From 8d70f69e621496796341eacf760918941728f0de Mon Sep 17 00:00:00 2001
From: Matthias Ahouansou <matthias@ahouansou.cz>
Date: Sat, 30 Mar 2024 12:40:58 +0000
Subject: [PATCH] fix: reject /register requests when there is no token and the
 type is appservice

---
 src/api/client_server/account.rs | 10 +++++++++-
 src/api/client_server/session.rs |  4 ++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/api/client_server/account.rs b/src/api/client_server/account.rs
index d4529a40..9f98369b 100644
--- a/src/api/client_server/account.rs
+++ b/src/api/client_server/account.rs
@@ -3,7 +3,8 @@ use crate::{api::client_server, services, utils, Error, Result, Ruma};
 use ruma::{
     api::client::{
         account::{
-            change_password, deactivate, get_3pids, get_username_availability, register,
+            change_password, deactivate, get_3pids, get_username_availability,
+            register::{self, LoginType},
             request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
             whoami, ThirdPartyIdRemovalStatus,
         },
@@ -84,6 +85,13 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
         ));
     }
 
+    if body.body.login_type == Some(LoginType::ApplicationService) && !body.from_appservice {
+        return Err(Error::BadRequest(
+            ErrorKind::MissingToken,
+            "Missing appservice token.",
+        ));
+    }
+
     let is_guest = body.kind == RegistrationKind::Guest;
 
     let user_id = match (&body.username, is_guest) {
diff --git a/src/api/client_server/session.rs b/src/api/client_server/session.rs
index 23f0b457..54069c03 100644
--- a/src/api/client_server/session.rs
+++ b/src/api/client_server/session.rs
@@ -118,8 +118,8 @@ pub async fn login_route(body: Ruma<login::v3::Request>) -> Result<login::v3::Re
         }) => {
             if !body.from_appservice {
                 return Err(Error::BadRequest(
-                    ErrorKind::Forbidden,
-                    "Forbidden login type.",
+                    ErrorKind::MissingToken,
+                    "Missing appservice token.",
                 ));
             };
             if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {