Review comments and test fix

2025-12-20 21:33:19 -06:00 · 2020-06-16 13:51:34 +01:00 · 2020-06-16 13:51:34 +01:00 · 88aadedc59
parent 61e34d0184
commit 88aadedc59
3 changed files with 24 additions and 7 deletions
--- a/clientapi/auth/auth.go
+++ b/clientapi/auth/auth.go
@ -71,6 +71,14 @@ func VerifyUserFromRequest(
 		jsonErr := jsonerror.InternalServerError()
 		return nil, &jsonErr
 	}
+	if res.Err != nil {
+		if forbidden, ok := res.Err.(*api.ErrorForbidden); ok {
+			return nil, &util.JSONResponse{
+				Code: http.StatusForbidden,
+				JSON: jsonerror.Forbidden(forbidden.Message),
+			}
+		}
+	}
 	if res.Device == nil {
 		return nil, &util.JSONResponse{
 			Code: http.StatusUnauthorized,
--- a/userapi/api/api.go
+++ b/userapi/api/api.go
@ -25,13 +25,15 @@ type UserInternalAPI interface {
 // QueryAccessTokenRequest is the request for QueryAccessToken
 type QueryAccessTokenRequest struct {
 	AccessToken string
-	// optional user ID, valid only if the token is an appservice
+	// optional user ID, valid only if the token is an appservice.
+	// https://matrix.org/docs/spec/application_service/r0.1.2#using-sync-and-events
 	AppServiceUserID string
 }

 // QueryAccessTokenResponse is the response for QueryAccessToken
 type QueryAccessTokenResponse struct {
 	Device *Device
+	Err    error // e.g ErrorForbidden
 }

 // QueryProfileRequest is the request for QueryProfile
@ -64,3 +66,12 @@ type Device struct {
 	// TODO: display name, last used timestamp, keys, etc
 	DisplayName string
 }
+
+// ErrorForbidden is an error indicating that the supplied access token is forbidden
+type ErrorForbidden struct {
+	Message string
+}
+
+func (e *ErrorForbidden) Error() string {
+	return "Forbidden: " + e.Message
+}
--- a/userapi/internal/api.go
+++ b/userapi/internal/api.go
@ -58,12 +58,10 @@ func (a *UserInternalAPI) QueryProfile(ctx context.Context, req *api.QueryProfil
 }

 func (a *UserInternalAPI) QueryAccessToken(ctx context.Context, req *api.QueryAccessTokenRequest, res *api.QueryAccessTokenResponse) error {
-	appServiceDevice, err := a.queryAppServiceToken(ctx, req.AccessToken, req.AppServiceUserID)
-	if err != nil {
-		return err
-	}
-	if appServiceDevice != nil {
+	if req.AppServiceUserID != "" {
+		appServiceDevice, err := a.queryAppServiceToken(ctx, req.AccessToken, req.AppServiceUserID)
 		res.Device = appServiceDevice
+		res.Err = err
 		return nil
 	}
 	device, err := a.DeviceDB.GetDeviceByAccessToken(ctx, req.AccessToken)
@ -114,7 +112,7 @@ func (a *UserInternalAPI) queryAppServiceToken(ctx context.Context, token, appSe
 			dev.UserID = appServiceUserID
 			return &dev, nil
 		}
-		return nil, fmt.Errorf("appservice has not registered this user")
+		return nil, &api.ErrorForbidden{Message: "appservice has not registered this user"}
 	}

 	// AS is not masquerading as any user, so use AS's sender_localpart