Add configuration option for app service auth (header vs. query string)

[matrixbot]

This issue has been migrated from #14415.

---

Description:

After matrix-org/synapse#13996 we now send the HS token in an authentication header in addition to the legacy query string. It would be good to make this configurable in the AS config, e.g. so that logs which include the query string no longer expose this security token or require manual redaction.

[clokep]

I suspect matrix-org/synapse#16017 fixed this?

[anoadragon453]

Is it sufficient that the config option is in the Synapse config, rather than the application service registration file, as I understand the original issue to be referring to?

cc @bradjones1 as the original issue author.

[bradjones1]

I believe that matrix-org/synapse#16017 should address the concern of the query string being exposed. I filed that original issue quite a long time ago and I haven't revisited this but looking at the changes throughout 2023 I think that change addresses the original concern. 👍

[anoadragon453]

Wonderful, thanks for confirming @bradjones1! Closing this issue then.