MSC2181: Add an Error Code for Signaling a Deactivated User #2181

Merged: 12 commits, Jul 31, 2019
45 changes: 45 additions & 0 deletions proposals/2181-user-deactivated-errcode.md
@@ -0,0 +1,45 @@
# Add an Error Code for Signaling a Deactivated User

Currently, when a user attempts to log in, they will receive an `M_FORBIDDEN`
errcode if their password is incorrect. However, if the user's account is
deactivated, they will also receive an `M_FORBIDDEN`, leaving clients in a
Contributor

Question: What do homeservers do if the user is deactivated and somebody tries to log in with an incorrect password? Is the homeserver expected to retain the password forever? If the password is not retained, should all attempts to log in as a deactivated user return the deactivated error (which may have some privacy implications?).

Member Author

It should still return M_USER_DEACTIVATED. Password hashes are wiped (at least in Synapse) upon user deactivation.

> which may have some privacy implications?

Privacy implications are here whether password hashes are retained or not, no?

Member Author

The problem with shifting it so that you need to login to see if you're deactivated, is that we already have tons of deactivated users whose password hashes have been cleared.

Also worth noting Reddit's APIs allow you to tell if any user has been shadowbanned, something that ideally even the user wouldn't know, and that doesn't seem to have caused their service any harm. https://nullprogram.com/am-i-shadowbanned/

Member

... also by nature of being deactivated you shouldn't be allowed back in. Why would we let people get that far into the process without telling them to go away? I think the proposed approach is fine

state where they are unable to inform the user that the reason they cannot
log in is that their account has been deactivated. This leads to confusion
and password resetting with ultimately results in unnecessary support
requests.

## Proposal

This proposal asks to create a new errcode, `M_USER_DEACTIVATED`, that MAY be
returned whenever an action is attempted that requires an activited user, but
the authenticating user is deactivated. The HTTP code to return alongside is
`403`.

This should initially be returned by `/login`, when an identifier of a
deactivated user is sent in the request. The password does not have to be
correct, as some homeserver implementations remove password information on
deactivation.

## Tradeoffs

The alternative is to continue returning an `M_FORBIDDEN`, but send back a
different errmsg. This is undesirable as clients are supposed to treat the
message as an opaque string, and should not be performing any
pattern-matching on it.

## Potential issues

None

## Security considerations

While the existence of a user was already public knowledge (one can check if
the User ID is available through
[/_matrix/client/r0/register/available](https://matrix.org/docs/spec/client_server/r0.5.0#get-matrix-client-r0-register-available),
this proposal would allow any user to be able to detect if a registered
account has been deactivated.

## Conclusion

Adding `M_USER_DEACTIVATED` would better inform clients about the state of a
user's account, and lead to less confusion when they cannot log in.
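
Review bot: "Potential issues: None" is contradicted by the Security considerations section of the same file, which records that `M_USER_DEACTIVATED` lets anyone confirm that a registered account has been deactivated without knowing its password (the Proposal section says "The password does not have to be correct"); either cross-reference that section from Potential issues or say what bounds bulk probing of this status, since the check happens before any credential is verified. The Proposal sentence "MAY be returned whenever an action is attempted that requires an activited user" also reaches beyond `/login` without naming any other endpoint expected to adopt the code; say which are in scope or state that only `/login` is covered here. Three wording slips in the same hunk: "activited" should be "activated"; "password resetting with ultimately results in unnecessary support requests" should read "which ultimately results"; and the Security considerations sentence opens a parenthesis at "(one can check if the User ID is available" that is never closed, so close it after the `/register/available` link.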