diff --git a/include/ircd/m/resource.h b/include/ircd/m/resource.h index 6cbb034e5..ba2eef526 100644 --- a/include/ircd/m/resource.h +++ b/include/ircd/m/resource.h @@ -44,10 +44,12 @@ struct ircd::m::resource::request { template struct object; - string_view origin; - string_view node_id; - string_view access_token; - m::user::id::buf user_id; + pair authorization; // proffering any + string_view access_token; // proffering user + m::request::x_matrix x_matrix; // proferring server + string_view node_id; // authenticated server + string_view origin; // authenticated server + m::user::id::buf user_id; // authenticated user request(const method &, const client &, ircd::resource::request &r); request() = default; diff --git a/matrix/resource.cc b/matrix/resource.cc index 35cb6a2be..633a27fd3 100644 --- a/matrix/resource.cc +++ b/matrix/resource.cc @@ -137,11 +137,27 @@ ircd::m::resource::request::request(const method &method, { r } -,origin +,authorization { - //NOTE: may be assigned by authenticate_user() + split(head.authorization, ' ') +} +,access_token +{ + iequals(authorization.first, "Bearer"_sv)? + authorization.second: + query["access_token"] +} +,x_matrix +{ + !access_token && iequals(authorization.first, "X-Matrix"_sv)? + m::request::x_matrix{authorization.first, authorization.second}: + m::request::x_matrix{} } ,node_id +{ + //NOTE: may be assigned by authenticate_node() +} +,origin { // Server X-Matrix header verified here. Similar to client auth, origin // which has been authed is referenced in the client.request. If the method @@ -151,10 +167,6 @@ ircd::m::resource::request::request(const method &method, // apropos for this request (i.e a client request rather than federation). authenticate_node(method, client, *this) } -,access_token -{ - //NOTE: may be assigned by authenticate_user() -} ,user_id { // Client access token verified here. On success, user_id owning the token @@ -175,39 +187,23 @@ ircd::m::authenticate_user(const resource::method &method, const client &client, resource::request &request) { - request.access_token = - { - request.query["access_token"] - }; - - if(empty(request.access_token)) - { - const auto authorization - { - split(request.head.authorization, ' ') - }; - - if(iequals(authorization.first, "bearer"_sv)) - request.access_token = authorization.second; - } - assert(method.opts); const auto requires_auth { method.opts->flags & resource::method::REQUIRES_AUTH }; - if(!request.access_token && requires_auth) + m::user::id::buf ret; + if(!request.access_token && !requires_auth) + return ret; + + if(!request.access_token) throw m::error { http::UNAUTHORIZED, "M_MISSING_TOKEN", "Credentials for this method are required but missing." }; - m::user::id::buf ret; - if(!request.access_token) - return ret; - static const m::event::fetch::opts fopts { m::event::keys::include {"sender"} @@ -252,14 +248,9 @@ try method.opts->flags & resource::method::VERIFY_ORIGIN }; - const auto authorization - { - split(request.head.authorization, ' ') - }; - const bool supplied { - iequals(authorization.first, "X-Matrix"_sv) + !empty(x_matrix.origin) }; if(!required && !supplied) @@ -280,14 +271,13 @@ try request.head.host }; - const m::request::x_matrix x_matrix - { - request.head.authorization - }; - const m::request object { - x_matrix.origin, request.head.host, method.name, request.head.uri, request.content + x_matrix.origin, + request.head.host, + method.name, + request.head.uri, + request.content }; if(x_matrix_verify_origin && !object.verify(x_matrix.key, x_matrix.sig)) @@ -297,9 +287,8 @@ try "The X-Matrix Authorization is invalid." }; - request.origin = x_matrix.origin; request.node_id = request.origin; //TODO: remove request.node_id. - return request.origin; + return x_matrix.origin; } catch(const m::error &) {