Works with Drupal: 8.x
Release notes
This initial Alpha release fixes an information disclosure issue, and should be considered a Security release.
When a message is posted to Matrix and the request fails for any reason (e.g. a 502 Gateway timeout), Guzzle throws an exception whose message contains the URL of the request. Because the access_token was sent as part of that URL, it ends up in the exception.
This might get revealed to a caller -- for example, when a JSONAPI request creates an entity and triggers this error, the Matrix user's access_token is sent back to the caller in the exception.
Today's release moves the access_token to the Authorization header where it is not so trivially revealed, and is highly recommended.
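The leak and the fix described above, reproduced offline with Guzzle's MockHandler. This is an added example, not the module's own code; the homeserver URL, room ID, transaction ID, token and the `failureMessage()` helper are constructed for illustration, and it assumes Guzzle is installed via Composer.

```php
<?php
// Added example (not module code). Assumes `composer require guzzlehttp/guzzle`
// has been run in this directory.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;

// Constructed placeholder values.
const TOKEN = 'constructed_example_access_token';
const SEND_URL = 'https://matrix.example.org/_matrix/client/r0/rooms/'
  . '%21room%3Aexample.org/send/m.room.message/txn1';

/** Sends one message against a mocked 502 and returns the exception text. */
function failureMessage(array $authOptions): string {
  // MockHandler answers the request with a 502, so no network is needed.
  $mock = new MockHandler([new Response(502)]);
  $client = new Client(['handler' => HandlerStack::create($mock)]);
  $body = ['json' => ['msgtype' => 'm.text', 'body' => 'hello']];
  try {
    $client->put(SEND_URL, $authOptions + $body);
  }
  catch (RequestException $e) {
    // This string is what reaches logs or an API error response.
    return $e->getMessage();
  }
  return '';
}

/** TRUE if the token appears anywhere in the exception text. */
function leaksToken(string $message): bool {
  return strpos($message, TOKEN) !== FALSE;
}

// Before: token in the query string, so it is part of the request URL.
$before = failureMessage(['query' => ['access_token' => TOKEN]]);
// After: token in the Authorization header, as in this release.
$after = failureMessage(['headers' => ['Authorization' => 'Bearer ' . TOKEN]]);

printf("query string: token in exception = %s\n", var_export(leaksToken($before), TRUE));
printf("auth header:  token in exception = %s\n", var_export(leaksToken($after), TRUE));
```

The same `leaksToken()` style check can be pointed at existing log output to find tokens that were exposed before upgrading and need to be rotated.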
Matrix API is still considered Alpha, with the following potentially breaking change coming:
- Support for multiple Matrix accounts
In addition, this incident suggests that we may need to queue messages for later processing instead of handling them synchronously.