fix: reject /register requests when there is no token and the type is appservice

src/api/client_server/account.rs

@@ -3,7 +3,8 @@ use crate::{api::client_server, services, utils, Error, Result, Ruma};
 use ruma::{
     api::client::{
         account::{
-            change_password, deactivate, get_3pids, get_username_availability, register,
+            change_password, deactivate, get_3pids, get_username_availability,
+            register::{self, LoginType},
             request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
             whoami, ThirdPartyIdRemovalStatus,
         },
@@ -84,6 +85,13 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
         ));
     }
 
+    if body.body.login_type == Some(LoginType::ApplicationService) && !body.from_appservice {
+        return Err(Error::BadRequest(
+            ErrorKind::MissingToken,
+            "Missing appservice token.",
+        ));
+    }
+
     let is_guest = body.kind == RegistrationKind::Guest;
 
     let user_id = match (&body.username, is_guest) {

src/api/client_server/session.rs

@@ -118,8 +118,8 @@ pub async fn login_route(body: Ruma<login::v3::Request>) -> Result<login::v3::Re
         }) => {
             if !body.from_appservice {
                 return Err(Error::BadRequest(
-                    ErrorKind::Forbidden,
+                    ErrorKind::MissingToken,
-                    "Forbidden login type.",
+                    "Missing appservice token.",
                 ));
             };
             if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {