MSC3939: Account locking #3939
MSC3939: Account locking #3939
Conversation
turt2live
added
proposal
This comment was marked as resolved.
This comment was marked as resolved.
See the Alternatives section :) Also please write comments on MSCs in threads to prevent clottering the timeline 😅 |
|
PSA: I don't really wish to spend time maintaining this MSC anymore (as it was written in the context of work related to a role I no longer hold; plus I don't have write access to this branch anymore). This MSC should be considered unmaintained/abandoned unless someone else wishes to take it over (in which case, be my guest). |
|
Thanks for your work @babolivier. I am going to take this over. |
|
An implementation has been merged in synapse and will be available in synapse 1.91. |
|
Aside from some editorial comments, I think this is largely ready to go. SCT members should feel welcome to comment on the user directory thread. @mscbot fcp merge |
|
Team member @mscbot has proposed to merge this. The next step is review by the rest of the tagged people: Concerns:
Once at least 75% of reviewers approve (and there are no outstanding concerns), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for information about what commands tagged team members can give me. |
mscbot
added
proposed-final-comment-period
turt2live
removed
the
needs-implementation
|
@mscbot concern 401/403 behaviour |
mscbot
added
the
unresolved-concerns
|
@mscbot concern general clarity #3939 (comment) mostly |
|
@mscbot concern general clarity (duplicate because I spelt MSC wrong the first time and the bot doesn't understand edits) |
|
This MSC is on a shortlist for considerations in Matrix 1.11's release cycle, and so I'm taking it on under my Element T&S hat in service of the Foundation. |
|
@dbkr I believe I've addressed your concerns, but please feel free to raise new threads as needed. |
Co-authored-by: David Baker <dbkr@users.noreply.github.com>
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
|
@mscbot resolve general clarity |
|
Unknown concern 'general clarity'. |
|
@mscbot resolve 401/403 behaviour |
|
Unknown concern '401/403 behaviour'. |
turt2live
removed
the
unresolved-concerns
|
I've manually resolved the concerns for now. |
| Clients SHOULD hide the normal UI from the user when informing them that their | ||
| account is locked, preventing general use of the account. | ||
|
|
||
| Clients SHOULD continue to `/sync` and make other API calls to more quickly detect |
There was a problem hiding this comment.
How should the server behave when /sync is called? If it returns immediately with the 401 Unauthorized, and then the client immediately retries, it sounds like this would cause unnecessary traffic. So presumably the server should wait until the timeout is reached before sending the 401, unless the account gets unlocked before? Though I guess it should send the 401 immediately the first time that /sync gets called after the account gets locked, so that the user is notified immediately?
There was a problem hiding this comment.
I also found this bit weird since it says /sync and make other API calls. I assumed it means the client should make any API calls periodically, which could be /sync or /account/whoami or whatever.
If /sync is getting a new kind of 401 long polling, it definitely needs to be documented explicitly. If not, the section should probably be clarified that clients should just periodically call any API (but not in a tight loop like /sync)
There was a problem hiding this comment.
I believe the missing language is that clients should back off for some time, as if they were rate limited. I don't think /sync neccessarily gets a new long poll mechanism here, but clients do need to do something to discover when an account is no longer locked. Element Web for example will back off on /sync errors, then loop a /versions, /push_rules/, /sync call order - if all of these endpoints return success codes, the client resumes normal operation.
The bit about "other API calls" is mostly to acknowledge that clients do not linearly send requests. An account may be locked in the middle of a user scrolling through backlog: there's /messages, /send/m.receipt, and /sync all happening at that point - the client should recognize that an error on any of them is assumed to be an error on all of them.
(if this is clearer, happy to translate it to the MSC)
There was a problem hiding this comment.
I agree it would be great to spell out that clients should back off - it does sound rather intuitive but the special nature of /sync makes it easy to get confused.
Co-authored-by: Hubert Chathi <hubert@uhoreg.ca>
| account is locked, preventing general use of the account. | ||
|
|
||
| Clients SHOULD continue to `/sync` and make other API calls to more quickly detect | ||
| when the lock has been lifted. If unlocked, the APIs will either return a different |
There was a problem hiding this comment.
| when the lock has been lifted. If unlocked, the APIs will either return a different | |
| when the lock has been lifted. However, clients should rate-limit their requests. If unlocked, the APIs will either return a different |
to address the thread above.
Rendered
Synapse implementation
FCP tickyboxes