Send the appservice access token as a header. (#13996)

Implements MSC2832 by sending application service access tokens in the Authorization header. The access token is also still sent as a query parameter until the application service ecosystem has fully migrated to using headers. In the future this could be made opt-in, or removed completely.
2025-06-20 05:34:09 -04:00 · 2022-10-04 07:06:41 -04:00 · 2022-10-04 07:06:41 -04:00 · 27fa0fa698
commit 27fa0fa698
parent 1613857b90
3 changed files with 26 additions and 6 deletions
--- a/synapse/appservice/api.py
+++ b/synapse/appservice/api.py
@ -120,7 +120,11 @@ class ApplicationServiceApi(SimpleHttpClient):

        uri = service.url + ("/users/%s" % urllib.parse.quote(user_id))
        try:
-            response = await self.get_json(uri, {"access_token": service.hs_token})
+            response = await self.get_json(
+                uri,
+                {"access_token": service.hs_token},
+                headers={"Authorization": f"Bearer {service.hs_token}"},
+            )
            if response is not None:  # just an empty json object
                return True
        except CodeMessageException as e:
@ -140,7 +144,11 @@ class ApplicationServiceApi(SimpleHttpClient):

        uri = service.url + ("/rooms/%s" % urllib.parse.quote(alias))
        try:
-            response = await self.get_json(uri, {"access_token": service.hs_token})
+            response = await self.get_json(
+                uri,
+                {"access_token": service.hs_token},
+                headers={"Authorization": f"Bearer {service.hs_token}"},
+            )
            if response is not None:  # just an empty json object
                return True
        except CodeMessageException as e:
@ -181,7 +189,9 @@ class ApplicationServiceApi(SimpleHttpClient):
                **fields,
                b"access_token": service.hs_token,
            }
-            response = await self.get_json(uri, args=args)
+            response = await self.get_json(
+                uri, args=args, headers={"Authorization": f"Bearer {service.hs_token}"}
+            )
            if not isinstance(response, list):
                logger.warning(
                    "query_3pe to %s returned an invalid response %r", uri, response
@ -217,7 +227,11 @@ class ApplicationServiceApi(SimpleHttpClient):
                urllib.parse.quote(protocol),
            )
            try:
-                info = await self.get_json(uri, {"access_token": service.hs_token})
+                info = await self.get_json(
+                    uri,
+                    {"access_token": service.hs_token},
+                    headers={"Authorization": f"Bearer {service.hs_token}"},
+                )

                if not _is_valid_3pe_metadata(info):
                    logger.warning(
@ -313,6 +327,7 @@ class ApplicationServiceApi(SimpleHttpClient):
                uri=uri,
                json_body=body,
                args={"access_token": service.hs_token},
+                headers={"Authorization": f"Bearer {service.hs_token}"},
            )
            if logger.isEnabledFor(logging.DEBUG):
                logger.debug(