This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Spec compliance: Logging in multiple times with same device ID does not invalidate old access tokens #6616

@aaronraimist


https://matrix.org/docs/spec/client_server/r0.6.0#relationship-between-access-tokens-and-devices says

[When logging in] If the client sets the device_id, the server will invalidate any access token previously assigned to that device. There is therefore at most one active access token assigned to each device at any one time.

You can reproduce with:

curl -XPOST -d '{"type":"m.login.password", "user":"xxx", "password":"yyy", "device_id":"MYDEVICE"}' "https://server.com/_matrix/client/r0/login"

curl -XPOST -d '{"type":"m.login.password", "user":"xxx", "password":"yyy", "device_id":"MYDEVICE"}' "https://server.com/_matrix/client/r0/login"

Two rows are created in the access_tokens table with the same device ID but different access tokens, both of which are valid.
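The invariant quoted from the spec and the behaviour reported above, side by side, as an added example that is not part of the original issue and is not Synapse code. The table layout is a simplified assumption (only the `access_tokens` name comes from the issue), the `login`, `is_valid` and `devices_with_multiple_tokens` helpers are hypothetical, and the user ID is constructed from the issue's placeholders.

```python
import secrets
import sqlite3

# Simplified stand-in for the access_tokens table (assumed columns, not Synapse's schema).
SCHEMA = """
CREATE TABLE access_tokens (
    id INTEGER PRIMARY KEY,
    user_id TEXT NOT NULL,
    device_id TEXT NOT NULL,
    token TEXT NOT NULL UNIQUE
);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def login(db, user_id, device_id, invalidate_old=True):
    """Issue a token; with invalidate_old, revoke the device's earlier tokens first."""
    token = secrets.token_urlsafe(32)
    with db:  # one transaction: the revocation and the insert commit together
        if invalidate_old:
            db.execute(
                "DELETE FROM access_tokens WHERE user_id = ? AND device_id = ?",
                (user_id, device_id),
            )
        db.execute(
            "INSERT INTO access_tokens (user_id, device_id, token) VALUES (?, ?, ?)",
            (user_id, device_id, token),
        )
    return token

def is_valid(db, token):
    row = db.execute("SELECT 1 FROM access_tokens WHERE token = ?", (token,)).fetchone()
    return row is not None

def devices_with_multiple_tokens(db):
    """Audit query: (user_id, device_id, count) for devices that break the invariant."""
    return db.execute(
        "SELECT user_id, device_id, COUNT(*) FROM access_tokens "
        "GROUP BY user_id, device_id HAVING COUNT(*) > 1"
    ).fetchall()

if __name__ == "__main__":
    for invalidate in (False, True):  # reported behaviour, then spec behaviour
        db = open_store()
        first = login(db, "@xxx:server.com", "MYDEVICE", invalidate)   # constructed user ID
        second = login(db, "@xxx:server.com", "MYDEVICE", invalidate)
        print(invalidate, is_valid(db, first), is_valid(db, second),
              devices_with_multiple_tokens(db))
```

The audit query is the useful part for an operator: any row it returns is a device holding more than one live token, which is the state the two `curl` calls above produce.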


Labels

- A-Spec-Compliance: places where synapse does not conform to the spec
- O-Frequent: Affects or can be seen by most users regularly or impacts most users' first experience
- S-Major: Major functionality / product severely impaired, no satisfactory workaround.
- Security
- T-Defect: Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
- z-bug: (Deprecated Label)
