authorKegsay <kegan@matrix.org>2020-06-16 14:10:55 +0100
committerGitHub <noreply@github.com>2020-06-16 14:10:55 +0100
commit9c77022513f400db59409f5b55fc6223d38d6bb8 (patch)
tree52223755553ef4d7065747528e40c27a79a71dff /userapi/api
parent57b7fa3db801c27190bfd143cfebe98e3d76a6ae (diff)
Make userapi responsible for checking access tokens (#1133)
* Make userapi responsible for checking access tokens There's still plenty of dependencies on account/device DBs, but this is a start. This is a breaking change as it adds a required config value `listen.user_api`. * Cleanup * Review comments and test fix
Diffstat (limited to 'userapi/api')
-rw-r--r--userapi/api/api.go41
1 files changed, 40 insertions, 1 deletions
diff --git a/userapi/api/api.go b/userapi/api/api.go
index 8534fb17..57b5165a 100644
--- a/userapi/api/api.go
+++ b/userapi/api/api.go
@@ -19,6 +19,21 @@ import "context"
// UserInternalAPI is the internal API for information about users and devices.
type UserInternalAPI interface {
QueryProfile(ctx context.Context, req *QueryProfileRequest, res *QueryProfileResponse) error
+ QueryAccessToken(ctx context.Context, req *QueryAccessTokenRequest, res *QueryAccessTokenResponse) error
+}
+
+// QueryAccessTokenRequest is the request for QueryAccessToken
+type QueryAccessTokenRequest struct {
+ AccessToken string
+ // optional user ID, valid only if the token is an appservice.
+ // https://matrix.org/docs/spec/application_service/r0.1.2#using-sync-and-events
+ AppServiceUserID string
+}
+
+// QueryAccessTokenResponse is the response for QueryAccessToken
+type QueryAccessTokenResponse struct {
+ Device *Device
+ Err error // e.g ErrorForbidden
}
// QueryProfileRequest is the request for QueryProfile
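Review bot: `QueryAccessTokenResponse` reports rejection through the `Err error` field instead of the method's return value, so a caller that checks only the returned `error` can continue with a nil `Device` and treat the request as authenticated. Document the fail-closed contract on the struct, e.g. `// Err is non-nil when the token was rejected. Callers must treat Err != nil or Device == nil as unauthenticated.` The commit description's `listen.user_api` suggests this API may be served over a listener; if the response is ever JSON-encoded between components, an interface-typed `error` field would not decode back into `*ErrorForbidden`, so that path needs checking (the transport is not visible in this hunk). The `AppServiceUserID` comment should also say that implementations must ignore the field for non-appservice tokens, since honouring it there would let a normal user act as someone else.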
@@ -29,10 +44,34 @@ type QueryProfileRequest struct {
// QueryProfileResponse is the response for QueryProfile
type QueryProfileResponse struct {
- // True if the user has been created. Querying for a profile does not create them.
+ // True if the user exists. Querying for a profile does not create them.
UserExists bool
// The current display name if set.
DisplayName string
// The current avatar URL if set.
AvatarURL string
}
+
+// Device represents a client's device (mobile, web, etc)
+type Device struct {
+ ID string
+ UserID string
+ // The access_token granted to this device.
+ // This uniquely identifies the device from all other devices and clients.
+ AccessToken string
+ // The unique ID of the session identified by the access token.
+ // Can be used as a secure substitution in places where data needs to be
+ // associated with access tokens.
+ SessionID int64
+ // TODO: display name, last used timestamp, keys, etc
+ DisplayName string
+}
+
+// ErrorForbidden is an error indicating that the supplied access token is forbidden
+type ErrorForbidden struct {
+ Message string
+}
+
+func (e *ErrorForbidden) Error() string {
+ return "Forbidden: " + e.Message
+}
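Review bot: `Device` keeps the bearer `AccessToken` next to `SessionID`, and because `QueryAccessToken` now returns a `*Device`, the raw token is copied into every component that authenticates a request. Any code that logs the struct with `%+v` or serialises it would then write a credential to logs or storage. The `SessionID` comment already names it as the safe substitute, so spell the rule out on the field, e.g. `// AccessToken is a bearer credential: never log or persist it; associate data with SessionID instead.` Separately, `Error()` has a pointer receiver, so only `*ErrorForbidden` satisfies `error`; a doc line telling callers to match it with `errors.As` against a `*ErrorForbidden` target would prevent value-type checks that silently never match.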