From e95eafb2ba6b12d010b2b3c3e651424793ba2e72 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 4 Nov 2019 15:17:51 -0700 Subject: [PATCH 1/2] Clarify that submit_url is without authentication The request is authorized by its parameters, not by an additional access token. Fixes https://github.com/matrix-org/matrix-doc/issues/2298 --- api/client-server/administrative_contact.yaml | 7 ++++--- api/client-server/definitions/request_token_response.yaml | 6 +++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/api/client-server/administrative_contact.yaml b/api/client-server/administrative_contact.yaml index 9a59cb6b..fc231b60 100644 --- a/api/client-server/administrative_contact.yaml +++ b/api/client-server/administrative_contact.yaml @@ -157,9 +157,10 @@ paths: An optional field containing a URL where the client must submit the validation token to, with identical parameters to the Identity Service API's ``POST - /validate/email/submitToken`` endpoint. The homeserver must - send this token to the user (if applicable), who should - then be prompted to provide it to the client. + /validate/email/submitToken`` endpoint (without the requirement + for an access token). The homeserver must send this token to the + user (if applicable), who should then be prompted to provide it + to the client. If this field is not present, the client can assume that verification will happen without the client's involvement diff --git a/api/client-server/definitions/request_token_response.yaml b/api/client-server/definitions/request_token_response.yaml index e47db8a0..45201a20 100644 --- a/api/client-server/definitions/request_token_response.yaml +++ b/api/client-server/definitions/request_token_response.yaml @@ -25,9 +25,9 @@ properties: description: |- An optional field containing a URL where the client must submit the validation token to, with identical parameters to the Identity Service - API's ``POST /validate/email/submitToken`` endpoint. The homeserver must - send this token to the user (if applicable), who should then be - prompted to provide it to the client. + API's ``POST /validate/email/submitToken`` endpoint (without the requirement + for an access token). The homeserver must send this token to the user (if + applicable), who should then be prompted to provide it to the client. If this field is not present, the client can assume that verification will happen without the client's involvement provided the homeserver From 1dfe2ade0839dd037d8deaa23282518fa253b943 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 4 Nov 2019 15:19:10 -0700 Subject: [PATCH 2/2] Changelog --- changelogs/client_server/newsfragments/2341.clarification | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelogs/client_server/newsfragments/2341.clarification diff --git a/changelogs/client_server/newsfragments/2341.clarification b/changelogs/client_server/newsfragments/2341.clarification new file mode 100644 index 00000000..a941db1b --- /dev/null +++ b/changelogs/client_server/newsfragments/2341.clarification @@ -0,0 +1 @@ +Clarify that the ``submit_url`` field is without authentication.