Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC3823: Account Suspension #3823

Merged
merged 7 commits into from
Dec 1, 2024
Merged
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 85 additions & 0 deletions proposals/3823-code-for-account-suspension.md
Copy link
Member

@turt2live turt2live May 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implementation requirements:

Copy link
Member

@turt2live turt2live Sep 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The client implementation requirement has been questioned a bit - I think for this MSC, evidence of clients not exploding would be fine. The list won't be exhaustive or fully representative of the ecosystem, but would indicate the typical user experience.

Specifically, I think the following clients need to be tested with a suspended account:

  • Element Web
  • Element X (iOS or Android, or both)
  • Cinny
  • FluffyChat
  • Nheko

"Exploding" would be defined as the user being logged out, or otherwise unable to interact with their account. Failing to show the error message ("your account is suspended") is fine, but bonus points to the client if it makes it clear to the user. If the user can (minimally) interact with their rooms without being kicked to an error screen or login page, the client "works", even if clunky.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This testing has been completed by the T&S team at the Foundation. Results are compiled here: https://docs.google.com/document/d/1oTVKRLHCc6x4iYti8bkhRN3YbBO29oAjqmZE-mj-xXY/edit?usp=sharing

TLDR: The above-listed clients all passed, but a few had some weird-ish errors/rough edges. With my SCT hat, I don't think these rough edges are blockers for merging.

Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
# MSC3823: A code for account suspension
Yoric marked this conversation as resolved.
Show resolved Hide resolved
turt2live marked this conversation as resolved.
Show resolved Hide resolved

This MSC introduces a new error code that servers may send to clarify that an account has been
suspended *temporarily* but may still be reactivated.

## Proposal

### Introduction

Matrix has a code `M_USER_DEACTIVATED` that a server may return to describe an account that has been
deactivated. So far, this code has been used to represent accounts that have been *permanently*
deactivated. In particular, clients that interpret this error code display it imply that the account
has been *permanently* deactivated.

However, some countries (e.g. UK) have laws that require the ability to appeal account
deactivations. This requires the ability to specify that an account is *reversibly*
suspended and let users know about the appeals procedure.

This MSC simply introduces a new error code `M_USER_ACCOUNT_SUSPENDED` that servers may send to
turt2live marked this conversation as resolved.
Show resolved Hide resolved
clarify that an account has been suspended but that the solution may still be resolved either by
an appeal or by e.g. clearing up some abusive messages.

This MSC does *not* specify a mechanism to suspend or unsuspend the account or to handle appeals.

### Proposal

Introduce a new error code `M_USER_ACCOUNT_SUSPENDED`. This error code MAY be sent by the server
whenever a client attempts to use an API on behalf of a user whose account has been suspended.

| Name | Type | Value |
|------|------|-------|
| `href` | string | (optional) If specified, a URL containing more information for the user, such as action needed. |

The client is in charge of displaying an error message understandable by the user in case of `M_USER_ACCOUNT_SUSPENDED`,
as well as a link to `href`.

The web server serving `href` is in charge of localizing the message, using existing HTTP mechanisms,
to adapt the page to the end user's locale.

#### Examples

Returning a static page:

```json
{
"errcode": "M_USER_ACCOUNT_SUSPENDED",
"error": "The user account has been suspended, see link for details",
"href": "https://example.org/help/my-account-is-suspended-what-can-i-do
turt2live marked this conversation as resolved.
Show resolved Hide resolved
turt2live marked this conversation as resolved.
Show resolved Hide resolved
}
```

Returning a dynamic page customized for this specific user:

```json
{
"errcode": "M_USER_ACCOUNT_SUSPENDED",
"error": "The user account has been suspended, see link for details",
"href": "https://example.org/action-needed/please-redact-events?event-id=$event_1:example.org&event-id=$event_2:example.org
turt2live marked this conversation as resolved.
Show resolved Hide resolved
turt2live marked this conversation as resolved.
Show resolved Hide resolved
}
```


### Potential issues

See security considerations.

### Alternatives

We could reuse `M_USER_DEACTIVATED` and introduce an additional field:

| Name | Type | Value |
|------|------|-------|
| `permanent` | boolean | (optional) If `false`, the account may still be reactivated. |

in addition to the fields mentioned previously.

### Security considerations

This has the potential to expose private data.

To avoid this, any `M_USER_ACCOUNT_SUSPENDED` MUST NOT be sent without authentication.

### Unstable prefixes

During testing, `M_USER_ACCOUNT_SUSPENDED` will be prefixed as `M_ORG_MATRIX_MSC3823_USER_ACCOUNT_SUSPENDED`.
Yoric marked this conversation as resolved.
Show resolved Hide resolved