Ensure appservices have their devices checked (#554)

The regular device check will return the device for the appservice's bot user instead of going through the user_id branch. The check has been moved to below the user_id check to ensure the right virtual user's device is chosen.
Travis Ralston 2019-03-21 08:48:21 -06:00 committed by GitHub
parent 5d2d0484d1
commit f8f9965cc5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -65,12 +65,6 @@ type Data struct {
func VerifyUserFromRequest(
req *http.Request, data Data,
) (*authtypes.Device, *util.JSONResponse) {
// Try to find local user from device database
dev, devErr := verifyAccessToken(req, data.DeviceDB)
if devErr == nil {
return dev, verifyUserParameters(req)
}
// Try to find the Application Service user
token, err := ExtractAccessToken(req)
if err != nil {
@ -128,6 +122,12 @@ func VerifyUserFromRequest(
return &dev, nil
}
// Try to find local user from device database
dev, devErr := verifyAccessToken(req, data.DeviceDB)
if devErr == nil {
return dev, verifyUserParameters(req)
}
return nil, &util.JSONResponse{
Code: http.StatusUnauthorized,
JSON: jsonerror.UnknownToken("Unrecognized access token"),
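Review bot: In the relocated fallback (`dev, devErr := verifyAccessToken(req, data.DeviceDB)`), a non-nil `devErr` is dropped and the function falls through to the generic 401 `UnknownToken("Unrecognized access token")`. The body of `verifyAccessToken` is not visible here, but if it can fail for reasons other than an unknown token (for example a device database error), that failure is reported to the client as an invalid token and the real cause is lost. Assuming `devErr` has the same type as the function's second result, consider `return nil, devErr` after the `if devErr == nil` block, or at least logging `devErr` before the generic response. Since the order of the two lookups now decides which identity a request authenticates as, the comment above the call should say so, e.g. `// Must run after the appservice check so an appservice token resolves to the requested user_id, not the bot user's device.` `VerifyUserFromRequest` starts and ends outside the lines shown.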