From 34d0a50271f3e6e6e823602fb1e4e070e861e3c2 Mon Sep 17 00:00:00 2001
From: Jason Robinson <mail@jasonrobinson.me>
Date: Sun, 3 Jan 2021 01:21:55 +0200
Subject: [PATCH] Also allow appservice itself to auth with user_id

Appservice user_id + access token check needs to work both when user_id is the appservice and when appservice has the user in their user namespace.

Signed-off-by: Jason Robinson <mail@jasonrobinson.me>
---
 userapi/internal/api.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/userapi/internal/api.go b/userapi/internal/api.go
index 1b647a0df..cf588a40c 100644
--- a/userapi/internal/api.go
+++ b/userapi/internal/api.go
@@ -389,9 +389,10 @@ func (a *UserInternalAPI) queryAppServiceToken(ctx context.Context, token, appSe
 
 	if localpart != "" { // AS is masquerading as another user
 		// Verify that the user is registered
-		_, err := a.AccountDB.GetAccountByLocalpart(ctx, localpart)
-		// Verify that the account belongs to the appservice user namespaces
-		if err == nil && appService.IsInterestedInUserID(appServiceUserID) {
+		account, err := a.AccountDB.GetAccountByLocalpart(ctx, localpart)
+		// Verify that the account exists and either appServiceID matches or
+		// it belongs to the appservice user namespaces
+		if err == nil && (account.AppServiceID == appService.ID || appService.IsInterestedInUserID(appServiceUserID)) {
 			// Set the userID of dummy device
 			dev.UserID = appServiceUserID
 			return &dev, nil