $auth_header = $req->header("Authorization");
+   if ( $auth_header and $auth_header eq "Bearer " . $ID_ACCESS_TOKEN ) {
       # We found it!
       return 1;
    }
 
    # Couldn't find an access token
-   $resp{error} = "Missing id_access_token parameter";
+   $resp{error} = "Missing access_token parameter";
    $resp{errcode} = "M_MISSING_PARAM";
    $req->respond_json( \%resp, code => 400 );
    return 0;
