fix: reject /register requests when there is no token and the type is appservice

Signed-off-by: strawberry <strawberry@puppygock.gay>

src/api/client_server/account.rs

@@ -2,7 +2,8 @@ use register::RegistrationKind;
 use ruma::{
 	api::client::{
 		account::{
-			change_password, deactivate, get_3pids, get_username_availability, register,
+			change_password, deactivate, get_3pids, get_username_availability,
+			register::{self, LoginType},
 			request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn, whoami,
 			ThirdPartyIdRemovalStatus,
 		},
@@ -91,6 +92,10 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
 		return Err(Error::BadRequest(ErrorKind::Forbidden, "Registration has been disabled."));
 	}
 
+	if body.body.login_type == Some(LoginType::ApplicationService) && !body.from_appservice {
+		return Err(Error::BadRequest(ErrorKind::MissingToken, "Missing Appservice token."));
+	}
+
 	let is_guest = body.kind == RegistrationKind::Guest;
 
 	if is_guest

src/api/client_server/session.rs

@@ -145,11 +145,7 @@ pub async fn login_route(body: Ruma<login::v3::Request>) -> Result<login::v3::Re
 		}) => {
 			debug!("Got appservice login type");
 			if !body.from_appservice {
-				info!(
+				return Err(Error::BadRequest(ErrorKind::MissingToken, "Missing Appservice token."));
-					"User tried logging in as an appservice, but request body is not from a known/registered \
-					 appservice"
-				);
-				return Err(Error::BadRequest(ErrorKind::Forbidden, "Forbidden login type."));
 			};
 			let username = if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
 				user_id.to_lowercase()