From c8e9998e7f73bfbb633ff689cc08689c43b0bfd8 Mon Sep 17 00:00:00 2001
From: Tulir Asokan
Date: Mon, 15 Jan 2024 17:09:13 +0200
Subject: [PATCH] Drop support for legacy query param auth for appservices
---
 CHANGELOG.md | 3 +++
 appservice/http.go | 25 +++++++++----------------
 bridge/bridge.go | 2 +-
 3 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4c89c495..c17e5b16 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 * *(appservice)* Dropped support for legacy non-prefixed appservice paths (e.g. `/transactions` instead of `/_matrix/app/v1/transactions`).
+* *(appservice)* Dropped support for legacy `access_token` authorization in
+ appservice endpoints.
+* *(bridge)* Bumped minimum Matrix spec version to v1.4.
 ## v0.17.0 (2024-01-16)
diff --git a/appservice/http.go b/appservice/http.go
index 1d4c7f22..38bcecf8 100644
--- a/appservice/http.go
+++ b/appservice/http.go
@@ -82,27 +82,20 @@ func (as *AppService) Stop() {
 // CheckServerToken checks if the given request originated from the Matrix homeserver.
 func (as *AppService) CheckServerToken(w http.ResponseWriter, r *http.Request) (isValid bool) {
 authHeader := r.Header.Get("Authorization")
- if len(authHeader) > 0 && strings.HasPrefix(authHeader, "Bearer ") {
- isValid = authHeader[len("Bearer "):] == as.Registration.ServerToken
- } else {
- queryToken := r.URL.Query().Get("access_token")
- if len(queryToken) > 0 {
- isValid = queryToken == as.Registration.ServerToken
- } else {
- Error{
- ErrorCode: ErrUnknownToken,
- HTTPStatus: http.StatusForbidden,
- Message: "Missing access token",
- }.Write(w)
- return
- }
- }
- if !isValid {
+ if !strings.HasPrefix(authHeader, "Bearer ") {
+ Error{
+ ErrorCode: ErrUnknownToken,
+ HTTPStatus: http.StatusForbidden,
+ Message: "Missing access token",
+ }.Write(w)
+ } else if authHeader[len("Bearer "):] != as.Registration.ServerToken {
 Error{
 ErrorCode: ErrUnknownToken,
 HTTPStatus: http.StatusForbidden,
 Message: "Incorrect access token",
 }.Write(w)
+ } else {
+ isValid = true
 }
 return
 }
diff --git a/bridge/bridge.go b/bridge/bridge.go
index c41fba27..134582a2 100644
--- a/bridge/bridge.go
+++ b/bridge/bridge.go
@@ -291,7 +291,7 @@ func (br *Bridge) InitVersion(tag, commit, buildTime string) {
 br.BuildTime = buildTime
 }
-var MinSpecVersion = mautrix.SpecV11
+var MinSpecVersion = mautrix.SpecV14
 func (br *Bridge) ensureConnection(ctx context.Context) {
 for {
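Review bot: In appservice/http.go, the new `else if authHeader[len("Bearer "):] != as.Registration.ServerToken` branch of CheckServerToken compares the homeserver token with Go's ordinary string comparison, which is not guaranteed to take the same time for every mismatch, so response timing may in principle reveal how much of a presented token is correct. With the Authorization header now the only accepted credential, this is the single place to make the comparison constant-time: `} else if subtle.ConstantTimeCompare([]byte(authHeader[len("Bearer "):]), []byte(as.Registration.ServerToken)) != 1 {`, with `crypto/subtle` added to the file's imports, which are outside the hunk. ConstantTimeCompare still returns immediately on a length mismatch, which discloses only the token length. Registration loading is not visible here, so it is also worth confirming that an empty ServerToken is rejected before this check is reached.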