MSC3823: Account Suspension (#3823)

* MSC: A code for account suspension Signed-off-by: David Teller <davidt@element.io> * WIP: Adding prefix * Update proposals/3823-code-for-account-suspension.md Co-authored-by: Travis Ralston <travpc@gmail.com> * Apply suggestions from code review Co-authored-by: Dirk Klimpel <5740567+dklimpel@users.noreply.github.com> * Update for latest requirements * Add list of permitted/forbidden actions * Remove `href` from error code - this will be handled in a later MSC * Match modern template * Clarify MSC * Clarify differences in locking vs suspension, and future scope --------- Signed-off-by: David Teller <davidt@element.io> Co-authored-by: Travis Ralston <travpc@gmail.com> Co-authored-by: Dirk Klimpel <5740567+dklimpel@users.noreply.github.com> Co-authored-by: Travis Ralston <travisr@matrix.org>
1 year ago · aa7a3fc035
parent 9deddd1558
commit aa7a3fc035
1 changed files with 80 additions and 0 deletions
--- a/proposals/3823-code-for-account-suspension.md
+++ b/proposals/3823-code-for-account-suspension.md
@ -0,0 +1,80 @@
 # MSC3823: Account Suspension
 Unlike [account locking](https://spec.matrix.org/v1.12/client-server-api/#account-locking), suspension
 allows the user to have a (largely) readonly view of their account. Homeserver administrators and
 moderators may use this functionality to temporarily deactivate an account, or place conditions on
 the account's experience. Critically, like locking, account suspension is reversible, unlike the
 deactivation mechanism currently available in Matrix - a destructive, irreversible, action.
 This proposal introduces a concept of suspension to complement locking for server admins to use. Locking
 is typically more used in narrow scenarios, where the server admin wants to prevent the account from
 engaging any further. An example of this may be too many failed password attempts. Suspension is more
 general purpose to create a barrier to further action - a "something weird is going on -> suspend"
 kind of button.
 The error code introduced by this proposal is accompanied by guidelines on how servers can implement
 suspension. APIs to invoke or clear suspension are not introduced, and left as an implementation detail.
 These will typically be done through an administrator-only API.
 ## Proposal
 When an account is suspended, any [Client-Server API](https://spec.matrix.org/v1.10/client-server-api/)
 endpoint MAY return a 403 HTTP status code with `errcode` of `M_USER_SUSPENDED`. This indicates to
 the user that the associated action is unavailable.
 Clients should note that for more general endpoints, like `/send/:eventType`, suspension MAY only be
 applied to a subset of request parameters. For example, a user may be allowed to *redact* events but
 not send messages.
 The specific list of permitted actions during suspension is left as a deliberate implementation
 detail, however a server SHOULD permit the user to:
 * Log in/create additional sessions (which should also behave as suspended).
 * See and receive messages, particularly via `/sync` and `/messages`.
 * [Verify their other devices](https://spec.matrix.org/v1.10/client-server-api/#device-verification)
  and write associated [cross-signing data](https://spec.matrix.org/v1.10/client-server-api/#cross-signing).
 * [Populate their key backup](https://spec.matrix.org/v1.10/client-server-api/#server-side-key-backups).
 * Leave rooms & reject invites.
 * Redacting their own events.
 * Log out/delete any device of theirs, including the current session.
 * Deactivate their account, potentially with a deliberate time delay to discourage making a new
  account right away.
 * Change or add [admin contacts](https://spec.matrix.org/v1.10/client-server-api/#adding-account-administrative-contact-information),
  but not remove. Servers are recommended to only permit this if they keep a changelog on contact information
  to prevent misuse.
 The recommendation for users to continue receiving/reading messages is largely so the administrator
 can maintain contact with the user, where applicable. Future MSCs may improve upon the admin<>user
 communication, and account locking may also be used to prevent access to messages.
 The suggested set of explicitly forbidden actions is:
 * Joining or knocking on rooms, including accepting invites.
 * Sending messages.
 * Sending invites.
 * Changing profile data (display name and avatar).
 * Redacting other users' events (when a moderator/admin of a room, for example).
 ## Potential issues
 This proposal does not communicate *why* a user's account is restricted. The human-readable `error`
 field may contain some information, though anything comprehensive may not be surfaced to the user.
 A future MSC is expected to build a system for both informing the user of the action taken against
 their account and allow the user to appeal that action.
 ## Alternatives
 No significant alternatives are plausible. `M_USER_DEACTIVATED` could be expanded with a `permanent`
 flag, though ideally each error code should provide meaning on its own.
 The related concept of locking, as discussed in places like [MSC3939](https://github.com/matrix-org/matrix-spec-proposals/pull/3939)
 and [matrix-org/glossary](https://github.com/matrix-org/glossary), is semantically different from
 suspension. Suspension has the key difference that the user is *not* logged out of their client,
 typically used by safety teams, while locking *does* log the user out and would primarily be used by
 security teams. A future MSC may combine or split the two related error codes into a descriptive set
 of capabilities the user can perform.
 ## Unstable prefixes
 Until this proposal is considered stable, implementations must use
 `ORG.MATRIX.MSC3823.USER_SUSPENDED` instead of `M_USER_SUSPENDED`.