Clarify UI expectations

babolivier/m_locked
Travis Ralston 2 months ago
parent 02c3a9e40a
commit 257207b82f

@ -27,14 +27,6 @@ a more useful error message about their account status, though their session dat
may be deleted by the client if it doesn't recognize the error code. Soft logout
aims to prevent total destruction of this data, however.
Clients MAY prevent actually logging the user out until the error code or response
changes. This is to allow the client to emit a few more requests after receiving
the error, as may be the case with a very active `/sync` loop. Once the error code
changes (but remains a 401 otherwise, regardless of soft logout), the client
should proceed with the logout. Similarly, if the response changes from an error
to a successful response, the client can assume the account has been unlocked and
return to normal operation without needing to get a new access token.
Upon receiving the `M_USER_LOCKED` error, clients SHOULD retain session information
including encryption state and inform the user that their account has been locked.
Details about *why* the user's account is locked are not formally described by
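Review bot: With the paragraph starting "Clients MAY prevent actually logging the user out" dropped from this hunk (the header goes from 14 lines to 6), the text no longer says that a client returning to normal operation after an unlock can do so "without needing to get a new access token". The replacement wording later in the file only says `/sync` "will return to working as though nothing ever happened", which leaves the validity of the existing token implicit. Suggest carrying that clause over into the new paragraph so implementers do not treat an unlock as requiring re-authentication.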
@ -43,6 +35,18 @@ against their account should have such details. Clients may wish to make use of
[server contact discovery](https://spec.matrix.org/v1.10/client-server-api/#getwell-knownmatrixsupport)
in the meantime.
Clients SHOULD hide the normal UI from the user when informing them that their
account is locked, preventing general use of the account.
Clients SHOULD continue to `/sync` and make other API calls to more quickly detect
when the lock has been lifted. If unlocked, the APIs will either return a different
error code or a normal 200 OK/successful response. For example, `/sync` will return
to working as though nothing ever happened. If the error code changes to
`M_UNKNOWN_TOKEN`, the client should delete local session data as it normally
would when seeing the error code (and use soft logout as it normally would). This
is typically expected if the server admin logged the user out or the user logged
themselves out.
Locked accounts are still permitted to access the following API endpoints:
* [`POST /logout`](https://spec.matrix.org/v1.9/client-server-api/#post_matrixclientv3logout)
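Review bot: The new sentence "Clients SHOULD continue to `/sync` and make other API calls" gives no guidance on request rate, so a locked client may keep a very active `/sync` loop running against a server that answers every call with `M_USER_LOCKED`. Suggest stating that clients should back off between attempts while the account is locked. Separately, the context links in this hunk point at different spec versions (`v1.10` for server contact discovery, `v1.9` for `POST /logout`); pinning both to the same version would be more consistent.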
