Open abliss opened 4 years ago
FWIW I think right now in the powerbox UI the user can specify a webkey which causes the capability to add an Authorization header to all requests. But the app itself cannot set the header.
For use cases where this flow works, it's nice that the app doesn't get to see the token, therefore cannot leak it.
That is a nice feature for certain use-cases. But (a) the matrix auth header is supposed to use X-Matrix rather than Bearer as the first word, and (b) its token is generated by signing a message with a private key that synapse expects to manage inside the grain.
I'd like to use this to allow my matrix grain to speak to other matrix servers on the internet. CC @zenhack
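Why a fixed Authorization header injected by the powerbox cannot stand in for the X-Matrix scheme discussed above, as an added example that is not part of the original post and is not Sandstorm or Synapse code: in Matrix federation request authentication the Ed25519 signature covers the method, URI, origin and destination of each request, so every request needs a fresh signature from the server's private key. The key id, hostnames and request paths are constructed placeholders.

```javascript
const crypto = require("node:crypto");

// Canonical JSON for signing: keys sorted, no insignificant whitespace.
// (Simplified: assumes ASCII keys and no floating-point values.)
function canonicalJson(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalJson).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalJson(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Bytes a homeserver signs for one outbound federation request.
function requestToSign({ method, uri, origin, destination, content }) {
  const obj = { method, uri, origin, destination };
  if (content !== undefined) obj.content = content; // body is covered when present
  return Buffer.from(canonicalJson(obj), "utf8");
}

// Build the Authorization header value; the first word is X-Matrix, not Bearer.
function xMatrixHeader(req, keyId, privateKey) {
  const sig = crypto.sign(null, requestToSign(req), privateKey)
    .toString("base64").replace(/=+$/, ""); // unpadded base64
  return `X-Matrix origin="${req.origin}",destination="${req.destination}",` +
    `key="${keyId}",sig="${sig}"`;
}

// Receiving side: check the header against the request actually received.
function verifyXMatrix(header, req, publicKey) {
  const m = /sig="([^"]+)"/.exec(header);
  if (!header.startsWith("X-Matrix ") || !m) return false;
  return crypto.verify(null, requestToSign(req), publicKey, Buffer.from(m[1], "base64"));
}

// Constructed demo: one throwaway key, two requests to the same destination.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const base = { method: "GET", origin: "grain.example", destination: "remote.example" };
const reqA = { ...base, uri: "/_matrix/federation/v1/publicRooms" };
const reqB = { ...base, uri: "/_matrix/federation/v1/query/directory?room_alias=%23demo%3Aremote.example" };
const headerA = xMatrixHeader(reqA, "ed25519:demo", privateKey);
const headerB = xMatrixHeader(reqB, "ed25519:demo", privateKey);

console.log(headerA);
console.log("A valid for request A:", verifyXMatrix(headerA, reqA, publicKey));
console.log("A replayed on request B:", verifyXMatrix(headerA, reqB, publicKey));
```

A header value captured for one request fails verification on any other, which is why a single webkey-style header configured once in the powerbox UI cannot cover this scheme.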