From 2f197969fe662870e28416ca632af9cca085d126 Mon Sep 17 00:00:00 2001
From: Aaron Raimist <aaron@raim.ist>
Date: Mon, 13 Apr 2020 18:50:53 -0500
Subject: [PATCH 1/6] Create MSC with fixes for client well-known

Signed-off-by: Aaron Raimist <aaron@raim.ist>
---
 proposals/2499-client-well-known-fixes.md | 35 +++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 proposals/2499-client-well-known-fixes.md

diff --git a/proposals/2499-client-well-known-fixes.md b/proposals/2499-client-well-known-fixes.md
new file mode 100644
index 000000000..43daf19e4
--- /dev/null
+++ b/proposals/2499-client-well-known-fixes.md
@@ -0,0 +1,35 @@
+# MSC2499: Fixes for Client Well-known URI
+
+Several minor issues and inconsistencies have cropped up since the `/.well-known/matrix/client`
+method was added to allow clients to discover servers. This proposal intends to fix these issues.
+
+## Proposal
+
+The following changes should be made to the client server spec:
+
+1. The spec does not mention that redirects should be followed. The spec should be changed to
+state that when a client is looking up the well-known URI, it should follow HTTP 3xx redirects
+up to 30 times. This is consistent with the redirects followed when a server resolves a
+server name using `/.well-known/matrix/server`.
+
+1. Currently the spec does not mention which Content-Type should be used for the response to
+`/.well-known/matrix/client`. The Content-Type SHOULD be `application/json` however it
+should be assumed to be JSON regardless of type. This is consistent with the Server-Server API.
+
+1. When a client is following the flow described in the spec for looking up `/.well-known/matrix/client`,
+the spec currently states, in part:
+
+    > 3․ Make a GET request to https://hostname/.well-known/matrix/client.<br>
+	>>  a․ If the returned status code is 404, then `IGNORE`.<br>
+    >>  b․ If the returned status code is not 200, or the response body is empty, then `FAIL_PROMPT`.
+
+    In practice most web servers do not add CORS headers on 404 errors by default. Therefore
+    web based clients cannot always determine if the status code is 404. Step 3b should be 
+    changed from `FAIL_PROMPT` to `IGNORE` so that a non 200 response is treated in the same
+    way as 404. This change is intended to fix issues like https://github.com/vector-im/riot-web/issues/7875.
+  
+    This change does have potential security concerns, see https://github.com/vector-im/riot-web/issues/11136.
+
+1. Step 3f in the flow should be changed to use the modern `/_matrix/identity/v2` API to
+validate the identity server rather than the deprecated `/_matrix/identity/api/v1`. Clients
+should fall back to the v1 API as described in the identity service spec.

From 9ca1b651b7d1da0fc112005e5e010e63bcd5cd3d Mon Sep 17 00:00:00 2001
From: Aaron Raimist <aaron@raim.ist>
Date: Sun, 25 Apr 2021 23:52:29 -0500
Subject: [PATCH 2/6] Clarify redirects that should be followed, add maximum
 size

Signed-off-by: Aaron Raimist <aaron@raim.ist>
---
 proposals/2499-client-well-known-fixes.md | 33 ++++++++++++-----------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/proposals/2499-client-well-known-fixes.md b/proposals/2499-client-well-known-fixes.md
index 43daf19e4..3fc44c9bd 100644
--- a/proposals/2499-client-well-known-fixes.md
+++ b/proposals/2499-client-well-known-fixes.md
@@ -1,23 +1,23 @@
-# MSC2499: Fixes for Client Well-known URI
+# MSC2499: Fixes for Well-Known URIs
 
-Several minor issues and inconsistencies have cropped up since the `/.well-known/matrix/client`
-method was added to allow clients to discover servers. This proposal intends to fix these issues.
+Several minor issues and inconsistencies have come up with the well-known URIs used for
+discovering clients and servers. This proposal intends to fix these issues.
 
 ## Proposal
 
-The following changes should be made to the client server spec:
+The following changes should be made to the spec:
 
-1. The spec does not mention that redirects should be followed. The spec should be changed to
-state that when a client is looking up the well-known URI, it should follow HTTP 3xx redirects
-up to 30 times. This is consistent with the redirects followed when a server resolves a
-server name using `/.well-known/matrix/server`.
+1. The spec does not mention that redirects should be followed for `/.well-known/matrix/client`
+and does not clearly specify what type of redirects should be followed for `/.well-known/matrix/server`.
+To fix this, the spec should be changed to state that when a well-known URI is requested,
+the client or server should follow HTTP 301, 302, 303, 307, and 308 redirects up to 30 times.
 
 1. Currently the spec does not mention which Content-Type should be used for the response to
-`/.well-known/matrix/client`. The Content-Type SHOULD be `application/json` however it
-should be assumed to be JSON regardless of type. This is consistent with the Server-Server API.
+`/.well-known/matrix/client`. The Client-Server spec should be changed to state the Content-Type
+SHOULD be `application/json` however it should be assumed to be JSON regardless of Content-Type.
+This is consistent with the Server-Server API.
 
-1. When a client is following the flow described in the spec for looking up `/.well-known/matrix/client`,
-the spec currently states, in part:
+1. The Client-Server spec for looking up `/.well-known/matrix/client` currently states, in part:
 
     > 3․ Make a GET request to https://hostname/.well-known/matrix/client.<br>
 	>>  a․ If the returned status code is 404, then `IGNORE`.<br>
@@ -30,6 +30,9 @@ the spec currently states, in part:
   
     This change does have potential security concerns, see https://github.com/vector-im/riot-web/issues/11136.
 
-1. Step 3f in the flow should be changed to use the modern `/_matrix/identity/v2` API to
-validate the identity server rather than the deprecated `/_matrix/identity/api/v1`. Clients
-should fall back to the v1 API as described in the identity service spec.
+1. Step 3f in the Client-Server well-known flow should be changed to use the modern
+`/_matrix/identity/v2` API to validate the identity server rather than the deprecated
+`/_matrix/identity/api/v1`.
+
+1. The maximum size of size of the well-known file is 51200 bytes. A client or server
+requesting a well-known file MUST abort and FAIL_PROMPT if the response exceeds 51200 bytes.
\ No newline at end of file

From 1a6a0e4734390f8eb75d2d15ffb45618998b9833 Mon Sep 17 00:00:00 2001
From: Aaron Raimist <aaron@raim.ist>
Date: Thu, 6 May 2021 13:49:22 -0500
Subject: [PATCH 3/6] Remove change from FAIL_PROMPT to IGNORE

Signed-off-by: Aaron Raimist <aaron@raim.ist>
---
 proposals/2499-client-well-known-fixes.md | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/proposals/2499-client-well-known-fixes.md b/proposals/2499-client-well-known-fixes.md
index 3fc44c9bd..8bc9de56a 100644
--- a/proposals/2499-client-well-known-fixes.md
+++ b/proposals/2499-client-well-known-fixes.md
@@ -17,19 +17,6 @@ the client or server should follow HTTP 301, 302, 303, 307, and 308 redirects up
 SHOULD be `application/json` however it should be assumed to be JSON regardless of Content-Type.
 This is consistent with the Server-Server API.
 
-1. The Client-Server spec for looking up `/.well-known/matrix/client` currently states, in part:
-
-    > 3․ Make a GET request to https://hostname/.well-known/matrix/client.<br>
-	>>  a․ If the returned status code is 404, then `IGNORE`.<br>
-    >>  b․ If the returned status code is not 200, or the response body is empty, then `FAIL_PROMPT`.
-
-    In practice most web servers do not add CORS headers on 404 errors by default. Therefore
-    web based clients cannot always determine if the status code is 404. Step 3b should be 
-    changed from `FAIL_PROMPT` to `IGNORE` so that a non 200 response is treated in the same
-    way as 404. This change is intended to fix issues like https://github.com/vector-im/riot-web/issues/7875.
-  
-    This change does have potential security concerns, see https://github.com/vector-im/riot-web/issues/11136.
-
 1. Step 3f in the Client-Server well-known flow should be changed to use the modern
 `/_matrix/identity/v2` API to validate the identity server rather than the deprecated
 `/_matrix/identity/api/v1`.

