Support being provided an access token without first having logged in

[turt2live]

Many bots work by being provided an access token and aren't aware of their password - pantalaimon should support this by making a /account/whois call on tokens it does not recognize.

[poljar]

For this to work reliably we would need to know the device ID of the access token as well. If, for example, someone provides an access token of a device that already has encryption keys uploaded we shouldn't create new device keys and refuse to work with such an access token (provided that we don't have a pan client running for this user).

We can only create new device keys for access tokens that don't have device keys uploaded.

To get an user ID from an access token we can use the /account/whoami call.

The mentioned /account/whois call already requires the user ID and doesn't seem to return a device ID at all.

A list of devices can be fetched with the /devices call. But that returns the full list of devices and there isn't an easy and reliable way to figure out which device belongs to this access token.

Am I missing something with the /account/whois call that would make this possible?

[turt2live]

The endpoint could certainly use an extension to expose this information

[poljar]

This has only been partially fixed.

[turt2live]

Have opened MSC2033 to try and address this.