diff --git a/changelog.d/12577.misc b/changelog.d/12577.misc new file mode 100644 index 000000000..8c4c47ad5 --- /dev/null +++ b/changelog.d/12577.misc @@ -0,0 +1 @@ +Improve comments and error messages around access tokens. \ No newline at end of file diff --git a/synapse/api/auth.py b/synapse/api/auth.py index f6202ef7a..931750668 100644 --- a/synapse/api/auth.py +++ b/synapse/api/auth.py @@ -417,7 +417,8 @@ class Auth: """ if rights == "access": - # first look in the database + # First look in the database to see if the access token is present + # as an opaque token. r = await self.store.get_user_by_access_token(token) if r: valid_until_ms = r.valid_until_ms @@ -434,7 +435,8 @@ class Auth: return r - # otherwise it needs to be a valid macaroon + # If the token isn't found in the database, then it could still be a + # macaroon, so we check that here. try: user_id, guest = self._parse_and_validate_macaroon(token, rights) @@ -482,8 +484,12 @@ class Auth: TypeError, ValueError, ) as e: - logger.warning("Invalid macaroon in auth: %s %s", type(e), e) - raise InvalidClientTokenError("Invalid macaroon passed.") + logger.warning( + "Invalid access token in auth: %s %s.", + type(e), + e, + ) + raise InvalidClientTokenError("Invalid access token passed.") def _parse_and_validate_macaroon( self, token: str, rights: str = "access" @@ -504,10 +510,7 @@ class Auth: try: macaroon = pymacaroons.Macaroon.deserialize(token) except Exception: # deserialize can throw more-or-less anything - # doesn't look like a macaroon: treat it as an opaque token which - # must be in the database. - # TODO: it would be nice to get rid of this, but apparently some - # people use access tokens which aren't macaroons + # The access token doesn't look like a macaroon. raise _InvalidMacaroonException() try: