Require refresh_token on refresh token endpoint #1323
Merged
At API endpoint POST /_matrix/client/v3/refresh, the refresh_token field is not marked as required. This implies that the client is allowed to refresh an access token without specifying a refresh token - which doesn't really make any sense.

Implications
It is not specified how the server should behave if the client sends an empty object as the request body, and the idea of sending an empty object is quite nonsensical for this endpoint. To solve this issue, this pull request specifies that the refresh_token is required on the given API endpoint.

Implementations
refresh_token field.

Potential issues
Since the field has been specified as optional for a while, it is possible that a client has implemented a script that refreshes a long list of access tokens and then sends an empty object if no refresh token is available or supported. With the implementation of this bug fix, the expected response from a homeserver might change.
A given implementation might suggest smelly code if they intentionally send nonsensical requests to a homeserver, however, and I do not think that that is an issue worth considering.
Sign off
Signed-off-by: Bram van den Heuvel matrix-spec@noordstar.me
Preview: https://pr1323--matrix-spec-previews.netlify.app
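The behaviour the pull request pins down, shown as an added example that is not part of the pull request or of any Matrix homeserver: a minimal handler for POST /_matrix/client/v3/refresh that rejects a body without refresh_token, validates the field's type, and rotates the token on success. The in-memory TokenStore, the user id and the 300 000 ms lifetime are constructed for the example; the errcode values and the access_token / refresh_token / expires_in_ms response fields follow the Matrix client-server spec as I know it and are an assumption of this snippet, not text from the pull request.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    """Constructed stand-in for a homeserver's token table: refresh_token -> user_id."""
    refresh_tokens: dict = field(default_factory=dict)

    def issue(self, user_id: str) -> str:
        token = "syr_" + secrets.token_urlsafe(24)
        self.refresh_tokens[token] = user_id
        return token


def matrix_error(status: int, errcode: str, message: str):
    # Standard Matrix error envelope; errcode names assumed from the spec.
    return status, {"errcode": errcode, "error": message}


def handle_refresh(store: TokenStore, body, expires_in_ms: int = 300_000):
    """Validate a refresh request body and return (http_status, json_body).

    With refresh_token required, an empty object is now a well-defined
    client error instead of unspecified behaviour.
    """
    if not isinstance(body, dict):
        return matrix_error(400, "M_NOT_JSON", "Request body must be a JSON object")

    token = body.get("refresh_token")
    if token is None:
        # The case this pull request settles: missing field -> reject.
        return matrix_error(400, "M_MISSING_PARAM",
                            "Missing required field: refresh_token")
    if not isinstance(token, str) or not token:
        return matrix_error(400, "M_BAD_JSON", "refresh_token must be a non-empty string")

    # Refresh tokens are single use: consume the old one before issuing a new pair.
    user_id = store.refresh_tokens.pop(token, None)
    if user_id is None:
        return matrix_error(401, "M_UNKNOWN_TOKEN",
                            "Refresh token is unknown or has already been used")

    return 200, {
        "access_token": "syt_" + secrets.token_urlsafe(24),
        "refresh_token": store.issue(user_id),
        "expires_in_ms": expires_in_ms,
    }


if __name__ == "__main__":
    store = TokenStore()
    first = store.issue("@alice:example.org")  # constructed user
    print(handle_refresh(store, {}))             # 400 M_MISSING_PARAM
    print(handle_refresh(store, {"refresh_token": first})[0])  # 200
    print(handle_refresh(store, {"refresh_token": first})[0])  # 401, already consumed
```

The empty-object case is what the "Potential issues" section is about: a client script that used to post {} when it had no refresh token now receives a 400 with M_MISSING_PARAM rather than whatever a given homeserver happened to do before.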