diff --git a/changelog.d/12577.misc b/changelog.d/12577.misc
new file mode 100644
index 0000000000..8c4c47ad52
--- /dev/null
+++ b/changelog.d/12577.misc
@@ -0,0 +1 @@
+Improve comments and error messages around access tokens.
\ No newline at end of file
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index f6202ef7a5..931750668e 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -417,7 +417,8 @@ class Auth:
"""
if rights == "access":
- # first look in the database
+ # First look in the database to see if the access token is present
+ # as an opaque token.
r = await self.store.get_user_by_access_token(token)
if r:
valid_until_ms = r.valid_until_ms
@@ -434,7 +435,8 @@ class Auth:
return r
- # otherwise it needs to be a valid macaroon
+ # If the token isn't found in the database, then it could still be a
+ # macaroon, so we check that here.
try:
user_id, guest = self._parse_and_validate_macaroon(token, rights)
@@ -482,8 +484,12 @@ class Auth:
TypeError,
ValueError,
) as e:
- logger.warning("Invalid macaroon in auth: %s %s", type(e), e)
- raise InvalidClientTokenError("Invalid macaroon passed.")
+ logger.warning(
+ "Invalid access token in auth: %s %s.",
+ type(e),
+ e,
+ )
+ raise InvalidClientTokenError("Invalid access token passed.")
def _parse_and_validate_macaroon(
self, token: str, rights: str = "access"
@@ -504,10 +510,7 @@ class Auth:
try:
macaroon = pymacaroons.Macaroon.deserialize(token)
except Exception: # deserialize can throw more-or-less anything
- # doesn't look like a macaroon: treat it as an opaque token which
- # must be in the database.
- # TODO: it would be nice to get rid of this, but apparently some
- # people use access tokens which aren't macaroons
+ # The access token doesn't look like a macaroon.
raise _InvalidMacaroonException()
try:
|
