src/api/router/auth.rs

use std::any::{Any, TypeId};

use conduwuit::{Err, Result, err};
use ruma::{
	DeviceId, OwnedDeviceId, OwnedServerName, OwnedUserId, UserId,
	api::{
		IncomingRequest,
		auth_scheme::{
			AccessToken, AccessTokenOptional, AppserviceToken, AppserviceTokenOptional,
			AuthScheme, NoAccessToken, NoAuthentication,
		},
		client,
		federation::authentication::ServerSignatures,
	},
};
use service::{
	Services,
	server_keys::{PubKeyMap, PubKeys},
};

use crate::{router::args::AuthQueryParams, service::appservice::RegistrationInfo};

pub(crate) enum ClientIdentity {
	User {
		sender_user: OwnedUserId,
		sender_device: OwnedDeviceId,
	},
	Appservice {
		sender_user: OwnedUserId,
		sender_device: Option<OwnedDeviceId>,
		appservice_info: RegistrationInfo,
	},
}

impl ClientIdentity {
	pub(crate) fn sender_user(&self) -> &UserId {
		match self {
			| Self::User { sender_user, .. } | Self::Appservice { sender_user, .. } =>
				sender_user,
		}
	}

	pub(crate) fn sender_device(&self) -> Option<&DeviceId> {
		match self {
			| Self::User { sender_device, .. } => Some(sender_device),
			| Self::Appservice { sender_device, .. } => sender_device.as_deref(),
		}
	}

	pub(crate) fn expect_sender_device(&self) -> Result<&DeviceId> {
		self.sender_device().ok_or_else(|| {
			err!(Request(Forbidden("Appservices must masquerade to use this endpoint")))
		})
	}

	pub(crate) fn appservice_info(&self) -> Option<&RegistrationInfo> {
		match self {
			| Self::User { .. } => None,
			| Self::Appservice { appservice_info, .. } => Some(appservice_info),
		}
	}

	pub(crate) fn is_appservice(&self) -> bool { matches!(self, Self::Appservice { .. }) }
}

pub(crate) trait CheckAuth: AuthScheme {
	type Identity: Send;

	fn authenticate<R: IncomingRequest + Any, B: AsRef<[u8]> + Sync>(
		services: &Services,
		incoming_request: &hyper::Request<B>,
		query: AuthQueryParams,
	) -> impl Future<Output = Result<Self::Identity>> + Send {
		async move {
			let route = TypeId::of::<R>();

			let output = Self::extract_authentication(incoming_request).map_err(|err| {
				err!(Request(Unauthorized(warn!(
					"Failed to extract authorization: {}",
					err.into()
				))))
			})?;

			Self::verify(services, output, incoming_request, query, route).await
		}
	}

	fn verify<B: AsRef<[u8]> + Sync>(
		services: &Services,
		output: Self::Output,
		request: &hyper::Request<B>,
		query: AuthQueryParams,
		route: TypeId,
	) -> impl Future<Output = Result<Self::Identity>> + Send;
}

impl CheckAuth for ServerSignatures {
	type Identity = OwnedServerName;

	async fn verify<B: AsRef<[u8]> + Sync>(
		services: &Services,
		output: Self::Output,
		request: &hyper::Request<B>,
		_query: AuthQueryParams,
		_route: TypeId,
	) -> Result<Self::Identity> {
		let destination = services.globals.server_name();
		if output
			.destination
			.as_ref()
			.is_some_and(|supplied_destination| supplied_destination != destination)
		{
			return Err!(Request(Unauthorized("Destination mismatch.")));
		}

		let key = services
			.server_keys
			.get_verify_key(&output.origin, &output.key)
			.await
			.map_err(|e| {
				err!(Request(Unauthorized(warn!("Failed to fetch signing keys: {e}"))))
			})?;

		let keys: PubKeys = [(output.key.to_string(), key.key)].into();
		let keys: PubKeyMap = [(output.origin.as_str().into(), keys)].into();

		match output.verify_request(request, destination, &keys) {
			| Ok(()) => {
				if services
					.moderation
					.is_remote_server_forbidden(&output.origin)
				{
					return Err!(Request(Forbidden(
						"You are blocked from federating with this server."
					)));
				}

