MSC: Error on invalid auth where it is optional
Signed-off-by: Matthias Ahouansou <matthias@ahouansou.cz>pull/4128/head
Matthias Ahouansou
3 months ago
parent
1a82fca4eb
commit
733467ae78
@ -0,0 +1,44 @@
|
||||
# MSC4128: Error on invalid optional authentication
|
||||
|
||||
## Introduction
|
||||
|
||||
[MSC4026](https://github.com/matrix-org/matrix-spec-proposals/pull/4026) added optional authentication
|
||||
to the `/versions` endpoint, the first of the spec to do so. However, this MSC did not specify the behaviour
|
||||
of servers in cases where the authentication failed.
|
||||
|
||||
Similarly, endpoints like `POST /login` and `POST /register` accept authentication only from appservices, and
|
||||
the behaviour of cases where either the authentication failed and/or the user to be accessed was unavailable
|
||||
(user does not exist, user is deactivated, etc.).
|
||||
|
||||
This has lead to some implementations of the spec expecting the request to go through even when the auth is
|
||||
invalid, while some servers respond with an error in the above cases, damaging interoperability.
|
||||
|
||||
## Proposal
|
||||
|
||||
In cases where authentication is optional and provided, servers should respond with an error when the authentication
|
||||
token is invalid, and/or
|
||||
[the user the appservice is acting as](https://spec.matrix.org/v1.10/application-service-api/#identity-assertion)
|
||||
is unavailable.
|
||||
|
||||
## Potential issues
|
||||
|
||||
Once merged, implementations unaware of this change may error unexpectedly, as they previously depended on such
|
||||
endpoints not returning an error. However, since this has already occurred with some servers already doing this,
|
||||
it is best to specify this so that implementers know to account for this.
|
||||
|
||||
## Alternatives
|
||||
|
||||
Specifying that servers must **not** error in these cases is a possible alternative, but it is undesirable since
|
||||
if the implementation is doing something wrong, they should be made aware of it as soon as possible.
|
||||
|
||||
## Security considerations
|
||||
|
||||
None considered.
|
||||
|
||||
## Unstable prefix
|
||||
|
||||
Due to this MSC simply enforcing that servers should error in specific conditions, no unstable prefix is applicable.
|
||||
|
||||
## Dependencies
|
||||
|
||||
None.
|
||||
Loading…
Reference in New Issue