From b3a4a79d6c19173868f32f92490c1f044e27c064 Mon Sep 17 00:00:00 2001 From: David Teller Date: Mon, 23 May 2022 12:26:48 +0200 Subject: [PATCH 1/7] MSC: A code for account suspension Signed-off-by: David Teller --- proposals/3823-code-for-account-suspension.md | 81 +++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 proposals/3823-code-for-account-suspension.md diff --git a/proposals/3823-code-for-account-suspension.md b/proposals/3823-code-for-account-suspension.md new file mode 100644 index 00000000000..52110a1da9d --- /dev/null +++ b/proposals/3823-code-for-account-suspension.md @@ -0,0 +1,81 @@ +# MSC3823: A code for account suspension + +This MSC introduces a new error code that servers may send to clarify that an account has been +suspended *temporarily* but may still be reactivated. + +## Proposal + +### Introduction + +Matrix has a code `M_USER_DEACTIVATED` that a server may return to describe an account that has been +deactivated. So far, this code has been used to represent accounts that have been *permanently* +deactivated. In particular, clients that interpret this error code display it imply that the account +has been *permanently* deactivated. + +However, some countries (e.g. UK) have laws that require the ability to appeal account +deactivations. This requires the ability to specify that an account is *reversibly* +suspended and let users know about the appeals procedure. + +This MSC simply introduces a new error code `M_USER_ACCOUNT_SUSPENDED` that servers may send to +clarify that an account has been suspended but that the solution may still be resolved either by +an appeal or by e.g. clearing up some abusive messages. + +This MSC does *not* specify a mechanism to suspend or unsuspend the account or to handle appeals. + +### Proposal + +Introduce a new error code `M_USER_ACCOUNT_SUSPENDED`. This error code MAY be sent by the server +whenever a client attempts to use an API on behalf of a user whose account has been suspended. + +| Name | Type | Value | +|------|------|-------| +| `href` | string | (optional) If specified, a URL containing more information for the user, such as action needed. | + +The client is in charge of displaying an error message understandable by the user in case of `M_USER_ACCOUNT_SUSPENDED`, +as well as a link to `href`. + +The web server serving `href` is in charge of localizing the message, using existing HTTP mechanisms, +to adapt the page to the end user's locale. + +#### Examples + +Returning a static page: + +```json +{ + "errcode": "M_USER_ACCOUNT_SUSPENDED", + "error": "The user account has been suspended, see link for details", + "href": "https://example.org/help/my-account-is-suspended-what-can-i-do +} +``` + +Returning a dynamic page customized for this specific user: + +```json +{ + "errcode": "M_USER_ACCOUNT_SUSPENDED", + "error": "The user account has been suspended, see link for details", + "href": "https://example.org/action-needed/please-redact-events?event-id=$event_1:example.org&event-id=$event_2:example.org +} +``` + + +### Potential issues + +See security considerations. + +### Alternatives + +We could reuse `M_USER_DEACTIVATED` and introduce an additional field: + +| Name | Type | Value | +|------|------|-------| +| `permanent` | boolean | (optional) If `false`, the account may still be reactivated. | + +in addition to the fields mentioned previously. + +### Security considerations + +This has the potential to expose private data. + +To avoid this, any `M_USER_ACCOUNT_SUSPENDED` MUST NOT be sent without authentication. \ No newline at end of file From a0b237881d39db2519432760b98d9ef1d0163b67 Mon Sep 17 00:00:00 2001 From: David Teller Date: Tue, 24 May 2022 18:27:21 +0200 Subject: [PATCH 2/7] WIP: Adding prefix --- proposals/3823-code-for-account-suspension.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/proposals/3823-code-for-account-suspension.md b/proposals/3823-code-for-account-suspension.md index 52110a1da9d..96d246ec96e 100644 --- a/proposals/3823-code-for-account-suspension.md +++ b/proposals/3823-code-for-account-suspension.md @@ -78,4 +78,8 @@ in addition to the fields mentioned previously. This has the potential to expose private data. -To avoid this, any `M_USER_ACCOUNT_SUSPENDED` MUST NOT be sent without authentication. \ No newline at end of file +To avoid this, any `M_USER_ACCOUNT_SUSPENDED` MUST NOT be sent without authentication. + +### Unstable prefixes + +During testing, `M_USER_ACCOUNT_SUSPENDED` will be prefixed as `M_ORG_MATRIX_MSC3823_USER_ACCOUNT_SUSPENDED`. From fe62d93d16ed35a5649e916bee638b0d2b2db60c Mon Sep 17 00:00:00 2001 From: David Teller Date: Tue, 31 May 2022 09:51:55 +0200 Subject: [PATCH 3/7] Update proposals/3823-code-for-account-suspension.md Co-authored-by: Travis Ralston --- proposals/3823-code-for-account-suspension.