fix: reject /register requests when there is no token and the type is appservice

2024-03-30 12:40:58 +00:00 · 2024-03-30 12:40:58 +00:00 · 8d70f69e62
commit 8d70f69e62
parent 9176474513
2 changed files with 11 additions and 3 deletions
--- a/src/api/client_server/account.rs
+++ b/src/api/client_server/account.rs
@ -3,7 +3,8 @@ use crate::{api::client_server, services, utils, Error, Result, Ruma};
 use ruma::{
    api::client::{
        account::{
-            change_password, deactivate, get_3pids, get_username_availability, register,
+            change_password, deactivate, get_3pids, get_username_availability,
+            register::{self, LoginType},
            request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
            whoami, ThirdPartyIdRemovalStatus,
        },
@ -84,6 +85,13 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
        ));
    }

+    if body.body.login_type == Some(LoginType::ApplicationService) && !body.from_appservice {
+        return Err(Error::BadRequest(
+            ErrorKind::MissingToken,
+            "Missing appservice token.",
+        ));
+    }
+
    let is_guest = body.kind == RegistrationKind::Guest;

    let user_id = match (&body.username, is_guest) {
--- a/src/api/client_server/session.rs
+++ b/src/api/client_server/session.rs
@ -118,8 +118,8 @@ pub async fn login_route(body: Ruma<login::v3::Request>) -> Result<login::v3::Re
        }) => {
            if !body.from_appservice {
                return Err(Error::BadRequest(
-                    ErrorKind::Forbidden,
-                    "Forbidden login type.",
+                    ErrorKind::MissingToken,
+                    "Missing appservice token.",
                ));
            };
            if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {