summary refs log tree commit diff
path: root/synapse/api/auth.py
diff options
context:
space:
mode:
authorreivilibre <oliverw@matrix.org>2022-05-05 13:39:59 +0100
committerGitHub <noreply@github.com>2022-05-05 13:39:59 +0100
commit07fa53ec40106b97ba2c12a2dcc5446325e5fb61 (patch)
treedca43eaa3fb5e735617730c94cb0f6f9c51d15a1 /synapse/api/auth.py
parentUse `docker/metadata-action` to generate docker image tags (#12573) (diff)
downloadsynapse-07fa53ec40106b97ba2c12a2dcc5446325e5fb61.tar.xz
Improve comments and error messages around access tokens. (#12577)
Diffstat (limited to 'synapse/api/auth.py')
-rw-r--r--synapse/api/auth.py19
1 files changed, 11 insertions, 8 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index f6202ef7a5..931750668e 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -417,7 +417,8 @@ class Auth:
         """
 
         if rights == "access":
-            # first look in the database
+            # First look in the database to see if the access token is present
+            # as an opaque token.
             r = await self.store.get_user_by_access_token(token)
             if r:
                 valid_until_ms = r.valid_until_ms
@@ -434,7 +435,8 @@ class Auth:
 
                 return r
 
-        # otherwise it needs to be a valid macaroon
+        # If the token isn't found in the database, then it could still be a
+        # macaroon, so we check that here.
         try:
             user_id, guest = self._parse_and_validate_macaroon(token, rights)
 
@@ -482,8 +484,12 @@ class Auth:
             TypeError,
             ValueError,
         ) as e:
-            logger.warning("Invalid macaroon in auth: %s %s", type(e), e)
-            raise InvalidClientTokenError("Invalid macaroon passed.")
+            logger.warning(
+                "Invalid access token in auth: %s %s.",
+                type(e),
+                e,
+            )
+            raise InvalidClientTokenError("Invalid access token passed.")
 
     def _parse_and_validate_macaroon(
         self, token: str, rights: str = "access"
@@ -504,10 +510,7 @@ class Auth:
         try:
             macaroon = pymacaroons.Macaroon.deserialize(token)
         except Exception:  # deserialize can throw more-or-less anything
-            # doesn't look like a macaroon: treat it as an opaque token which
-            # must be in the database.
-            # TODO: it would be nice to get rid of this, but apparently some
-            # people use access tokens which aren't macaroons
+            # The access token doesn't look like a macaroon.
             raise _InvalidMacaroonException()
 
         try: