Only send token after verifying the homeserver

src/matrix/Client.js

@@ -290,8 +290,11 @@ export class Client {
             serverVersions: lastVersionsResponse.versions,
         });
 
-        // Let the serviceWorkerHandler know of this access-token
-        this._platform.updateService.setAccessToken(sessionInfo.accessToken);
+        // Let the serviceWorkerHandler know of this access-token and homeserver
+        this._platform.updateService.updateAuthData({
+            accessToken: sessionInfo.accessToken,
+            homeserver: sessionInfo.homeServer,
+        });
 
         this._session = new Session({
             storage: this._storage,
@@ -382,7 +385,9 @@ export class Client {
             throw Error("No session loaded, cannot update access token");
         }
         this._session.updateAccessToken(token);
-        await this._platform.updateService.setAccessToken(token);
+        this._platform.updateService.updateAuthData({
+            accessToken: token,
+        });
         await this._platform.sessionInfoStorage.updateAccessToken(this._sessionId, token);
     }
 

src/platform/web/dom/ServiceWorkerHandler.js

@@ -28,19 +28,24 @@ export class ServiceWorkerHandler {
         this._currentController = null;
         this._sessionInfoStorage = sessionInfoStorage;
         this.haltRequests = false;
-        this._accessToken = null;
+        this._authData = {};
     }
 
     setNavigation(navigation) {
         this._navigation = navigation;
     }
 
     /**
-     * Set the access-token to be used within the service worker.
-     * @param token An access-token
+     * Set the access-token and homeserver to be used within the service worker.
+     * @param auth An object with accessToken and homeserver
      */
-    setAccessToken(token) {
-        this._accessToken = token;
+    updateAuthData(auth) {
+        if (!auth.accessToken && !auth.homeserver) {
+            throw new Error(
+                "updateAuthData argument must contain accessToken, homeserver or both!"
+            );
+        }
+        this._authData = { ...this._authData, ...auth };
     }
 
     registerAndStart(path) {
@@ -96,10 +101,10 @@ export class ServiceWorkerHandler {
             event.source.postMessage({ replyTo: data.id });
         } else if (data.type === "openRoom") {
             this._navigation.push("room", data.payload.roomId);
-        } else if (data.type === "getAccessToken") {
+        } else if (data.type === "getAuthInfo") {
             event.source.postMessage({
                 replyTo: data.id,
-                payload: this._accessToken,
+                payload: this._authData,
             });
         }
     }

src/platform/web/sw.js

@@ -124,25 +124,39 @@ async function handleRequest({ request, clientId }) {
         }
 
         // Add access token for authenticated media endpoints
-        if (request.url.includes("_matrix/client/v1/media")) {
-            const headers = new Headers(request.headers);
+        const pathNameStartsWithMediaPrefix =
+            url.pathname.indexOf("/_matrix/client/v1/media") === 0;
+        if (pathNameStartsWithMediaPrefix) {
             const client = await self.clients.get(clientId);
-            const accessToken = await sendAndWaitForReply(
+            const { accessToken, homeserver } = await sendAndWaitForReply(
                 client,
-                "getAccessToken",
+                "getAuthInfo",
                 {}
             );
             if (!accessToken) {
                 throw new Error(
-                    "Token returned from getAccessToken message in sw.js is null"
+                    "Token returned from getAuthInfo message in sw.js is null!"
                 );
             }
-            headers.set("authorization", `Bearer ${accessToken}`);
-            request = new Request(request, {
-                mode: "cors",
-                credentials: "omit",
-                headers,
-            });
+            if (!homeserver) {
+                throw new Error(
+                    "homeserver returned from getAuthInfo message in sw.js is null!"
+                );
+            }
+            // Is this request actually going to the homeserver?
+            const isRequestForHomeserver =
+                new URL(homeserver).origin === url.origin;
+            if (isRequestForHomeserver) {
+                // Only add the access-token if we know that this request
+                // is going to the homeserver.
+                const headers = new Headers(request.headers);
+                headers.set("authorization", `Bearer ${accessToken}`);
+                request = new Request(request, {
+                    mode: "cors",
+                    credentials: "omit",
+                    headers,
+                });
+            }
         }
 
         let response = await readCache(request);