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/3823-code-for-account-suspension.md b/proposals/3823-code-for-account-suspension.md index 96d246ec96e..87e6d11cbad 100644 --- a/proposals/3823-code-for-account-suspension.md +++ b/proposals/3823-code-for-account-suspension.md @@ -82,4 +82,4 @@ To avoid this, any `M_USER_ACCOUNT_SUSPENDED` MUST NOT be sent without authentic ### Unstable prefixes -During testing, `M_USER_ACCOUNT_SUSPENDED` will be prefixed as `M_ORG_MATRIX_MSC3823_USER_ACCOUNT_SUSPENDED`. +During testing, `M_USER_ACCOUNT_SUSPENDED` will be prefixed as `ORG.MATRIX.MSC3823.USER_ACCOUNT_SUSPENDED`. From 35cb1c4049159f7e5ae712023beea8aac93f18ab Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Tue, 12 Mar 2024 15:33:32 -0600 Subject: [PATCH 4/7] Apply suggestions from code review Co-authored-by: Dirk Klimpel <5740567+dklimpel@users.noreply.github.com> --- proposals/3823-code-for-account-suspension.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proposals/3823-code-for-account-suspension.md b/proposals/3823-code-for-account-suspension.md index 87e6d11cbad..3bd45c2049c 100644 --- a/proposals/3823-code-for-account-suspension.md +++ b/proposals/3823-code-for-account-suspension.md @@ -45,7 +45,7 @@ Returning a static page: { "errcode": "M_USER_ACCOUNT_SUSPENDED", "error": "The user account has been suspended, see link for details", - "href": "https://example.org/help/my-account-is-suspended-what-can-i-do + "href": "https://example.org/help/my-account-is-suspended-what-can-i-do" } ``` @@ -55,7 +55,7 @@ Returning a dynamic page customized for this specific user: { "errcode": "M_USER_ACCOUNT_SUSPENDED", "error": "The user account has been suspended, see link for details", - "href": "https://example.org/action-needed/please-redact-events?event-id=$event_1:example.org&event-id=$event_2:example.org + "href": "https://example.org/action-needed/please-redact-events?event-id=$event_1:example.org&event-id=$event_2:example.org" } ``` From 6dbe71d1b3df9d935db1362bcdfd90e5b6cf27a1 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 25 Mar 2024 20:39:03 -0600 Subject: [PATCH 5/7] Update for latest requirements * Add list of permitted/forbidden actions * Remove `href` from error code - this will be handled in a later MSC * Match modern template --- proposals/3823-code-for-account-suspension.md | 119 ++++++++---------- 1 file changed, 50 insertions(+), 69 deletions(-) diff --git a/proposals/3823-code-for-account-suspension.md b/proposals/3823-code-for-account-suspension.md index 3bd45c2049c..9b81008a57e 100644 --- a/proposals/3823-code-for-account-suspension.md +++ b/proposals/3823-code-for-account-suspension.md @@ -1,85 +1,66 @@ -# MSC3823: A code for account suspension +# MSC3823: Account Suspension -This MSC introduces a new error code that servers may send to clarify that an account has been -suspended *temporarily* but may still be reactivated. +Unlike [account locking](https://github.com/matrix-org/matrix-spec-proposals/pull/3939), suspension +allows the user to have a (largely) readonly view of their account. Homeserver administrators and +moderators may use this functionality to temporarily deactivate an account, or place conditions on +the account's experience. Critically, like locking, account suspension is reversible, unlike the +deactivation mechanism currently available in Matrix - a destructive, irreversible, action. -## Proposal - -### Introduction - -Matrix has a code `M_USER_DEACTIVATED` that a server may return to describe an account that has been -deactivated. So far, this code has been used to represent accounts that have been *permanently* -deactivated. In particular, clients that interpret this error code display it imply that the account -has been *permanently* deactivated. - -However, some countries (e.g. UK) have laws that require the ability to appeal account -deactivations. This requires the ability to specify that an account is *reversibly* -suspended and let users know about the appeals procedure. - -This MSC simply introduces a new error code `M_USER_ACCOUNT_SUSPENDED` that servers may send to -clarify that an account has been suspended but that the solution may still be resolved either by -an appeal or by e.g. clearing up some abusive messages. - -This MSC does *not* specify a mechanism to suspend or unsuspend the account or to handle appeals. - -### Proposal - -Introduce a new error code `M_USER_ACCOUNT_SUSPENDED`. This error code MAY be sent by the server -whenever a client attempts to use an API on behalf of a user whose account has been suspended. +This proposal introduces an error code for communicating suspension to a user, alongside