MSC4170: 403 error responses for profile APIs (#1867)

Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>
2 months ago · 871c10577e
parent 27b4cdcc9e
commit 871c10577e
5 changed files with 67 additions and 2 deletions
--- a/changelogs/client_server/newsfragments/1867.feature
+++ b/changelogs/client_server/newsfragments/1867.feature
@ -0,0 +1 @@
 Add 403 responses on `/profile/{userId}/avatar_url` and `/profile/{userId}/displayname` as per [MSC4170](https://github.com/matrix-org/matrix-spec-proposals/pull/4170).
--- a/changelogs/server_server/newsfragments/1867.feature
+++ b/changelogs/server_server/newsfragments/1867.feature
@ -0,0 +1 @@
 Add 403 response on `/query/profile` as per [MSC4170](https://github.com/matrix-org/matrix-spec-proposals/pull/4170).
--- a/content/client-server-api/_index.md
+++ b/content/client-server-api/_index.md
@ -2753,7 +2753,25 @@ re-invited.
 {{% http-api spec="client-server" api="profile" %}}
-#### Events on Change of Profile Information
+#### Server behaviour
 Homeservers MUST at a minimum allow profile look-up for:
 -   users that share a room with the requesting user
 -   users that reside in public rooms known to the homeserver
 In all other cases, homeservers MAY deny profile look-up by responding with
 403 and an error code of `M_FORBIDDEN`.
 When a remote user is queried and the query is not denied per the above,
 homeservers SHOULD query the remote server for the user's profile information.
 The remote server MAY itself deny profile queries over federation, however.
 When the requested user does not exist, homeservers MAY choose whether to
 respond with 403 or 404. If the server denies profile look-up in all but the
 required cases, 403 is RECOMMENDED.
 ##### Events on Change of Profile Information
 Because the profile display name and avatar information are likely to be
 used in many places of a client's display, changes to these fields cause
--- a/data/api/client-server/profile.yaml
+++ b/data/api/client-server/profile.yaml
@ -98,6 +98,20 @@ paths:
                  value: {
                    "displayname": "Alice Margatroid"
                  }
        "403":
          x-addedInMatrixVersion: "1.12"
          description: The server is unwilling to disclose whether the user exists and/or
            has a display name.
          content:
            application/json:
              schema:
                $ref: definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_FORBIDDEN",
                    "error": "Profile lookup is disabled on this homeserver"
                  }
        "404":
          description: There is no display name for this user or this user does not exist.
      tags:
@ -185,6 +199,20 @@ paths:
                  value: {
                    "avatar_url": "mxc://matrix.org/SDGdghriugerRg"
                  }
        "403":
          x-addedInMatrixVersion: "1.12"
          description: The server is unwilling to disclose whether the user exists and/or
            has an avatar URL.
          content:
            application/json:
              schema:
                $ref: definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_FORBIDDEN",
                    "error": "Profile lookup is disabled on this homeserver"
                  }
        "404":
          description: There is no avatar URL for this user or this user does not exist.
      tags:
@ -239,7 +267,7 @@ paths:
                response:
                  value: {
                    "errcode": "M_FORBIDDEN",
-                    "error": "Profile lookup over federation is disabled on this homeserver"
+                    "error": "Profile lookup is disabled on this homeserver"
                  }
        "404":
          description: There is no profile information for this user or this user does not
--- a/data/api/server-server/query.yaml
+++ b/data/api/server-server/query.yaml
@ -117,6 +117,9 @@ paths:
        Servers may wish to cache the response to this query to avoid requesting the
        information too often.
        Servers MAY deny profile look-up over federation by responding with 403 and an
        error code of `M_FORBIDDEN`.
      operationId: queryProfile
      security:
        - signedRequest: []
@ -172,6 +175,20 @@ paths:
                    "displayname": "John Doe",
                    "avatar_url": "mxc://matrix.org/MyC00lAvatar"
                  }
        "403":
          x-addedInMatrixVersion: "1.12"
          description: The server is unwilling to disclose whether the user exists and/or
            has profile information.
          content:
            application/json:
              schema:
                $ref: ../client-server/definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_FORBIDDEN",
                    "error": "Profile lookup over federation is disabled on this homeserver"
                  }
        "404":
          description: The user does not exist or does not have a profile.
          content:
		`@ -0,0 +1 @@`
							Add 403 responses on `/profile/{userId}/avatar_url` and `/profile/{userId}/displayname` as per [MSC4170](https://github.com/matrix-org/matrix-spec-proposals/pull/4170).
		`@ -0,0 +1 @@`
							Add 403 response on `/query/profile` as per [MSC4170](https://github.com/matrix-org/matrix-spec-proposals/pull/4170).