Specify token used in /login is not an Access Token (#1155)

* Specify token used in /login is not an Access Token While working through the implementation of /login in Dendrite, it was confusing what the contents of the token attribute in the login request body referred to. Initially, I thought it was an access token, which led to further confusion. This commit explicitly states that the token is a login token, which is separate from an access token, hopefully reducing confusion for future readers. Signed-off-by: Andrew Morgan (https://amorgan.xyz) <andrew@amorgan.xyz>
2018-03-23 03:00:49 -07:00 · 2018-03-23 03:00:49 -07:00 · cd26c170de
commit cd26c170de
parent 8e97ec8bad
2 changed files with 4 additions and 3 deletions
--- a/api/client-server/login.yaml
+++ b/api/client-server/login.yaml
@ -75,7 +75,7 @@ paths:
              token:
                type: string
                description: |-
-                  Required when ``type`` is ``m.login.token``. The login token.
+                  Required when ``type`` is ``m.login.token``. Part of `Token-based`_ login.
              device_id:
                type: string
                description: |-
--- a/specification/client_server_api.rst
+++ b/specification/client_server_api.rst
@ -510,8 +510,9 @@ To use this authentication type, clients should submit an auth dict as follows:
 The ``nonce`` should be a random string generated by the client for the
 request. The same ``nonce`` should be used if retrying the request.

-There are many ways a client may receive a ``token``, including via an email or
-from an existing logged in device.
+A client may receive a login ``token`` via some external service, such as email
+or SMS. Note that a login token is separate from an access token, the latter
+providing general authentication to various API endpoints.

 The ``txn_id`` may be used by the server to disallow other devices from using
 the token, thus providing "single use" tokens while still allowing the device