Application service API sends both access_token and an authorization header with an empty key #358
Labels
No labels
Android
CS::needs customer feedback
CS::needs follow up
CS::needs on prem installation
CS::waiting
Chrome
Design:: Ready
Design:: in progress
Design::UX
E2EE
Edge
Firefox
GDPR
Iteration 13 IM
Linux
MacOS
Need::Discussion
Need::Steps to reproduce
Need::Upstream fix
Needs:: Planning
Needs::Dev-Team
Needs::More information
Needs::Priority
Needs::Product
Needs::Refinement
Needs::Severity
Priority::1-Critical
Priority::2-Max
Priority::3-Impending
Priority::4-High
Priority::5-Medium
Priority::6-Low
Priority::7-None
Progress::Backlog
Progress::Review
Progress::Started
Progress::Testing
Progress::Triage
Progress::Waiting
Reporter::Sentry
Safari
Target::Community
Target::Customer
Target::Internal
Target::PoC
Target::Security
Team:Customer-Success
Team:Design
Team:Infrastructure
Team:Instant-Messaging
Team:Product
Team:Workflows
Type::Bug
Type::Design
Type::Documentation
Type::Feature
Type::Improvement
Type::Support
Type::Tests
Windows
blocked
blocked-by-spec
cla-signed
conduit
contribution::advanced
contribution::easy
contribution::help needed
from::review
iOS
p::ti-tenant
performance
product::triage
proposal
refactor
release-blocker
s: dart_openapi_codegen
s::Famedly-Patient
s::Org-Directory
s::Passport-Generator
s::Requeuest
s:CRM
s:Famedly-App
s:Famedly-Web
s:Fhiroxide
s:Fhiroxide-cli
s:Fhiroxide-client
s:Fhirs
s:Hedwig
s:LISA
s:Matrix-Dart-SDK
s:Role-Manager
s:Synapse
s:User-Directory
s:WFS-Matrix
s:Workflow Engine
s:dtls
s:famedly-error
s:fcm-shared-isolate
s:matrix-api-lite
s:multiple-tab-detector
s:native-imaging
severity::1
severity::2
severity::3
severity::4
technical-debt
voip
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: Matthias/conduit#358
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Background
I am no means an expert on this, but I think there is a discrepancy here.
I was having a difficulty with integrating the matrix-hookshot bridge to conduit.
I realized that although the two docker containers can communicate, the bridge bot user was unresponsive, the bridge returned 401, Not authorized.
Therefore after a lot of elaboration I decided to eavesdrop the packets with tcpdump.
Crux of the issue
So I took a look at what the request is (I redacted things. Conduit is 172.21.0.2 Hookshot is 172.21.0.3, I listened on hookshot side.)
So the request has the access_token on the URI:
PUT /_matrix/app/v1/transactions/6CydR2%5FNNwEKP5DaSFAG6A00KZyHmMVX2gY7eHJcxCU?access_token=REDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTED HTTP/1.1\r\n
and an authorization header with empty Bearer string:
authorization: Bearer \r\n
The matrix_bot_sdk from Element checks implementation as:
https://github.com/vector-im/matrix-bot-sdk/blob/element-main/src/appservice/Appservice.ts#L647-L656
It seems that the sdk expects either the access_token or the authorization header, but not both.
changed the description
mentioned in merge request !486
mentioned in commit
63cbaedb79
Let me know if this works
Wow, thanks! Would it work on the docker installation? Or what should I do to try it out on one?
The CI is currently failing, but you the docker next image will be built as soon as it works again