From cd26c170de42f81fd93a2f56c8becd925d99d687 Mon Sep 17 00:00:00 2001 From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Date: Fri, 23 Mar 2018 03:00:49 -0700 Subject: [PATCH] Specify token used in /login is not an Access Token (#1155) * Specify token used in /login is not an Access Token While working through the implementation of /login in Dendrite, it was confusing what the contents of the token attribute in the login request body referred to. Initially, I thought it was an access token, which led to further confusion. This commit explicitly states that the token is a login token, which is separate from an access token, hopefully reducing confusion for future readers. Signed-off-by: Andrew Morgan (https://amorgan.xyz) --- api/client-server/login.yaml | 2 +- specification/client_server_api.rst | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/api/client-server/login.yaml b/api/client-server/login.yaml index 03a1622c..a6e21a38 100644 --- a/api/client-server/login.yaml +++ b/api/client-server/login.yaml @@ -75,7 +75,7 @@ paths: token: type: string description: |- - Required when ``type`` is ``m.login.token``. The login token. + Required when ``type`` is ``m.login.token``. Part of `Token-based`_ login. device_id: type: string description: |- diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst index 1041dc15..dec3a4f4 100644 --- a/specification/client_server_api.rst +++ b/specification/client_server_api.rst 
@@ -510,8 +510,9 @@ To use this authentication type, clients should submit an auth dict as follows: The ``nonce`` should be a random string generated by the client for the request. The same ``nonce`` should be used if retrying the request. -There are many ways a client may receive a ``token``, including via an email or -from an existing logged in device. +A client may receive a login ``token`` via some external service, such as email +or SMS. Note that a login token is separate from an access token, the latter +providing general authentication to various API endpoints. The ``txn_id`` may be used by the server to disallow other devices from using the token, thus providing "single use" tokens while still allowing the device
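Review bot: In the login.yaml hunk, replacing "The login token." with "Part of `Token-based`_ login." removes the one place in the endpoint reference that said what the field is, which works against the stated goal of the commit; the `Token-based`_ target is an RST reference defined in client_server_api.rst, and a reader of the API definition alone (or a Swagger rendering of it) has no way to follow it. Keep the noun and state the distinction here as well, for example: "Required when ``type`` is ``m.login.token``. The login token obtained through `Token-based`_ login; this is not an access token."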
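Review bot: In the client_server_api.rst hunk, the new sentence drops the "from an existing logged in device" case that the old text stated, and the unchanged paragraph immediately below still talks about disallowing "other devices" from using the token, so the device-to-device scenario is now described only implicitly. It also introduces SMS as a delivery channel that nothing else in the diff supports. Suggest keeping both original cases and making the access-token contrast concrete, e.g.: "A client may receive a login ``token`` out of band, for example via email, or from an existing logged-in device. A login token is not an access token: it is presented once to ``/login`` and exchanged for an access token, which is what then authenticates requests to the rest of the client-server API." Since the login token can be redeemed for an access token, the text should not suggest it is any less sensitive in transit than the access token it yields.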