Make userapi responsible for checking access tokens (#1133)

* Make userapi responsible for checking access tokens There's still plenty of dependencies on account/device DBs, but this is a start. This is a breaking change as it adds a required config value `listen.user_api`. * Cleanup * Review comments and test fix
2025-08-01 22:02:46 +00:00 · 2020-06-16 14:10:55 +01:00 · 2020-06-16 14:10:55 +01:00 · 9c77022513
commit 9c77022513
parent 57b7fa3db8
66 changed files with 421 additions and 400 deletions
--- a/userapi/api/api.go
+++ b/userapi/api/api.go
@ -19,6 +19,21 @@ import "context"
 // UserInternalAPI is the internal API for information about users and devices.
 type UserInternalAPI interface {
 	QueryProfile(ctx context.Context, req *QueryProfileRequest, res *QueryProfileResponse) error
+	QueryAccessToken(ctx context.Context, req *QueryAccessTokenRequest, res *QueryAccessTokenResponse) error
+}
+
+// QueryAccessTokenRequest is the request for QueryAccessToken
+type QueryAccessTokenRequest struct {
+	AccessToken string
+	// optional user ID, valid only if the token is an appservice.
+	// https://matrix.org/docs/spec/application_service/r0.1.2#using-sync-and-events
+	AppServiceUserID string
+}
+
+// QueryAccessTokenResponse is the response for QueryAccessToken
+type QueryAccessTokenResponse struct {
+	Device *Device
+	Err    error // e.g ErrorForbidden
 }

 // QueryProfileRequest is the request for QueryProfile
@ -29,10 +44,34 @@ type QueryProfileRequest struct {

 // QueryProfileResponse is the response for QueryProfile
 type QueryProfileResponse struct {
-	// True if the user has been created. Querying for a profile does not create them.
+	// True if the user exists. Querying for a profile does not create them.
 	UserExists bool
 	// The current display name if set.
 	DisplayName string
 	// The current avatar URL if set.
 	AvatarURL string
 }
+
+// Device represents a client's device (mobile, web, etc)
+type Device struct {
+	ID     string
+	UserID string
+	// The access_token granted to this device.
+	// This uniquely identifies the device from all other devices and clients.
+	AccessToken string
+	// The unique ID of the session identified by the access token.
+	// Can be used as a secure substitution in places where data needs to be
+	// associated with access tokens.
+	SessionID int64
+	// TODO: display name, last used timestamp, keys, etc
+	DisplayName string
+}
+
+// ErrorForbidden is an error indicating that the supplied access token is forbidden
+type ErrorForbidden struct {
+	Message string
+}
+
+func (e *ErrorForbidden) Error() string {
+	return "Forbidden: " + e.Message
+}