some +guidelines for how suspension could be implemented by a server. APIs to invoke or clear suspension +are not introduced, and left as an implementation detail. These will typically be done through an +administrator-only API. -| Name | Type | Value | -|------|------|-------| -| `href` | string | (optional) If specified, a URL containing more information for the user, such as action needed. | - -The client is in charge of displaying an error message understandable by the user in case of `M_USER_ACCOUNT_SUSPENDED`, -as well as a link to `href`. - -The web server serving `href` is in charge of localizing the message, using existing HTTP mechanisms, -to adapt the page to the end user's locale. - -#### Examples - -Returning a static page: - -```json -{ - "errcode": "M_USER_ACCOUNT_SUSPENDED", - "error": "The user account has been suspended, see link for details", - "href": "https://example.org/help/my-account-is-suspended-what-can-i-do" -} -``` - -Returning a dynamic page customized for this specific user: +## Proposal -```json -{ - "errcode": "M_USER_ACCOUNT_SUSPENDED", - "error": "The user account has been suspended, see link for details", - "href": "https://example.org/action-needed/please-redact-events?event-id=$event_1:example.org&event-id=$event_2:example.org" -} -``` +When an account is suspended, any [Client-Server API](https://spec.matrix.org/v1.10/client-server-api/) +endpoint MAY return a 403 HTTP status code with `errcode` of `M_USER_SUSPENDED`. This indicates to +the user that the associated action is unavailable. +Clients should note that for more general endpoints, like `/send/:eventType`, suspension MAY only be +applied to a subset of request parameters. For example, a user may be allowed to *redact* events but +not send messages. -### Potential issues +The specific list of permitted actions during suspension is left as a deliberate implementation +detail, however a server SHOULD permit the user to: -See security considerations. +* Log in/create additional sessions (which should also behave as suspended). +* See and receive messages, particularly via `/sync` and `/messages`. +* [Verify their other devices](https://spec.matrix.org/v1.10/client-server-api/#device-verification) + and write associated [cross-signing data](https://spec.matrix.org/v1.10/client-server-api/#cross-signing). +* [Populate their key backup](https://spec.matrix.org/v1.10/client-server-api/#server-side-key-backups). +* Leave rooms & reject invites. +* Redact events. +* Log out/delete any device of theirs, including the current session. +* Deactivate their account, potentially with a deliberate time delay to discourage making a new + account right away. +* Change or add [admin contacts](https://spec.matrix.org/v1.10/client-server-api/#adding-account-administrative-contact-information), + but not remove. -### Alternatives +The suggested set of explicitly forbidden actions is: -We could reuse `M_USER_DEACTIVATED` and introduce an additional field: +* Joining or knocking on rooms, including accepting invites. +* Sending messages. +* Sending invites. +* Changing profile data (display name and avatar). -| Name | Type | Value | -|------|------|-------| -| `permanent` | boolean | (optional) If `false`, the account may still be reactivated. | +## Potential issues -in addition to the fields mentioned previously. +This proposal does not communicate *why* a user's account is restricted. The human-readable `error` +field may contain some information, though anything comprehensive may not be surfaced to the user. +A future MSC is expected to build a system for both informing the user of the action taken against +their account and allow the user to appeal that action. -### Security considerations +## Alternatives -This has the potential to expose private data. +No significant alternatives are plausible. `M_USER_DEACTIVATED` could be expanded with a `permanent` +flag, though ideally each error code should provide meaning on its own. -To avoid this, any `M_USER_ACCOUNT_SUSPENDED` MUST NOT be sent without authentication. +The related concept of locking, as discussed in places like [MSC3939](https://github.com/matrix-org/matrix-spec-proposals/pull/3939) +and [matrix-org/glossary](https://github.com/matrix-org/glossary), is semantically different from +suspension. -### Unstable prefixes +## Unstable prefixes -During testing, `M_USER_ACCOUNT_SUSPENDED` will be prefixed as `ORG.MATRIX.MSC3823.USER_ACCOUNT_SUSPENDED`. +Until this proposal is considered stable, implementations must use +`ORG.MATRIX.MSC3823.USER_SUSPENDED` instead of `M_USER_SUSPENDED`. From d1b461dc8ec639b540330d463ff251db78beefdf Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Wed, 23 Oct 2024 14:33:47 -0600 Subject: [PATCH 