Merge pull request #2037 from matrix-org/travis/1.0/appservice-hs-token

turt2live · web-flow · commit 76829ad988a2 · 2019-05-28T12:56:28.000-06:00
Clarify how homeservers are meant to auth themselves to appservices
diff --git a/changelogs/application_service/newsfragments/2037.clarification b/changelogs/application_service/newsfragments/2037.clarification
@@ -0,0 +1 @@
+Add missing definition for how appservices verify requests came from a homeserver.
diff --git a/specification/application_service_api.rst b/specification/application_service_api.rst
@@ -187,6 +187,15 @@ An example registration file for an IRC-bridging application service is below:
 Homeserver -> Application Service API
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+Authorization
++++++++++++++
+
+Homeservers MUST include a query parameter named ``access_token`` containing the
+``hs_token`` from the application service's registration when making requests to
+the application service. Application services MUST verify the provided ``access_token``
+matches their known ``hs_token``, failing the request with a ``M_FORBIDDEN`` error
+if it does not match.
+
 Legacy routes
 +++++++++++++
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Add missing definition for how appservices verify requests came from a homeserver.`