				Ok(output.origin)
			},
			| Err(err) =>
				Err!(Request(Unauthorized(warn!("Failed to verify X-Matrix header: {err}")))),
		}
	}
}

impl CheckAuth for AccessToken {
	type Identity = ClientIdentity;

	async fn verify<B: AsRef<[u8]> + Sync>(
		services: &Services,
		output: Self::Output,
		_request: &hyper::Request<B>,
		query: AuthQueryParams,
		route: TypeId,
	) -> Result<Self::Identity> {
		if let Ok((sender_user, sender_device)) = services.users.find_from_token(&output).await {
			// Locked users can only use /logout and /logout/all
			if services
				.users
				.is_locked(&sender_user)
				.await
				.is_ok_and(std::convert::identity)
			{
				if !(route == TypeId::of::<client::session::logout::v3::Request>()
					|| route == TypeId::of::<client::session::logout_all::v3::Request>())
				{
					return Err!(Request(Unauthorized("Your account is locked.")));
				}
			}

			Ok(ClientIdentity::User { sender_user, sender_device })
		} else if let Ok(appservice_info) = services.appservice.find_from_token(&output).await {
			let Ok(sender_user) = query.user_id.clone().map_or_else(
				|| {
					UserId::parse_with_server_name(
						appservice_info.registration.sender_localpart.as_str(),
						services.globals.server_name(),
					)
				},
				UserId::parse,
			) else {
				return Err!(Request(InvalidUsername("Username is invalid.")));
			};

			if !appservice_info.is_user_match(&sender_user) {
				return Err!(Request(Exclusive("User is not in namespace.")));
			}

			// MSC3202/MSC4190: Handle device_id masquerading for appservices.
			// The device_id can be provided via `device_id` or
			// `org.matrix.msc3202.device_id` query parameter.
			let sender_device =
				if let Some(device_id) = query.device_id.as_deref().map(Into::into) {
					// Verify the device exists for this user
					if services
						.users
						.get_device_metadata(&sender_user, device_id)
						.await
						.is_err()
					{
						return Err!(Request(Forbidden(
							"Device does not exist for user or appservice cannot masquerade as \
							 this device."
						)));
					}

					Some(device_id.to_owned())
				} else {
					None
				};

			Ok(ClientIdentity::Appservice {
				sender_user,
				sender_device,
				appservice_info,
			})
		} else {
			return Err!(Request(Unauthorized("Invalid access token.")));
		}
	}
}

impl CheckAuth for AccessTokenOptional {
	type Identity = Option<ClientIdentity>;

	async fn verify<B: AsRef<[u8]> + Sync>(
		services: &Services,
		output: Self::Output,
		request: &hyper::Request<B>,
		query: AuthQueryParams,
		route: TypeId,
	) -> Result<Self::Identity> {
		match output {
			| Some(token) =>
				<AccessToken as CheckAuth>::verify(services, token, request, query, route)
					.await
					.map(Some),
			| None => Ok(None),
		}
	}
}

impl CheckAuth for AppserviceToken {
	type Identity = RegistrationInfo;

	async fn verify<B: AsRef<[u8]> + Sync>(
		services: &Services,
		output: Self::Output,
		_request: &hyper::Request<B>,
		_query: AuthQueryParams,
		_route: TypeId,
	) -> Result<Self::Identity> {
		let Ok(appservice_info) = services.appservice.find_from_token(&output).await else {
			return Err!(Request(Unauthorized("Invalid appservice token.")));
		};

