|
|
|
@ -71,10 +71,12 @@ inconsistency.
|
|
|
|
|
Any errors which occur at the Matrix API level MUST return a "standard
|
|
|
|
|
error response". This is a JSON object which looks like:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"errcode": "<error code>",
|
|
|
|
|
"error": "<error message>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
The `error` string will be a human-readable error message, usually a
|
|
|
|
|
sentence explaining what went wrong. The `errcode` string will be a
|
|
|
|
@ -439,6 +441,7 @@ homeserver returns an HTTP 401 response, with a JSON body, as follows:
|
|
|
|
|
HTTP/1.1 401 Unauthorized
|
|
|
|
|
Content-Type: application/json
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"flows": [
|
|
|
|
|
{
|
|
|
|
@ -455,6 +458,7 @@ homeserver returns an HTTP 401 response, with a JSON body, as follows:
|
|
|
|
|
},
|
|
|
|
|
"session": "xxxxxx"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
In addition to the `flows`, this object contains some extra information:
|
|
|
|
|
|
|
|
|
@ -482,6 +486,7 @@ type `example.type.foo`, it might submit something like this:
|
|
|
|
|
POST /_matrix/client/r0/endpoint HTTP/1.1
|
|
|
|
|
Content-Type: application/json
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"a_request_parameter": "something",
|
|
|
|
|
"another_request_parameter": "something else",
|
|
|
|
@ -491,6 +496,7 @@ type `example.type.foo`, it might submit something like this:
|
|
|
|
|
"example_credential": "verypoorsharedsecret"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If the homeserver deems the authentication attempt to be successful but
|
|
|
|
|
still requires more stages to be completed, it returns HTTP status 401
|
|
|
|
@ -501,6 +507,7 @@ client has completed successfully:
|
|
|
|
|
HTTP/1.1 401 Unauthorized
|
|
|
|
|
Content-Type: application/json
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"completed": [ "example.type.foo" ],
|
|
|
|
|
"flows": [
|
|
|
|
@ -518,6 +525,7 @@ client has completed successfully:
|
|
|
|
|
},
|
|
|
|
|
"session": "xxxxxx"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Individual stages may require more than one request to complete, in
|
|
|
|
|
which case the response will be as if the request was unauthenticated
|
|
|
|
@ -531,6 +539,7 @@ status 401 response as above, with the addition of the standard
|
|
|
|
|
HTTP/1.1 401 Unauthorized
|
|
|
|
|
Content-Type: application/json
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"errcode": "M_FORBIDDEN",
|
|
|
|
|
"error": "Invalid password",
|
|
|
|
@ -550,6 +559,7 @@ status 401 response as above, with the addition of the standard
|
|
|
|
|
},
|
|
|
|
|
"session": "xxxxxx"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If the request fails for a reason other than authentication, the server
|
|
|
|
|
returns an error message in the standard format. For example:
|
|
|
|
@ -557,10 +567,12 @@ returns an error message in the standard format. For example:
|
|
|
|
|
HTTP/1.1 400 Bad request
|
|
|
|
|
Content-Type: application/json
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"errcode": "M_EXAMPLE_ERROR",
|
|
|
|
|
"error": "Something was wrong"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If the client has completed all stages of a flow, the homeserver
|
|
|
|
|
performs the API call and returns the result as normal. Completed stages
|
|
|
|
@ -641,6 +653,7 @@ plain-text.
|
|
|
|
|
To use this authentication type, clients should submit an auth dict as
|
|
|
|
|
follows:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
{
|
|
|
|
|
"type": "m.login.password",
|
|
|
|
|
"identifier": {
|
|
|
|
@ -649,6 +662,7 @@ follows:
|
|
|
|
|
"password": "<password>",
|
|
|
|
|
"session": "<session ID>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
where the `identifier` property is a user identifier object, as
|
|
|
|
|
described in [Identifier types](#identifier-types).
|
|
|
|
@ -656,6 +670,7 @@ described in [Identifier types](#identifier-types).
