Clarify that per-request UIA for /login/get_token is an RFC 2119 MUST…

… requirement (#1846) Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>
matrix-org · Jun 7, 2024 · 5a86e38 · 5a86e38
1 parent 1e303b3
commit 5a86e38
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/changelogs/client_server/newsfragments/1846.clarification b/changelogs/client_server/newsfragments/1846.clarification
@@ -0,0 +1 @@
+Clarify that per-request UIA for /login/get_token is an RFC 2119 MUST requirement.
diff --git a/data/api/client-server/login_token.yaml b/data/api/client-server/login_token.yaml
@@ -45,7 +45,7 @@ paths:
         intend to log in multiple devices must generate a token for each.
 
         With other User-Interactive Authentication (UIA)-supporting endpoints, servers sometimes do not re-prompt
-        for verification if the session recently passed UIA. For this endpoint, servers should always re-prompt
+        for verification if the session recently passed UIA. For this endpoint, servers MUST always re-prompt
         the user for verification to ensure explicit consent is gained for each additional client.
 
         Servers are encouraged to apply stricter than normal rate limiting to this endpoint, such as maximum