-
-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
X-Matrix
Authorization header format summary does not mention comma whitespace rules
#1817
Comments
It appears that dendrite (or any homeserver using gomatrixserverlib) does not support optional whitespace around the commas either: https://github.com/matrix-org/gomatrixserverlib/blob/c2391f7113a5020d28d9fa5680ae025c20062126/fclient/request.go#L336 |
Conduit (or any homeserver using ruma) does not support optional whitespace around the commas either. Pair names or values are not trimmed for whitespace: https://github.com/ruma/ruma/blob/b4d0ab42a370c36b5cbb2daf241eafa5e402a2d7/crates/ruma-server-util/src/authorization.rs#L112 And space or tab is not allowed in the |
For the record, Conduit doesn't use ruma for parsing the X-Matrix header for some reason (probably because @timokoesters didn't know or it didn't exist at the time). Still has the same issue tho. |
@Kladki Aha, thank you very much! I'll create an issue on Conduit as well then. |
Conduit issue: https://gitlab.com/famedly/conduit/-/issues/447 |
Fixed by #1818. |
Link to problem area: https://spec.matrix.org/v1.10/server-server-api/#authentication
Issue
The spec mentions that:
This summary has missed out the detail that the comma-separated list of parameters may have optional whitespace (a space
0x20
or tab0x09
specifically) around them. See this bit of RFC 7235:OWS
is defined by RFC 7230 as:This was called out as an issue for Synapse a few years ago: matrix-org/synapse#1350 and a recently-submitted PR to Synapse has been filed to fix it: element-hq/synapse#17145
But I fear that the initial reason for this being missed was that the summary did not include this detail.
The "For compatibility with older servers, the sender should..." section should also be updated to include the bullet point:
Alternatively, we could update the spec to explicitly disallow whitespace around commas, which would match current implementations. But it would diverge from typical
Authorization
header behaviour, which may be confusing.The text was updated successfully, but these errors were encountered: