From 1facf7ff12834ad06fcaff9ee5e2cdf9d1302837 Mon Sep 17 00:00:00 2001
From: Patrick Cloke <patrickc@matrix.org>
Date: Thu, 12 Mar 2020 14:14:20 -0400
Subject: [PATCH 1/4] Add an MSC proposal for how to handle sessions when
 modifying a password.

---
 ...sword-modification-invalidating-devices.md | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 proposals/2457-password-modification-invalidating-devices.md

diff --git a/proposals/2457-password-modification-invalidating-devices.md b/proposals/2457-password-modification-invalidating-devices.md
new file mode 100644
index 000000000..910e7b62f
--- /dev/null
+++ b/proposals/2457-password-modification-invalidating-devices.md
@@ -0,0 +1,53 @@
+# Invalidating devices during password modification
+
+There are multiple use cases for why a user might want to modify their password:
+
+* Adopting a password manager (to use a unique password or more secure password).
+* Password rotation.
+* Re-secure a compromised account.
+* ... probably tons of others ...
+
+These can be summarized into two groups:
+
+1. "My account has been compromised and I need to re-secure it."
+2. "I just want to change my password."
+
+The [current Matrix specification](https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-account-password)
+does not provide a way to differentiate between these use cases. It gives no
+guidance into what should happen to other sessions / devices when a password is
+modified and leaves it up to the implementation.
+
+It is reasonable for a client to want to specify this behavior to offer two
+different workflows:
+
+1. Modify a password and log all other devices out (for use when an account has
+   been compromised).
+2. Modify a password and do not touch any session data (for use in a
+   non-malicious situations).
+
+Alternately a client may default to whichever workflow is best for their users.
+
+## Proposal
+
+An optional field is added to the JSON body body of the [password reset endpoint](https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-account-password)
+called `logout_devices`. This is a boolean flag (defaulting to `true`) that
+signals to whether other devices and sessions should be invalidated after
+modifying the password.
+
+## Potential issues
+
+While Synapse defaults to the behavior of invalidating other devices and
+sessions this may not be true of other implementations. Thus, a default of
+`true` may not be backwards compatible. It might be more prudent to specify that
+the behavior of not specifying the `logout_devices` flag is undefined.
+
+## Alternatives
+
+Provide a new endpoint in a future version that supports an additional field (as
+above), using a new endpoint would avoid backwards compatibility issues.
+
+## Security considerations
+
+By defaulting to invalidating devices and sessions the security considerations
+of this endpoint should remain intact. A client will need to be modified to
+choose to keep other devices active.

From 61b306f8a8a63005f2ab131d32cbf1d5409ddada Mon Sep 17 00:00:00 2001
From: Patrick Cloke <patrickc@matrix.org>
Date: Fri, 13 Mar 2020 07:12:57 -0400
Subject: [PATCH 2/4] Remove concerns about backwards compatibility.

---
 ...-password-modification-invalidating-devices.md | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/proposals/2457-password-modification-invalidating-devices.md b/proposals/2457-password-modification-invalidating-devices.md
index 910e7b62f..9af6e2296 100644
--- a/proposals/2457-password-modification-invalidating-devices.md
+++ b/proposals/2457-password-modification-invalidating-devices.md
@@ -36,15 +36,18 @@ modifying the password.
 
 ## Potential issues
 
-While Synapse defaults to the behavior of invalidating other devices and
-sessions this may not be true of other implementations. Thus, a default of
-`true` may not be backwards compatible. It might be more prudent to specify that
-the behavior of not specifying the `logout_devices` flag is undefined.
+The specification states:
+
+> The homeserver SHOULD NOT revoke the access token provided in the request,
+> however all other access tokens for the user should be revoked if the request
+> succeeds.
+
+Defaulting `logout_devices` to `true` should be backwards compatible.
 
 ## Alternatives
 
-Provide a new endpoint in a future version that supports an additional field (as
-above), using a new endpoint would avoid backwards compatibility issues.
+A new endpoint could be provided in a future version of the specification that
+supports an additional field (as described above).
 
 ## Security considerations
 

From 2d2731efff99ddeb67bdb16a716ed1eba8660189 Mon Sep 17 00:00:00 2001
From: Patrick Cloke <clokep@users.noreply.github.com>
Date: Mon, 16 Mar 2020 10:42:17 -0400
Subject: [PATCH 3/4] Remove duplicated word.

Co-Authored-By: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
---
 proposals/2457-password-modification-invalidating-devices.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proposals/2457-password-modification-invalidating-devices.md b/proposals/2457-password-modification-invalidating-devices.md
index 9af6e2296..9b59156c9 100644
--- a/proposals/2457-password-modification-invalidating-devices.md
+++ b/proposals/2457-password-modification-invalidating-devices.md
@@ -29,7 +29,7 @@ Alternately a client may default to whichever workflow is best for their users.
 
 ## Proposal
 
-An optional field is added to the JSON body body of the [password reset endpoint](https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-account-password)
+An optional field is added to the JSON body of the [password reset endpoint](https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-account-password)
 called `logout_devices`. This is a boolean flag (defaulting to `true`) that
 signals to whether other devices and sessions should be invalidated after
 modifying the password.

From 745f8c09df6f948f9083449b2b0848444776855e Mon Sep 17 00:00:00 2001
From: Patrick Cloke <patrickc@matrix.org>
Date: Fri, 27 Mar 2020 13:59:37 -0400
Subject: [PATCH 4/4] Fix incorrect statement about the current spec's
 guidance.

---
 .../2457-password-modification-invalidating-devices.md      | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/proposals/2457-password-modification-invalidating-devices.md b/proposals/2457-password-modification-invalidating-devices.md
index 9b59156c9..ccde2ac6d 100644
--- a/proposals/2457-password-modification-invalidating-devices.md
+++ b/proposals/2457-password-modification-invalidating-devices.md
@@ -13,9 +13,9 @@ These can be summarized into two groups:
 2. "I just want to change my password."
 
 The [current Matrix specification](https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-account-password)
-does not provide a way to differentiate between these use cases. It gives no
-guidance into what should happen to other sessions / devices when a password is
-modified and leaves it up to the implementation.
+does not provide a way to differentiate between these use cases. It currently
+specifies behavior that fits well into the first use-case above: that the
+sessions except the current session should be revoked.
 
 It is reasonable for a client to want to specify this behavior to offer two
 different workflows: