-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC3823: Account Suspension #3823
Changes from all commits
b3a4a79
a0b2378
fe62d93
35cb1c4
6dbe71d
d1b461d
c54e982
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
# MSC3823: Account Suspension | ||
|
||
Unlike [account locking](https://spec.matrix.org/v1.12/client-server-api/#account-locking), suspension | ||
allows the user to have a (largely) readonly view of their account. Homeserver administrators and | ||
moderators may use this functionality to temporarily deactivate an account, or place conditions on | ||
the account's experience. Critically, like locking, account suspension is reversible, unlike the | ||
deactivation mechanism currently available in Matrix - a destructive, irreversible, action. | ||
|
||
This proposal introduces a concept of suspension to complement locking for server admins to use. Locking | ||
is typically more used in narrow scenarios, where the server admin wants to prevent the account from | ||
engaging any further. An example of this may be too many failed password attempts. Suspension is more | ||
general purpose to create a barrier to further action - a "something weird is going on -> suspend" | ||
kind of button. | ||
|
||
The error code introduced by this proposal is accompanied by guidelines on how servers can implement | ||
suspension. APIs to invoke or clear suspension are not introduced, and left as an implementation detail. | ||
These will typically be done through an administrator-only API. | ||
|
||
## Proposal | ||
|
||
When an account is suspended, any [Client-Server API](https://spec.matrix.org/v1.10/client-server-api/) | ||
endpoint MAY return a 403 HTTP status code with `errcode` of `M_USER_SUSPENDED`. This indicates to | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
the user that the associated action is unavailable. | ||
Comment on lines
+21
to
+23
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. someone remind me why this should be a 403 rather than a 401 (and why does locking specify a 401)? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 401 is "token doesn't work anymore" while 403 is "your token works, but server says no". |
||
|
||
Clients should note that for more general endpoints, like `/send/:eventType`, suspension MAY only be | ||
applied to a subset of request parameters. For example, a user may be allowed to *redact* events but | ||
not send messages. | ||
|
||
The specific list of permitted actions during suspension is left as a deliberate implementation | ||
detail, however a server SHOULD permit the user to: | ||
|
||
* Log in/create additional sessions (which should also behave as suspended). | ||
* See and receive messages, particularly via `/sync` and `/messages`. | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
* [Verify their other devices](https://spec.matrix.org/v1.10/client-server-api/#device-verification) | ||
and write associated [cross-signing data](https://spec.matrix.org/v1.10/client-server-api/#cross-signing). | ||
* [Populate their key backup](https://spec.matrix.org/v1.10/client-server-api/#server-side-key-backups). | ||
* Leave rooms & reject invites. | ||
* Redacting their own events. | ||
* Log out/delete any device of theirs, including the current session. | ||
* Deactivate their account, potentially with a deliberate time delay to discourage making a new | ||
account right away. | ||
* Change or add [admin contacts](https://spec.matrix.org/v1.10/client-server-api/#adding-account-administrative-contact-information), | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
but not remove. Servers are recommended to only permit this if they keep a changelog on contact information | ||
to prevent misuse. | ||
|
||
The recommendation for users to continue receiving/reading messages is largely so the administrator | ||
can maintain contact with the user, where applicable. Future MSCs may improve upon the admin<>user | ||
communication, and account locking may also be used to prevent access to messages. | ||
|
||
The suggested set of explicitly forbidden actions is: | ||
|
||
* Joining or knocking on rooms, including accepting invites. | ||
* Sending messages. | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
* Sending invites. | ||
* Changing profile data (display name and avatar). | ||
* Redacting other users' events (when a moderator/admin of a room, for example). | ||
|
||
## Potential issues | ||
|
||
This proposal does not communicate *why* a user's account is restricted. The human-readable `error` | ||
field may contain some information, though anything comprehensive may not be surfaced to the user. | ||
A future MSC is expected to build a system for both informing the user of the action taken against | ||
their account and allow the user to appeal that action. | ||
|
||
## Alternatives | ||
|
||
No significant alternatives are plausible. `M_USER_DEACTIVATED` could be expanded with a `permanent` | ||
flag, though ideally each error code should provide meaning on its own. | ||
|
||
The related concept of locking, as discussed in places like [MSC3939](https://github.com/matrix-org/matrix-spec-proposals/pull/3939) | ||
and [matrix-org/glossary](https://github.com/matrix-org/glossary), is semantically different from | ||
suspension. Suspension has the key difference that the user is *not* logged out of their client, | ||
typically used by safety teams, while locking *does* log the user out and would primarily be used by | ||
security teams. A future MSC may combine or split the two related error codes into a descriptive set | ||
of capabilities the user can perform. | ||
|
||
## Unstable prefixes | ||
|
||
Until this proposal is considered stable, implementations must use | ||
`ORG.MATRIX.MSC3823.USER_SUSPENDED` instead of `M_USER_SUSPENDED`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementation requirements:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The client implementation requirement has been questioned a bit - I think for this MSC, evidence of clients not exploding would be fine. The list won't be exhaustive or fully representative of the ecosystem, but would indicate the typical user experience.
Specifically, I think the following clients need to be tested with a suspended account:
"Exploding" would be defined as the user being logged out, or otherwise unable to interact with their account. Failing to show the error message ("your account is suspended") is fine, but bonus points to the client if it makes it clear to the user. If the user can (minimally) interact with their rooms without being kicked to an error screen or login page, the client "works", even if clunky.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This testing has been completed by the T&S team at the Foundation. Results are compiled here: https://docs.google.com/document/d/1oTVKRLHCc6x4iYti8bkhRN3YbBO29oAjqmZE-mj-xXY/edit?usp=sharing
TLDR: The above-listed clients all passed, but a few had some weird-ish errors/rough edges. With my SCT hat, I don't think these rough edges are blockers for merging.