		Ok(appservice_info)
	}
}

impl CheckAuth for AppserviceTokenOptional {
	type Identity = Option<RegistrationInfo>;

	async fn verify<B: AsRef<[u8]> + Sync>(
		services: &Services,
		output: Self::Output,
		request: &hyper::Request<B>,
		query: AuthQueryParams,
		route: TypeId,
	) -> Result<Self::Identity> {
		match output {
			| Some(token) =>
				<AppserviceToken as CheckAuth>::verify(services, token, request, query, route)
					.await
					.map(Some),
			| None => Ok(None),
		}
	}
}

impl CheckAuth for NoAuthentication {
	type Identity = ();

	async fn verify<B: AsRef<[u8]> + Sync>(
		_services: &Services,
		_output: Self::Output,
		_request: &hyper::Request<B>,
		_query: AuthQueryParams,
		_route: TypeId,
	) -> Result<Self::Identity> {
		Ok(())
	}
}

impl CheckAuth for NoAccessToken {
	type Identity = Option<ClientIdentity>;

	async fn verify<B: AsRef<[u8]> + Sync>(
		services: &Services,
		_output: Self::Output,
		request: &hyper::Request<B>,
		query: AuthQueryParams,
		route: TypeId,
	) -> Result<Self::Identity> {
		// We handle these the same as AccessTokenOptional
		let token = AccessTokenOptional::extract_authentication(request).map_err(|err| {
			err!(Request(Unauthorized(warn!("Failed to extract authorization: {}", err))))
		})?;

		// Check special access restrictions
		if (route == TypeId::of::<client::profile::get_avatar_url::v3::Request>()
			|| route == TypeId::of::<client::profile::get_display_name::v3::Request>()
			|| route == TypeId::of::<client::profile::get_profile_field::v3::Request>()
			|| route == TypeId::of::<client::profile::get_profile::v3::Request>())
			&& services.config.require_auth_for_profile_requests
			&& token.is_none()
		{
			return Err!(Request(Unauthorized(
				"This server requires authentication to access user profiles."
			)));
		}

		<AccessTokenOptional as CheckAuth>::verify(services, token, request, query, route).await
	}
}
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`use std::any::{Any, TypeId};`

			`use conduwuit::{Err, Result, err};`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00			`use ruma::{`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`DeviceId, OwnedDeviceId, OwnedServerName, OwnedUserId, UserId,`
add `require_auth_for_profile_requests` config option, check endpoint metadata instead of request string 2024-10-26 12:32:47 -04:00			`api::{`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`IncomingRequest,`
			`auth_scheme::{`
			`AccessToken, AccessTokenOptional, AppserviceToken, AppserviceTokenOptional,`
			`AuthScheme, NoAccessToken, NoAuthentication,`
add `require_auth_for_profile_requests` config option, check endpoint metadata instead of request string 2024-10-26 12:32:47 -04:00			`},`
fix: Restore functionality of `require_auth_for_profile_requests` 2026-05-20 11:54:09 -04:00			`client,`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`federation::authentication::ServerSignatures,`
add `require_auth_for_profile_requests` config option, check endpoint metadata instead of request string 2024-10-26 12:32:47 -04:00			`},`
Refactor server_keys service/interface and related callsites 2024-10-11 18:57:59 +00:00			`};`
			`use service::{`
			`Services,`
run cargo fix for rust 2024 changes and rustfmt 2025-02-23 01:17:45 -05:00			`server_keys::{PubKeyMap, PubKeys},`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00			`};`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`use crate::{router::args::AuthQueryParams, service::appservice::RegistrationInfo};`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`pub(crate) enum ClientIdentity {`
			`User {`
			`sender_user: OwnedUserId,`
			`sender_device: OwnedDeviceId,`
			`},`
			`Appservice {`
			`sender_user: OwnedUserId,`
			`sender_device: Option<OwnedDeviceId>,`
			`appservice_info: RegistrationInfo,`
			`},`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00			`}`

refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`impl ClientIdentity {`
			`pub(crate) fn sender_user(&self) -> &UserId {`
			`match self {`
			`\| Self::User { sender_user, .. } \| Self::Appservice { sender_user, .. } =>`
			`sender_user,`
			`}`
			`}`

			`pub(crate) fn sender_device(&self) -> Option<&DeviceId> {`
			`match self {`
			`\| Self::User { sender_device, .. } => Some(sender_device),`
			`\| Self::Appservice { sender_device, .. } => sender_device.as_deref(),`
			`}`
			`}`

