matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Spec compliance: Logging in multiple times with same device ID does not invalidate old access tokens #6616

Open aaronraimist opened 4 years ago

aaronraimist commented 4 years ago

https://matrix.org/docs/spec/client_server/r0.6.0#relationship-between-access-tokens-and-devices says

[When logging in] If the client sets the device_id, the server will invalidate any access token previously assigned to that device. There is therefore at most one active access token assigned to each device at any one time.

You can reproduce with:

curl -XPOST -d '{"type":"m.login.password", "user":"xxx", "password":"yyy", "device_id":"MYDEVICE"}' "https://server.com/_matrix/client/r0/login"

curl -XPOST -d '{"type":"m.login.password", "user":"xxx", "password":"yyy", "device_id":"MYDEVICE"}' "https://server.com/_matrix/client/r0/login"

Two rows are created in the access_tokens table with the same device ID but different access tokens, both of which are valid.
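A compliance check for the behaviour described above, as an added example that is not part of Synapse or this issue: it logs in twice with the same device_id and then asks /account/whoami whether the first token still works (per the spec, the server should answer 401 M_UNKNOWN_TOKEN). The transport is injected so it runs offline; http_json, check_device_token_invalidation and FakeHomeserver are names constructed here, and FakeHomeserver(invalidate=False) mirrors the two-valid-rows state from the report.

```python
import json
import urllib.error
import urllib.request

LOGIN_PATH = "/_matrix/client/r0/login"
WHOAMI_PATH = "/_matrix/client/r0/account/whoami"

def http_json(base_url, method, path, body=None, token=None):
    """One JSON request to a live homeserver -> (status, decoded body); 4xx is data."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def check_device_token_invalidation(request, user, password, device_id):
    """Log in twice with one device_id, then probe the first token via /whoami."""
    creds = {"type": "m.login.password", "user": user,
             "password": password, "device_id": device_id}
    s1, first = request("POST", LOGIN_PATH, creds, None)
    s2, second = request("POST", LOGIN_PATH, creds, None)
    if s1 != 200 or s2 != 200:
        raise RuntimeError("login failed: %s / %s" % (s1, s2))
    status, body = request("GET", WHOAMI_PATH, None, first["access_token"])
    return {"device_id": device_id,
            "tokens_differ": first["access_token"] != second["access_token"],
            "first_token_still_valid": status == 200,
            "compliant": status == 401 and body.get("errcode") == "M_UNKNOWN_TOKEN"}

class FakeHomeserver:
    """Constructed stand-in for the access_tokens table (token -> device_id)."""
    def __init__(self, invalidate):
        self.invalidate, self.tokens, self.n = invalidate, {}, 0

    def __call__(self, method, path, body, token):
        if path == LOGIN_PATH:
            dev = body["device_id"]
            if self.invalidate:  # spec: at most one active token per device
                self.tokens = {t: d for t, d in self.tokens.items() if d != dev}
            self.n += 1
            self.tokens["tok%d" % self.n] = dev
            return 200, {"access_token": "tok%d" % self.n, "device_id": dev}
        if path == WHOAMI_PATH and token in self.tokens:
            return 200, {"user_id": "@xxx:example.org"}
        return 401, {"errcode": "M_UNKNOWN_TOKEN", "error": "Unrecognised access token"}
```

Against a live server, pass functools.partial(http_json, "https://server.com") as the request argument; a result with compliant False and first_token_still_valid True is the state this issue reports.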

Cadair commented 4 years ago

I ran into this today; it's somewhat surprising...