From 4c2d13a95f16859697c7ef2e46fd570632edc311 Mon Sep 17 00:00:00 2001
From: Aaron Raimist <aaron@raim.ist>
Date: Thu, 6 May 2021 14:21:47 -0500
Subject: [PATCH 4/6] Update proposals/2499-client-well-known-fixes.md

Co-authored-by: Travis Ralston <travpc@gmail.com>
---
 proposals/2499-client-well-known-fixes.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/proposals/2499-client-well-known-fixes.md b/proposals/2499-client-well-known-fixes.md
index 8bc9de56a..2432ece70 100644
--- a/proposals/2499-client-well-known-fixes.md
+++ b/proposals/2499-client-well-known-fixes.md
@@ -18,8 +18,8 @@ SHOULD be `application/json` however it should be assumed to be JSON regardless
 This is consistent with the Server-Server API.
 
 1. Step 3f in the Client-Server well-known flow should be changed to use the modern
-`/_matrix/identity/v2` API to validate the identity server rather than the deprecated
+`/_matrix/identity/versions` API to validate the identity server rather than the deprecated
 `/_matrix/identity/api/v1`.
 
 1. The maximum size of size of the well-known file is 51200 bytes. A client or server
-requesting a well-known file MUST abort and FAIL_PROMPT if the response exceeds 51200 bytes.
\ No newline at end of file
+requesting a well-known file MUST abort and FAIL_PROMPT if the response exceeds 51200 bytes.

From a8b5fbdfa302498049a8cd3514d221d065573eef Mon Sep 17 00:00:00 2001
From: Aaron Raimist <aaron@raim.ist>
Date: Thu, 6 May 2021 14:22:50 -0500
Subject: [PATCH 5/6] Deprecate /_matrix/identity/v2

Signed-off-by: Aaron Raimist <aaron@raim.ist>
---
 proposals/2499-client-well-known-fixes.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/proposals/2499-client-well-known-fixes.md b/proposals/2499-client-well-known-fixes.md
index 2432ece70..c4ac1a2e2 100644
--- a/proposals/2499-client-well-known-fixes.md
+++ b/proposals/2499-client-well-known-fixes.md
@@ -21,5 +21,8 @@ This is consistent with the Server-Server API.
 `/_matrix/identity/versions` API to validate the identity server rather than the deprecated
 `/_matrix/identity/api/v1`.
 
+1. Mark the `/_matrix/identity/v2` status check API as deprecated. `/_matrix/identity/versions`
+is the suggested replacement.
+
 1. The maximum size of size of the well-known file is 51200 bytes. A client or server
 requesting a well-known file MUST abort and FAIL_PROMPT if the response exceeds 51200 bytes.

From fb2186baedd9f3fc5a5d4e428ac40614cbd6ac5c Mon Sep 17 00:00:00 2001
From: Aaron Raimist <aaron@raim.ist>
Date: Sat, 25 Mar 2023 23:18:15 -0600
Subject: [PATCH 6/6] Remove duplicate words

Co-authored-by: Vladimir Panteleev <CyberShadow@users.noreply.github.com>
---
 proposals/2499-client-well-known-fixes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proposals/2499-client-well-known-fixes.md b/proposals/2499-client-well-known-fixes.md
index c4ac1a2e2..775bad464 100644
--- a/proposals/2499-client-well-known-fixes.md
+++ b/proposals/2499-client-well-known-fixes.md
@@ -24,5 +24,5 @@ This is consistent with the Server-Server API.
 1. Mark the `/_matrix/identity/v2` status check API as deprecated. `/_matrix/identity/versions`
 is the suggested replacement.
 
-1. The maximum size of size of the well-known file is 51200 bytes. A client or server
+1. The maximum size of the well-known file is 51200 bytes. A client or server
 requesting a well-known file MUST abort and FAIL_PROMPT if the response exceeds 51200 bytes.