fix: reject /register requests when there is no token and the type is appservice

Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-03-31 10:16:29 -04:00 · 2024-03-31 10:16:29 -04:00 · c61aee4f1c
commit c61aee4f1c
parent 7a1a271518
2 changed files with 7 additions and 6 deletions
--- a/src/api/client_server/account.rs
+++ b/src/api/client_server/account.rs
@ -2,7 +2,8 @@ use register::RegistrationKind;
 use ruma::{
 	api::client::{
 		account::{
-			change_password, deactivate, get_3pids, get_username_availability, register,
+			change_password, deactivate, get_3pids, get_username_availability,
+			register::{self, LoginType},
 			request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn, whoami,
 			ThirdPartyIdRemovalStatus,
 		},
@ -91,6 +92,10 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
 		return Err(Error::BadRequest(ErrorKind::Forbidden, "Registration has been disabled."));
 	}

+	if body.body.login_type == Some(LoginType::ApplicationService) && !body.from_appservice {
+		return Err(Error::BadRequest(ErrorKind::MissingToken, "Missing Appservice token."));
+	}
+
 	let is_guest = body.kind == RegistrationKind::Guest;

 	if is_guest
--- a/src/api/client_server/session.rs
+++ b/src/api/client_server/session.rs
@ -145,11 +145,7 @@ pub async fn login_route(body: Ruma<login::v3::Request>) -> Result<login::v3::Re
 		}) => {
 			debug!("Got appservice login type");
 			if !body.from_appservice {
-				info!(
-					"User tried logging in as an appservice, but request body is not from a known/registered \
-					 appservice"
-				);
-				return Err(Error::BadRequest(ErrorKind::Forbidden, "Forbidden login type."));
+				return Err(Error::BadRequest(ErrorKind::MissingToken, "Missing Appservice token."));
 			};
 			let username = if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
 				user_id.to_lowercase()