#1250 issue : Updated registration.yaml

To solve the issue of securely managing the as_token and hs_token in the application service registration YAML file, we can introduce the ability to specify file paths for these tokens (as_token_path and hs_token_path) instead of hardcoding the tokens directly in the YAML file.
2026-03-23 11:34:09 +01:00 · 2024-08-13 22:34:31 +05:30 · 2024-08-13 22:34:31 +05:30 · 3701f5dd65
parent f9c4aeeea4
commit 3701f5dd65
2 changed files with 32 additions and 3 deletions
--- a/changelogs/application_service/newsfragments/1250.feature
+++ b/changelogs/application_service/newsfragments/1250.feature
@ -0,0 +1,18 @@
+Issue 1250 fixed : allowed {as,hs}_token to be specified as {as,hs_token_path} instead in registration.yaml
+
+Implementation Notes:
+Token Handling Logic:
+
+The application should first check if the *_token_path fields are set.
+If they are, it should read the token from the specified file, strip any leading/trailing whitespace, and use it as the token.
+If the *_token_path fields are not set, the application should fall back to using the *_token fields.
+Security Considerations:
+
+Ensure that the files containing the tokens have appropriate file permissions to prevent unauthorized access.
+The application should handle potential errors such as file not found, permission denied, or empty token file gracefully.
+Backward Compatibility:
+
+This change is backward-compatible as it allows the use of either the direct token value (as_token/hs_token) or the path-based approach (as_token_path/hs_token_path).
+
+Special Note : Also if we're allowing the use of either the direct token (as_token/hs_token) or the path-based token (as_token_path/hs_token_path), then neither
+ as_token nor hs_token should be marked as strictly required on their own in the required container.
--- a/data/api/application-service/definitions/registration.yaml
+++ b/data/api/application-service/definitions/registration.yaml
@ -24,9 +24,21 @@ properties:
  as_token:
    type: string
    description: A secret token that the application service will use to authenticate requests to the homeserver.
+  as_token_path:
+    type: string
+    description: |-
+      A path to a file containing the secret token that the application service will use to authenticate requests to the homeserver.
+      If specified, the file contents will be used as the as_token. This file should contain only the token, and leading or trailing
+      whitespaces will be stripped before use.
  hs_token:
    type: string
-    description: A secret token that the homeserver will use authenticate requests to the application service.
+    description: A secret token that the homeserver will use to authenticate requests to the application service.
+  hs_token_path:
+    type: string
+    description: |-
+      A path to a file containing the secret token that the homeserver will use to authenticate requests to the application service.
+      If specified, the file contents will be used as the hs_token. This file should contain only the token, and leading or trailing
+      whitespaces will be stripped before use.
  sender_localpart:
    type: string
    description: |-
@ -71,7 +83,6 @@ properties:
 required:
  - id
  - url
-  - as_token
-  - hs_token
  - sender_localpart
  - namespaces
+