6/7] Clarify MSC --- proposals/3823-code-for-account-suspension.md | 25 +++++++++++++------ 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/proposals/3823-code-for-account-suspension.md b/proposals/3823-code-for-account-suspension.md index 9b81008a57e..7cdbd19ff2a 100644 --- a/proposals/3823-code-for-account-suspension.md +++ b/proposals/3823-code-for-account-suspension.md @@ -1,15 +1,20 @@ # MSC3823: Account Suspension -Unlike [account locking](https://github.com/matrix-org/matrix-spec-proposals/pull/3939), suspension +Unlike [account locking](https://spec.matrix.org/v1.12/client-server-api/#account-locking), suspension allows the user to have a (largely) readonly view of their account. Homeserver administrators and moderators may use this functionality to temporarily deactivate an account, or place conditions on the account's experience. Critically, like locking, account suspension is reversible, unlike the deactivation mechanism currently available in Matrix - a destructive, irreversible, action. -This proposal introduces an error code for communicating suspension to a user, alongside some -guidelines for how suspension could be implemented by a server. APIs to invoke or clear suspension -are not introduced, and left as an implementation detail. These will typically be done through an -administrator-only API. +This proposal introduces a concept of suspension to complement locking for server admins to use. Locking +is typically more used in narrow scenarios, where the server admin wants to prevent the account from +engaging any further. An example of this may be too many failed password attempts. Suspension is more +general purpose to create a barrier to further action - a "something weird is going on -> suspend" +kind of button. + +The error code introduced by this proposal is accompanied by guidelines on how servers can implement +suspension. APIs to invoke or clear suspension are not introduced, and left as an implementation detail. +These will typically be done through an administrator-only API. ## Proposal @@ -30,12 +35,17 @@ detail, however a server SHOULD permit the user to: and write associated [cross-signing data](https://spec.matrix.org/v1.10/client-server-api/#cross-signing). * [Populate their key backup](https://spec.matrix.org/v1.10/client-server-api/#server-side-key-backups). * Leave rooms & reject invites. -* Redact events. +* Redacting their own events. * Log out/delete any device of theirs, including the current session. * Deactivate their account, potentially with a deliberate time delay to discourage making a new account right away. * Change or add [admin contacts](https://spec.matrix.org/v1.10/client-server-api/#adding-account-administrative-contact-information), - but not remove. + but not remove. Servers are recommended to only permit this if they keep a changelog on contact information + to prevent misuse. + +The recommendation for users to continue receiving/reading messages is largely so the administrator +can maintain contact with the user, where applicable. Future MSCs may improve upon the admin<>user +communication, and account locking may also be used to prevent access to messages. The suggested set of explicitly forbidden actions is: @@ -43,6 +53,7 @@ The suggested set of explicitly forbidden actions is: * Sending messages. * Sending invites. * Changing profile data (display name and avatar). +* Redacting other users' events (when a moderator/admin of a room, for example). ## Potential issues From c54e982a49429977aafa95cf769044e0787ace50 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 18 Nov 2024 16:28:50 -0700 Subject: [PATCH 7/7] Clarify differences in locking vs suspension, and future scope --- proposals/3823-code-for-account-suspension.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/proposals/3823-code-for-account-suspension.md b/proposals/3823-code-for-account-suspension.md index 7cdbd19ff2a..3458736c193 100644 --- a/proposals/3823-code-for-account-suspension.md +++ b/proposals/3823-code-for-account-suspension.md @@ -69,7 +69,10 @@ flag, though ideally each error code should provide meaning on its own. The related concept of locking, as discussed in places like [MSC3939](https://github.com/matrix-org/matrix-spec-proposals/pull/3939) and [matrix-org/glossary](https://github.com/matrix-org/glossary), is semantically different from -suspension. +suspension. Suspension has the key difference that the user is *not* logged out of their client, +typically used by safety teams, while locking *does* log the user out and would primarily be used by +security teams. A future MSC may combine or split the two related error codes into a descriptive set +of capabilities the user can perform. ## Unstable prefixes