diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst index 77dc90b6..6217b9fc 100644 --- a/specification/client_server_api.rst +++ b/specification/client_server_api.rst @@ -298,8 +298,42 @@ successfully: "session": "xxxxxx" } -If the homeserver decides the attempt was unsuccessful, it returns an error -message in the standard format: +Individual stages may require more than one request to complete, in which case +the response will be as if the request was unauthenticated with the addition of +any other keys as defined by the auth type. + +If the homeserver decides that an attempt on a stage was unsuccessful, but the +client may make a second attempt, it returns the same HTTP status 401 response +as above, with the addition of the standard ``errcode`` and ``error`` fields +describing the error. For example: + +.. code:: + + HTTP/1.1 401 Unauthorized + Content-Type: application/json + + { + "errcode": "M_FORBIDDEN", + "error": "Invalid password", + "completed": [ "example.type.foo" ], + "flows": [ + { + "stages": [ "example.type.foo", "example.type.bar" ] + }, + { + "stages": [ "example.type.foo", "example.type.baz" ] + } + ], + "params": { + "example.type.baz": { + "example_key": "foobar" + } + }, + "session": "xxxxxx" + } + +If the request fails for a reason other than authentication, the server returns an error +message in the standard format. For example: .. code:: @@ -311,10 +345,6 @@ message in the standard format: "error": "Something was wrong" } -Individual stages may require more than one request to complete, in which case -the response will be as if the request was unauthenticated with the addition of -any other keys as defined by the auth type. - If the client has completed all stages of a flow, the homeserver performs the API call and returns the result as normal. 
@@ -417,12 +447,6 @@ follows: In the case that the homeserver does not know about the supplied 3pid, the homeserver must respond with 403 Forbidden. -.. WARNING:: - Clients SHOULD enforce that the password provided is suitably complex. The - password SHOULD include a lower-case letter, an upper-case letter, a number - and a symbol and be at a minimum 8 characters in length. Servers MAY reject - weak passwords with an error code ``M_WEAK_PASSWORD``. - Google ReCaptcha <<<<<<<<<<<<<<<< :Type:
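Review bot: the first hunk (the new 401 example after "For example:") leaves a gap between the two failure cases it describes: an unsuccessful attempt where "the client may make a second attempt" gets the 401 response, and a failure "for a reason other than authentication" gets the standard error, but an authentication failure where the server will not allow another attempt (for example after repeated wrong passwords) falls into neither, so the text should say which response shape applies there. The example is also ambiguous about which stage the failed attempt belonged to: "completed" lists only "example.type.foo" while the error is "Invalid password", so the prose should state explicitly that a failed stage is not added to "completed" and that the "session" value is retained so the client can retry against the same session, which is what the example implies but never says.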
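Review bot: the last hunk removes the password-complexity WARNING without a replacement, and with it the only statement that "Servers MAY reject weak passwords with an error code ``M_WEAK_PASSWORD``"; if that error code is referenced anywhere else in the specification it is now undefined, and if it is not, the removal should be called out explicitly. Dropping the client-side "SHOULD enforce" rule is defensible, since a client-side check cannot be relied on, but the server-side clause is the one that actually protects accounts, so consider keeping at least "Servers MAY reject weak passwords with an error code ``M_WEAK_PASSWORD``" next to the password-based stage rather than deleting the whole block.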