Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MSC3939: Account locking #3939

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

MSC3939: Account locking #3939

Changes from 2 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
36ed829
MSCXXXX: Account locking
babolivier Nov 24, 2022
79472a2
MSC number
babolivier Nov 24, 2022
9a7a903
Switch to 401 + soft_lougout
Aug 8, 2023
73b0a48
FCP updates/clarity
turt2live Mar 21, 2024
3c23f61
Mention appeals/information
turt2live Mar 26, 2024
5bccc4e
v1.10
turt2live Mar 26, 2024
896e98c
Clarify why not 403
turt2live Mar 26, 2024
02c3a9e
Update proposals/3939-account-locking.md
turt2live Mar 26, 2024
257207b
Clarify UI expectations
turt2live Mar 26, 2024
920d315
Update proposals/3939-account-locking.md
turt2live Mar 27, 2024
a10802d
Update proposals/3939-account-locking.md
turt2live Apr 3, 2024
f76d53a
Update proposals/3939-account-locking.md
turt2live Apr 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
50 changes: 50 additions & 0 deletions proposals/3939-account-locking.md
View file
Open in desktop
@@ -0,0 +1,50 @@
# MSC3939: Account locking

There are legitimate cases where server administrators might want the ability to
temporarily lock users out of their account. For example, server administrators
might require users to go through a regular, out-of-bounds verification check in
turt2live marked this conversation as resolved.
Show resolved Hide resolved
order to keep using their account, and temporarily lock a user out of their
account if they do not complete this check in time.

At the time of writing this proposal, the only option for a server administrator
to prevent a user from accessing their account is to deactivate it. However,
turt2live marked this conversation as resolved.
Show resolved Hide resolved
this is a pretty destructive operation. Ideally, a locked account could be
turt2live marked this conversation as resolved.
Show resolved Hide resolved
unlocked without any visible impact on the account itself (joined rooms,
associated 3PIDs, etc).

## Proposal

A new `M_USER_LOCKED` is introduced, which is communicated to clients in `403 Forbidden` HTTP responses.

When an account is locked:

* homeservers must respond to any authenticated request from the user with
`M_USER_LOCKED`, _except_ for requests to `/logout` and `/logout/all`.
* homeservers must not automatically invalidate existing access tokens for the
user.
* clients should keep data that has already been locally persisted, unless the
turt2live marked this conversation as resolved.
Show resolved Hide resolved
user manually logs out.

turt2live marked this conversation as resolved.
Show resolved Hide resolved
When an account is unlocked, clients and the homeserver can start interacting
again as if nothing happened, similarly to when a client recovers after loss of
connection.

## Alternatives
turt2live marked this conversation as resolved.
Show resolved Hide resolved

This proposal could be merged with
[MSC3823](https://github.com/matrix-org/matrix-spec-proposals/pull/3823), which
describes a similar concept coming from a content moderation perspective.
However, locking and suspending an account are semantically different enough
that the author of this proposal thinks that it makes sense for those two cases
to be described differently in the API.

Another option for merging this proposal with MSC3823 would be adding a
`suspended` boolean property and an optional `href` string property (which would
be required if `suspended` is `true`) to errors bearing the `M_USER_LOCKED`
error code. Opinions are welcome on whether this is a better solution than using
two distincts error codes.

## Unstable prefix

Until this proposal is accepted, implementations must use
`ORG_MATRIX_MSC3939_USER_LOCKED` instead of `M_USER_LOCKED`.