From 010a6b05cda80ab32bd6716e61f54af2011e1e4c Mon Sep 17 00:00:00 2001 From: Olivier 'reivilibre Date: Fri, 14 Nov 2025 11:36:46 +0000 Subject: [PATCH] Clarify that servers may not use M_USER_DEACTIVATED when they don't know who is asking See: https://github.com/element-hq/synapse/issues/15747 --- data/api/client-server/login.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/api/client-server/login.yaml b/data/api/client-server/login.yaml index 28de0be1..95d24ad8 100644 --- a/data/api/client-server/login.yaml +++ b/data/api/client-server/login.yaml @@ -262,6 +262,8 @@ paths: or the requested device ID is the same as a cross-signing key ID. * `M_USER_DEACTIVATED`: The user has been deactivated. + Note that servers MAY choose not to use this error code and instead use `M_FORBIDDEN`, + particularly when the server can't authenticate the deactivated user. content: application/json: schema:
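Review bot: the sentence added under the `M_USER_DEACTIVATED` bullet gives no reason for the `M_FORBIDDEN` fallback, and its condition ("when the server can't authenticate the deactivated user") is worded differently from the commit subject ("when they don't know who is asking"). The subject is the clearer of the two, because the condition concerns the requester rather than the account. If the intent is to avoid telling an unauthenticated caller that an account exists and has been deactivated, say so in the spec text, for example "particularly when the request has not been authenticated as that user, to avoid disclosing the account's status". It would also help to add that clients cannot rely on `M_USER_DEACTIVATED` to detect a deactivated account at login, since a server following this note returns `M_FORBIDDEN` instead.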