From 984e0af7b221b480f3bc1bd0c9795a1a6411d515 Mon Sep 17 00:00:00 2001 From: Tulir Asokan Date: Sat, 24 Aug 2019 11:58:33 +0300 Subject: [PATCH] Re-word auth rule section on handling each target separately Co-authored-by: Jason Volk Signed-off-by: Tulir Asokan Signed-off-by: Jason Volk --- proposals/2244-mass-redactions.md | 43 ++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 15 deletions(-) diff --git a/proposals/2244-mass-redactions.md b/proposals/2244-mass-redactions.md index 296ffeeef..688022214 100644 --- a/proposals/2244-mass-redactions.md +++ b/proposals/2244-mass-redactions.md @@ -23,17 +23,21 @@ limit would cap a single redaction event at a bit less than 1500 targets. Redactions are not intrinsically heavy, so a separate limit should not be necessary. -### Auth rules +### Client behavior +Clients shall apply existing `m.room.redaction` target behavior over an array +of event ID strings. + +### Server behavior The redaction auth rules should change to iterate the array and check if the sender has the privileges to redact each event. There are at least two potential ways to handle targets that are not found or -rejected: soft failing until all targets are found and handling each target +rejected: soft failing until all targets are found or handling each target separately. #### Soft fail -Soft fail the event until all targets are found, then accept only if the sender -has the privileges to redact every listed event. This is how redactions +[Soft fail] the event until all targets are found, then accept only if the +sender has the privileges to redact every listed event. This is how redactions currently work. This has the downside of requiring servers to fetch all the target events (and @@ -41,19 +45,27 @@ possibly forward them to clients) before being able to process and forward the redaction event. #### Handle each target separately -Handle each target separately: if some targets are not found, remember the -redaction and check auth rules when the target is received. This option brings -some complexities, but might be more optimal in situations such as a spam -attack. +The target events of an `m.room.redaction` shall no longer be considered when +deciding the authenticity of an `m.room.redaction` event. Any other existing +rules remain unchanged. + +When a server accepts an `m.room.redaction` using the modified auth rules, it +evaluates targets individually for authenticity under the existing auth rules. +Servers MUST NOT include failing and unknown entries to clients. + +> Servers do not know whether redaction targets are authorized at the time they + receive the `m.room.redaction` unless they are in possession of the target + event. Implementations retain entries in the original list which were not + shared with clients to later evaluate the target's redaction status. -When receiving a redaction event: -* Ignore illegal targets -* "Remember" targets that can't be found -* Send legal target event IDs to clients in the redaction event. +When the implementation receives a belated target from an earlier +`m.room.redaction`, it evaluates at that point whether the redaction is +authorized. -When receiving an event that is "remembered" to be possibly redacted by an -earlier redaction, check if the redaction was legal, and if it was, do not -send the event to clients. +> Servers should not send belated target events to clients if their redaction + was found to be authentic, as clients were not made aware of the redaction. + That fact is also used to simply ignore unauthorized targets and send the + events to clients normally. ## Tradeoffs @@ -64,3 +76,4 @@ send the event to clients. [1]: https://img.mau.lu/hEqqt.png [MSC2174]: https://github.com/matrix-org/matrix-doc/pull/2174 +[Soft fail]: https://matrix.org/docs/spec/server_server/r0.1.3#soft-failure