			`pub(crate) fn expect_sender_device(&self) -> Result<&DeviceId> {`
			`self.sender_device().ok_or_else(\|\| {`
			`err!(Request(Forbidden("Appservices must masquerade to use this endpoint")))`
			`})`
			`}`

			`pub(crate) fn appservice_info(&self) -> Option<&RegistrationInfo> {`
			`match self {`
			`\| Self::User { .. } => None,`
			`\| Self::Appservice { appservice_info, .. } => Some(appservice_info),`
			`}`
			`}`

			`pub(crate) fn is_appservice(&self) -> bool { matches!(self, Self::Appservice { .. }) }`
			`}`

			`pub(crate) trait CheckAuth: AuthScheme {`
			`type Identity: Send;`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`fn authenticate<R: IncomingRequest + Any, B: AsRef<[u8]> + Sync>(`
			`services: &Services,`
			`incoming_request: &hyper::Request<B>,`
			`query: AuthQueryParams,`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`) -> impl Future<Output = Result<Self::Identity>> + Send {`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`async move {`
			`let route = TypeId::of::<R>();`

chore: Clippy fixes 2026-04-13 18:31:16 -04:00			`let output = Self::extract_authentication(incoming_request).map_err(\|err\| {`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`err!(Request(Unauthorized(warn!(`
			`"Failed to extract authorization: {}",`
			`err.into()`
			`))))`
			`})?;`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`Self::verify(services, output, incoming_request, query, route).await`
fix edition 2024 lints 2025-02-25 18:38:12 +00:00			`}`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00			`}`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`fn verify<B: AsRef<[u8]> + Sync>(`
			`services: &Services,`
			`output: Self::Output,`
			`request: &hyper::Request<B>,`
			`query: AuthQueryParams,`
			`route: TypeId,`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`) -> impl Future<Output = Result<Self::Identity>> + Send;`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00			`}`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`impl CheckAuth for ServerSignatures {`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`type Identity = OwnedServerName;`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`async fn verify<B: AsRef<[u8]> + Sync>(`
			`services: &Services,`
			`output: Self::Output,`
			`request: &hyper::Request<B>,`
			`_query: AuthQueryParams,`
			`_route: TypeId,`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`) -> Result<Self::Identity> {`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`let destination = services.globals.server_name();`
			`if output`
			`.destination`
			`.as_ref()`
			`.is_some_and(\|supplied_destination\| supplied_destination != destination)`
			`{`
			`return Err!(Request(Unauthorized("Destination mismatch.")));`
			`}`

			`let key = services`
			`.server_keys`
			`.get_verify_key(&output.origin, &output.key)`
			`.await`
			`.map_err(\|e\| {`
			`err!(Request(Unauthorized(warn!("Failed to fetch signing keys: {e}"))))`
			`})?;`
Refactor server_keys service/interface and related callsites 2024-10-11 18:57:59 +00:00
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`let keys: PubKeys = [(output.key.to_string(), key.key)].into();`
			`let keys: PubKeyMap = [(output.origin.as_str().into(), keys)].into();`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`match output.verify_request(request, destination, &keys) {`
fix: Properly check `forbidden_remote_server_names` for incoming requests 2026-05-20 12:39:39 -04:00			`\| Ok(()) => {`
			`if services`
			`.moderation`
			`.is_remote_server_forbidden(&output.origin)`
			`{`
fix: Correct error code 2026-05-20 12:57:46 -04:00			`return Err!(Request(Forbidden(`
fix: Properly check `forbidden_remote_server_names` for incoming requests 2026-05-20 12:39:39 -04:00			`"You are blocked from federating with this server."`
			`)));`
			`}`

refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`Ok(output.origin)`
fix: Properly check `forbidden_remote_server_names` for incoming requests 2026-05-20 12:39:39 -04:00			`},`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`\| Err(err) =>`
			`Err!(Request(Unauthorized(warn!("Failed to verify X-Matrix header: {err}")))),`
			`}`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00			`}`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`}`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`impl CheckAuth for AccessToken {`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`type Identity = ClientIdentity;`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`async fn verify<B: AsRef<[u8]> + Sync>(`
			`services: &Services,`
			`output: Self::Output,`
			`_request: &hyper::Request<B>,`
fix: Fix appservice authentication 2026-04-29 09:09:09 -04:00			`query: AuthQueryParams,`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`route: TypeId,`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`) -> Result<Self::Identity> {`
			`if let Ok((sender_user, sender_device)) = services.users.find_from_token(&output).await {`
			`// Locked users can only use /logout and /logout/all`
			`if services`
			`.users`
			`.is_locked(&sender_user)`
			`.await`
			`.is_ok_and(std::convert::identity)`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`{`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`if !(route == TypeId::of::<client::session::logout::v3::Request>()`
			`\|\| route == TypeId::of::<client::session::logout_all::v3::Request>())`
fix: Fix appservice authentication 2026-04-29 09:09:09 -04:00			`{`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`return Err!(Request(Unauthorized("Your account is locked.")));`
fix: Fix appservice authentication 2026-04-29 09:09:09 -04:00			`}`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`}`
fix: Fix appservice authentication 2026-04-29 09:09:09 -04:00
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`Ok(ClientIdentity::User { sender_user, sender_device })`
			`} else if let Ok(appservice_info) = services.appservice.find_from_token(&output).await {`
			`let Ok(sender_user) = query.user_id.clone().map_or_else(`
			`\|\| {`
			`UserId::parse_with_server_name(`
			`appservice_info.registration.sender_localpart.as_str(),`
			`services.globals.server_name(),`
			`)`
			`},`
			`UserId::parse,`
			`) else {`
			`return Err!(Request(InvalidUsername("Username is invalid.")));`
			`};`
fix: Fix appservice authentication 2026-04-29 09:09:09 -04:00
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`if !appservice_info.is_user_match(&sender_user) {`
			`return Err!(Request(Exclusive("User is not in namespace.")));`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`}`
feat(appservices): MSC3202 Device masquerading for appservices 2026-02-21 23:21:58 +00:00
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`// MSC3202/MSC4190: Handle device_id masquerading for appservices.`
			// The device_id can be provided via `device_id` or
			// `org.matrix.msc3202.device_id` query parameter.
			`let sender_device =`
			`if let Some(device_id) = query.device_id.as_deref().map(Into::into) {`
			`// Verify the device exists for this user`
			`if services`
			`.users`
			`.get_device_metadata(&sender_user, device_id)`
			`.await`
			`.is_err()`
			`{`
			`return Err!(Request(Forbidden(`
			`"Device does not exist for user or appservice cannot masquerade as \`
			`this device."`
			`)));`
			`}`

			`Some(device_id.to_owned())`
			`} else {`
			`None`
			`};`

			`Ok(ClientIdentity::Appservice {`
			`sender_user,`
			`sender_device,`
			`appservice_info,`
			`})`
			`} else {`
			`return Err!(Request(Unauthorized("Invalid access token.")));`
			`}`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`}`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00			`}`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`impl CheckAuth for AccessTokenOptional {`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`type Identity = Option<ClientIdentity>;`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`async fn verify<B: AsRef<[u8]> + Sync>(`
			`services: &Services,`
			`output: Self::Output,`
			`request: &hyper::Request<B>,`
			`query: AuthQueryParams,`
			`route: TypeId,`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`) -> Result<Self::Identity> {`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`match output {`
			`\| Some(token) =>`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`<AccessToken as CheckAuth>::verify(services, token, request, query, route)`
			`.await`
			`.map(Some),`
			`\| None => Ok(None),`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`}`
			`}`
			`}`
Refactor server_keys service/interface and related callsites 2024-10-11 18:57:59 +00:00
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`impl CheckAuth for AppserviceToken {`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`type Identity = RegistrationInfo;`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`async fn verify<B: AsRef<[u8]> + Sync>(`
			`services: &Services,`
			`output: Self::Output,`
			`_request: &hyper::Request<B>,`
fix: Fix appservice authentication 2026-04-29 09:09:09 -04:00			`_query: AuthQueryParams,`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`_route: TypeId,`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`) -> Result<Self::Identity> {`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`let Ok(appservice_info) = services.appservice.find_from_token(&output).await else {`
			`return Err!(Request(Unauthorized("Invalid appservice token.")));`
			`};`

refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`Ok(appservice_info)`
Refactor server_keys service/interface and related callsites 2024-10-11 18:57:59 +00:00			`}`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`}`
Refactor server_keys service/interface and related callsites 2024-10-11 18:57:59 +00:00
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`impl CheckAuth for AppserviceTokenOptional {`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`type Identity = Option<RegistrationInfo>;`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`async fn verify<B: AsRef<[u8]> + Sync>(`
			`services: &Services,`
			`output: Self::Output,`
			`request: &hyper::Request<B>,`
			`query: AuthQueryParams,`
			`route: TypeId,`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`) -> Result<Self::Identity> {`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`match output {`
			`\| Some(token) =>`
			`<AppserviceToken as CheckAuth>::verify(services, token, request, query, route)`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`.await`
			`.map(Some),`
			`\| None => Ok(None),`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`}`
Refactor server_keys service/interface and related callsites 2024-10-11 18:57:59 +00:00			`}`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`}`
apply `forbidden_remote_server_names` to outbound sending and inbound federation handling 2024-07-26 00:45:23 -04:00
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`impl CheckAuth for NoAuthentication {`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`type Identity = ();`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`async fn verify<B: AsRef<[u8]> + Sync>(`
			`_services: &Services,`
			`_output: Self::Output,`
			`_request: &hyper::Request<B>,`
			`_query: AuthQueryParams,`
			`_route: TypeId,`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`) -> Result<Self::Identity> {`
			`Ok(())`
apply `forbidden_remote_server_names` to outbound sending and inbound federation handling 2024-07-26 00:45:23 -04:00			`}`
Refactor server_keys service/interface and related callsites 2024-10-11 18:57:59 +00:00			`}`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`impl CheckAuth for NoAccessToken {`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`type Identity = Option<ClientIdentity>;`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`async fn verify<B: AsRef<[u8]> + Sync>(`
			`services: &Services,`
			`_output: Self::Output,`
			`request: &hyper::Request<B>,`
			`query: AuthQueryParams,`
			`route: TypeId,`
refactor: Represent route auth information in the type system 2026-05-26 13:28:23 -04:00			`) -> Result<Self::Identity> {`
refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`// We handle these the same as AccessTokenOptional`
			`let token = AccessTokenOptional::extract_authentication(request).map_err(\|err\| {`
			`err!(Request(Unauthorized(warn!("Failed to extract authorization: {}", err))))`
Refactor server_keys service/interface and related callsites 2024-10-11 18:57:59 +00:00			`})?;`
split ruma_wrapper from_request() related. 2024-05-23 18:44:19 +00:00
fix: Restore functionality of `require_auth_for_profile_requests` 2026-05-20 11:54:09 -04:00			`// Check special access restrictions`
			`if (route == TypeId::of::<client::profile::get_avatar_url::v3::Request>()`
			`\|\| route == TypeId::of::<client::profile::get_display_name::v3::Request>()`
			`\|\| route == TypeId::of::<client::profile::get_profile_field::v3::Request>()`
			`\|\| route == TypeId::of::<client::profile::get_profile::v3::Request>())`
			`&& services.config.require_auth_for_profile_requests`
			`&& token.is_none()`
			`{`
			`return Err!(Request(Unauthorized(`
			`"This server requires authentication to access user profiles."`
			`)));`
			`}`

refactor: Fix errors in `api/router/` 2026-04-13 16:20:47 -04:00			`<AccessTokenOptional as CheckAuth>::verify(services, token, request, query, route).await`
fix(auth): prevent token collisions and optimise lookups 2025-08-10 14:38:54 +01:00			`}`
			`}`