Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

submit_url authentication unclear #2298

Closed
jryans opened this issue Sep 20, 2019 · 1 comment · Fixed by #2341
Closed

submit_url authentication unclear #2298

jryans opened this issue Sep 20, 2019 · 1 comment · Fixed by #2341
Assignees
@turt2live
Labels
clarification An area where the spec could do with being more explicit client-server Client-Server API
Milestone
r0.6.0 final clar...

Comments

@jryans
Copy link
Contributor

jryans commented Sep 20, 2019

For requestToken APIs, the spec says they may return submit_url "with identical parameters to the Identity Service API's POST /validate/email/submitToken endpoint".

That was likely clear when written, but now with MSC2140 having added a v2 IS API that also layers on auth, it has become less clear.

(I would assume this intention is for such URLs to be called as if they were a v1 IS API, so no authentication.)
@jryans jryans added clarification An area where the spec could do with being more explicit client-server Client-Server API labels Sep 20, 2019
@turt2live turt2live added this to the r0.6.0 final clarifications milestone Nov 4, 2019
@turt2live turt2live self-assigned this Nov 4, 2019
@turt2live
Copy link
Member

it is indeed not authenticated because the other parameters identify the requester.

turt2live added a commit that referenced this issue Nov 4, 2019
@turt2live
Clarify that submit_url is without authentication
e95eafb 
The request is authorized by its parameters, not by an additional access token.

Fixes #2298
@turt2live turt2live mentioned this issue Nov 4, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@turt2live turt2live

Labels
clarification An area where the spec could do with being more explicit client-server Client-Server API
Projects
None yet
Milestone
r0.6.0 final clarifications
Development

Successfully merging a pull request may close this issue.

Clarify that submit_url is without authentication matrix-org/matrix-spec-proposals
2 participants
@jryans @turt2live