MSC: Error on invalid auth where it is optional
Signed-off-by: Matthias Ahouansou <matthias@ahouansou.cz>pull/4128/head
parent
1a82fca4eb
commit
733467ae78
@ -0,0 +1,44 @@
|
|||||||
|
# MSC4128: Error on invalid optional authentication
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
|
||||||
|
[MSC4026](https://github.com/matrix-org/matrix-spec-proposals/pull/4026) added optional authentication
|
||||||
|
to the `/versions` endpoint, the first of the spec to do so. However, this MSC did not specify the behaviour
|
||||||
|
of servers in cases where the authentication failed.
|
||||||
|
|
||||||
|
Similarly, endpoints like `POST /login` and `POST /register` accept authentication only from appservices, and
|
||||||
|
the behaviour of cases where either the authentication failed and/or the user to be accessed was unavailable
|
||||||
|
(user does not exist, user is deactivated, etc.).
|
||||||
|
|
||||||
|
This has lead to some implementations of the spec expecting the request to go through even when the auth is
|
||||||
|
invalid, while some servers respond with an error in the above cases, damaging interoperability.
|
||||||
|
|
||||||
|
## Proposal
|
||||||
|
|
||||||
|
In cases where authentication is optional and provided, servers should respond with an error when the authentication
|
||||||
|
token is invalid, and/or
|
||||||
|
[the user the appservice is acting as](https://spec.matrix.org/v1.10/application-service-api/#identity-assertion)
|
||||||
|
is unavailable.
|
||||||
|
|
||||||
|
## Potential issues
|
||||||
|
|
||||||
|
Once merged, implementations unaware of this change may error unexpectedly, as they previously depended on such
|
||||||
|
endpoints not returning an error. However, since this has already occurred with some servers already doing this,
|
||||||
|
it is best to specify this so that implementers know to account for this.
|
||||||
|
|
||||||
|
## Alternatives
|
||||||
|
|
||||||
|
Specifying that servers must **not** error in these cases is a possible alternative, but it is undesirable since
|
||||||
|
if the implementation is doing something wrong, they should be made aware of it as soon as possible.
|
||||||
|
|
||||||
|
## Security considerations
|
||||||
|
|
||||||
|
None considered.
|
||||||
|
|
||||||
|
## Unstable prefix
|
||||||
|
|
||||||
|
Due to this MSC simply enforcing that servers should error in specific conditions, no unstable prefix is applicable.
|
||||||
|
|
||||||
|
## Dependencies
|
||||||
|
|
||||||
|
None.
|
Loading…
Reference in New Issue