From c61aee4f1c75b37b66d3d323e0e375240c2ce29f Mon Sep 17 00:00:00 2001
From: Matthias Ahouansou <matthias@ahouansou.cz>
Date: Sun, 31 Mar 2024 10:16:29 -0400
Subject: [PATCH] fix: reject /register requests when there is no token and the
 type is appservice

Signed-off-by: strawberry <strawberry@puppygock.gay>
---
 src/api/client_server/account.rs | 7 ++++++-
 src/api/client_server/session.rs | 6 +-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/api/client_server/account.rs b/src/api/client_server/account.rs
index 4b172fd6..54f3117c 100644
--- a/src/api/client_server/account.rs
+++ b/src/api/client_server/account.rs
@@ -2,7 +2,8 @@ use register::RegistrationKind;
 use ruma::{
 	api::client::{
 		account::{
-			change_password, deactivate, get_3pids, get_username_availability, register,
+			change_password, deactivate, get_3pids, get_username_availability,
+			register::{self, LoginType},
 			request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn, whoami,
 			ThirdPartyIdRemovalStatus,
 		},
@@ -91,6 +92,10 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
 		return Err(Error::BadRequest(ErrorKind::Forbidden, "Registration has been disabled."));
 	}
 
+	if body.body.login_type == Some(LoginType::ApplicationService) && !body.from_appservice {
+		return Err(Error::BadRequest(ErrorKind::MissingToken, "Missing Appservice token."));
+	}
+
 	let is_guest = body.kind == RegistrationKind::Guest;
 
 	if is_guest
diff --git a/src/api/client_server/session.rs b/src/api/client_server/session.rs
index ad135d0e..86ab4bbc 100644
--- a/src/api/client_server/session.rs
+++ b/src/api/client_server/session.rs
@@ -145,11 +145,7 @@ pub async fn login_route(body: Ruma<login::v3::Request>) -> Result<login::v3::Re
 		}) => {
 			debug!("Got appservice login type");
 			if !body.from_appservice {
-				info!(
-					"User tried logging in as an appservice, but request body is not from a known/registered \
-					 appservice"
-				);
-				return Err(Error::BadRequest(ErrorKind::Forbidden, "Forbidden login type."));
+				return Err(Error::BadRequest(ErrorKind::MissingToken, "Missing Appservice token."));
 			};
 			let username = if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
 				user_id.to_lowercase()