Application service API sends both access_token and an authorization header with an empty key
Background
I am by no means an expert on this, but I think there is a discrepancy here. I was having difficulty integrating the matrix-hookshot bridge with Conduit. I realized that although the two Docker containers can communicate, the bridge bot user was unresponsive and the bridge returned 401, Not authorized. Therefore, after a lot of elaboration, I decided to eavesdrop on the packets with tcpdump.
Crux of the issue
So I took a look at what the request is (I redacted things. Conduit is 172.21.0.2, Hookshot is 172.21.0.3; I listened on the Hookshot side.)
Hypertext Transfer Protocol
PUT /_matrix/app/v1/transactions/6CydR2%5FNNwEKP5DaSFAG6A00KZyHmMVX2gY7eHJcxCU?access_token=REDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTED HTTP/1.1\r\n
content-type: application/json\r\n
authorization: Bearer \r\n
accept: */*\r\n
host: 172.21.0.3:9993\r\n
content-length: 452\r\n
So the request has the access_token on the URI:
PUT /_matrix/app/v1/transactions/6CydR2%5FNNwEKP5DaSFAG6A00KZyHmMVX2gY7eHJcxCU?access_token=REDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTED HTTP/1.1\r\n
and an authorization header with empty Bearer string:
authorization: Bearer \r\n
The matrix_bot_sdk from Element implements the check as: https://github.com/vector-im/matrix-bot-sdk/blob/element-main/src/appservice/Appservice.ts#L647-L656
It seems that the SDK expects either the access_token or the authorization header, but not both.
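Added example, not part of the original report and not code from matrix-bot-sdk or Conduit: a receiver-side check that accepts the request shape captured above by treating an empty `Bearer` value as absent and falling back to `access_token`, while rejecting requests where the two credentials disagree. The function names, the request object shape and the token value are assumptions made for illustration.

```javascript
// Hypothetical receiver-side check; names and request shape are assumptions.

// Return the token from an Authorization header, or null if it is unusable.
function bearerFromHeader(headers) {
  const raw = headers && headers["authorization"];
  if (typeof raw !== "string") return null;
  // The scheme is case-insensitive; "Bearer " with no token does not match.
  const m = /^Bearer[ ]+(\S+)\s*$/i.exec(raw);
  return m ? m[1] : null;
}

// Decide which credential to trust. token is null when the request is rejected.
function extractToken(req) {
  const fromHeader = bearerFromHeader(req.headers);
  const q = req.query && req.query["access_token"];
  const fromQuery = typeof q === "string" && q.length > 0 ? q : null;
  // Two different non-empty credentials in one request is ambiguous: refuse.
  if (fromHeader && fromQuery && fromHeader !== fromQuery) {
    return { token: null, reason: "conflicting credentials" };
  }
  const token = fromHeader || fromQuery;
  return token ? { token, reason: "ok" } : { token: null, reason: "no credential" };
}

// Compare two strings without stopping at the first mismatching character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

function isAuthed(req, hsToken) {
  const { token } = extractToken(req);
  return token !== null && constantTimeEqual(token, hsToken);
}

// Constructed sample modelled on the capture: token in the query string,
// Authorization header present but carrying an empty Bearer value.
const HS_TOKEN = "CONSTRUCTED_HS_TOKEN";
const capturedShape = {
  headers: { authorization: "Bearer " },
  query: { access_token: HS_TOKEN },
};
console.log(isAuthed(capturedShape, HS_TOKEN));
```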