Appservice API requires access_token to be in the query parameters #923
Labels: A-Application-Services (Issues affecting the AS API), security, wart (A point where the protocol is inconsistent or inelegant)
It's generally agreed upon that headers are a better place for tokens, to reduce accidental publishing of tokens in the logs. It would be nicer to support headers instead of insecure query parameters, but would require bridges and homeservers to both start using the new header.
Perhaps the best approach is for homeservers to start publishing it in both places, and deprecate query parameters. Once enough time has passed, we could drop query parameters entirely.
Unfortunately this does get into the weeds of versioning, as this would be a globally breaking change.
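The transition sketched above (homeserver sends the token in both places, appservice prefers the header, query parameter later dropped) as an added example; this is not code from the issue or from the matrix-spec project. It models the homeserver-to-appservice direction (the `hs_token` on `PUT /_matrix/app/v1/transactions/{txnId}`); the function names, the `send_query`/`send_header` flags and the hypothetical bridge URL are assumptions made for the example. The `access_log_line` helper reproduces the leak the issue is worried about: a proxy's request log records the path and query string but not the headers.

```python
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


def build_as_request(base_url: str, path: str, hs_token: str,
                     send_query: bool = True, send_header: bool = True) -> Tuple[str, Dict[str, str]]:
    """Homeserver side: build (url, headers) for a request to the appservice.

    During the deprecation period both flags are True; once bridges have moved
    over, send_query is turned off and the token leaves the URL for good.
    (Flags are an assumption of this example, not spec parameters.)
    """
    url = base_url.rstrip("/") + path
    headers: Dict[str, str] = {}
    if send_header:
        headers["Authorization"] = f"Bearer {hs_token}"
    if send_query:
        url += "?" + urlencode({"access_token": hs_token})
    return url, headers


def extract_hs_token(headers: Dict[str, str], url: str) -> Tuple[Optional[str], str]:
    """Appservice side: prefer the Authorization header, fall back to the query parameter.

    Returns (token, source) where source tells the caller which channel was used,
    so a bridge can log deprecation warnings for 'query' and later refuse it.
    """
    auth = headers.get("Authorization") or headers.get("authorization")
    if auth is not None:
        scheme, _, token = auth.partition(" ")
        if scheme.lower() == "bearer" and token.strip():
            return token.strip(), "header"
        # A present but unusable header is not silently downgraded to the query
        # parameter: that would let a mangled header quietly re-enable the old path.
        return None, "malformed-header"
    tokens = parse_qs(urlsplit(url).query).get("access_token")
    if tokens:
        return tokens[0], "query"
    return None, "missing"


def verify_request(headers: Dict[str, str], url: str, expected_hs_token: str) -> Tuple[bool, str]:
    """Check the presented token against the configured hs_token in constant time."""
    token, source = extract_hs_token(headers, url)
    ok = token is not None and hmac.compare_digest(token, expected_hs_token)
    return ok, source


def access_log_line(method: str, url: str, status: int) -> str:
    """What a typical reverse-proxy access log keeps of a request: method, target, status.

    Headers are not logged, the query string is, which is exactly why a token
    in the query string ends up in log files.
    """
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f"{method} {target} {status}"


if __name__ == "__main__":
    # Constructed example values; bridge.example is a placeholder, not a real bridge.
    url, hdrs = build_as_request("https://bridge.example", "/_matrix/app/v1/transactions/1", "hs_secret")
    print(access_log_line("PUT", url, 200))      # token visible in the log line
    print(verify_request(hdrs, url, "hs_secret"))  # (True, 'header')
```

A bridge that runs `verify_request` and sees `source == "query"` can emit a one-time warning during the deprecation window; flipping `send_query` to `False` on the homeserver then makes the log line above token-free without any change to the bridge.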