matrix-nio
Pass access_token as Authorization Bearer token?
Query parameters tend to get logged along with the rest of the URL, so probably prudent to pass the access_token via headers instead.
For this to work we'll need to make the API layer smarter.
It's a bit dumb that it returns just tuples, so expanding functionality there is not really possible.
We'll need to add a Request class that holds the path/method/body. All the API endpoints will then return this class instead of a tuple and set a flag on the class if authorization is required.
The client layer can then insert the access token any way it likes if it gets a Request object that requires authorization.
This is a breaking change for the API layer; to ease the transition we'll need to have a way to get from a Request object to an old-fashioned tuple.
There's another way I can think of, that can easily be implemented in the async client without breaking everything that relies on the API layer: in _send(), how about extracting the access_token out of the request URL, and adding it to the headers instead?
This is quite a hackish way. While we might want to do this to get this quickly, the correct way is to refactor the API to return a Request class that tells us if auth is required.
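Both approaches discussed in this thread, as an added example that is not matrix-nio's own code: a Request object carrying an auth flag with a bridge back to the legacy tuple, and the stopgap that moves access_token from the URL into a Bearer header. The names requires_auth, to_tuple, authorize, move_token_to_header and sync_request are hypothetical, and the token and URLs used with them are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class Request:
    """Hypothetical object an API-layer endpoint would return instead of a tuple."""
    method: str
    path: str
    body: Optional[str] = None
    requires_auth: bool = False
    headers: Dict[str, str] = field(default_factory=dict)

    def to_tuple(self, access_token: Optional[str] = None) -> Tuple[str, str, Optional[str]]:
        """Legacy (method, path, body) form: the token goes back into the query."""
        path = self.path
        if self.requires_auth and access_token:
            sep = "&" if "?" in path else "?"
            path = f"{path}{sep}{urlencode({'access_token': access_token})}"
        return self.method, path, self.body


def authorize(request: Request, access_token: str) -> Request:
    """Client layer: attach the token as a header so the URL stays token-free."""
    if request.requires_auth:
        request.headers["Authorization"] = f"Bearer {access_token}"
    return request


def move_token_to_header(url: str, headers: Dict[str, str]) -> str:
    """Stopgap from the thread: strip access_token from the URL and send it
    as a Bearer header instead. Returns the cleaned URL."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in query if k == "access_token"]
    if tokens:
        headers["Authorization"] = f"Bearer {tokens[-1]}"
    rest = [(k, v) for k, v in query if k != "access_token"]
    return urlunsplit(parts._replace(query=urlencode(rest)))


def sync_request() -> Request:
    """Constructed sample endpoint result; the path is illustrative."""
    return Request("GET", "/_matrix/client/r0/sync?timeout=30000", requires_auth=True)
```

With the header form, anything that logs the request line (proxies, access logs) records only the path and the non-secret query parameters.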