|
|
|
|
|
For example, to authenticate using the user's Matrix ID, clients would
|
|
|
|
|
submit:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"type": "m.login.password",
|
|
|
|
|
"identifier": {
|
|
|
|
@ -665,11 +680,13 @@ submit:
|
|
|
|
|
"password": "<password>",
|
|
|
|
|
"session": "<session ID>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Alternatively reply using a 3PID bound to the user's account on the
|
|
|
|
|
homeserver using the `/account/3pid`\_ API rather than giving the `user`
|
|
|
|
|
explicitly as follows:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"type": "m.login.password",
|
|
|
|
|
"identifier": {
|
|
|
|
@ -680,6 +697,7 @@ explicitly as follows:
|
|
|
|
|
"password": "<password>",
|
|
|
|
|
"session": "<session ID>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
In the case that the homeserver does not know about the supplied 3PID,
|
|
|
|
|
the homeserver must respond with 403 Forbidden.
|
|
|
|
@ -695,11 +713,13 @@ The user completes a Google ReCaptcha 2.0 challenge
|
|
|
|
|
To use this authentication type, clients should submit an auth dict as
|
|
|
|
|
follows:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"type": "m.login.recaptcha",
|
|
|
|
|
"response": "<captcha response>",
|
|
|
|
|
"session": "<session ID>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Single Sign-On
|
|
|
|
|
|
|
|
|
@ -730,6 +750,7 @@ information should be submitted to the homeserver.
|
|
|
|
|
To use this authentication type, clients should submit an auth dict as
|
|
|
|
|
follows:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"type": "m.login.email.identity",
|
|
|
|
|
"threepidCreds": [
|
|
|
|
@ -742,6 +763,7 @@ follows:
|
|
|
|
|
],
|
|
|
|
|
"session": "<session ID>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Note that `id_server` (and therefore `id_access_token`) is optional if
|
|
|
|
|
the `/requestToken` request did not include them.
|
|
|
|
@ -762,6 +784,7 @@ information should be submitted to the homeserver.
|
|
|
|
|
To use this authentication type, clients should submit an auth dict as
|
|
|
|
|
follows:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"type": "m.login.msisdn",
|
|
|
|
|
"threepidCreds": [
|
|
|
|
@ -774,6 +797,7 @@ follows:
|
|
|
|
|
],
|
|
|
|
|
"session": "<session ID>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Note that `id_server` (and therefore `id_access_token`) is optional if
|
|
|
|
|
the `/requestToken` request did not include them.
|
|
|
|
@ -798,10 +822,12 @@ server can instead send flows `m.login.recaptcha, m.login.dummy` and
|
|
|
|
|
To use this authentication type, clients should submit an auth dict with
|
|
|
|
|
just the type and session, if provided:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"type": "m.login.dummy",
|
|
|
|
|
"session": "<session ID>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
##### Fallback
|
|
|
|
|
|
|
|
|
@ -820,11 +846,13 @@ This MUST return an HTML page which can perform this authentication
|
|
|
|
|
stage. This page must use the following JavaScript when the
|
|
|
|
|
authentication has been completed:
|
|
|
|
|
|
|
|
|
|
```js
|
|
|
|
|
if (window.onAuthDone) {
|
|
|
|
|
window.onAuthDone();
|
|
|
|
|
} else if (window.opener && window.opener.postMessage) {
|
|
|
|
|
window.opener.postMessage("authDone", "*");
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
This allows the client to either arrange for the global function
|
|
|
|
|
`onAuthDone` to be defined in an embedded browser, or to use the HTML5
|
|
|
|
@ -836,15 +864,18 @@ Once a client receives the notification that the authentication stage
|
|
|
|
|
has been completed, it should resubmit the request with an auth dict
|
|
|
|
|
with just the session ID:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"session": "<session ID>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Example
|
|
|
|
|
|
|
|
|
|
A client webapp might use the following JavaScript to open a popup
|
|
|
|
|
window which will handle unknown login types:
|
|
|
|
|
|
|
|
|
|
```js
|
|
|
|
|
/**
|
|
|
|
|
* Arguments:
|
|
|
|
|
* homeserverUrl: the base url of the homeserver (e.g. "https://matrix.org")
|
|
|
|
@ -891,9 +922,9 @@ window which will handle unknown login types:
|
|
|
|
|
"/fallback/web?session=" +
|
|
|
|
|
encodeURIComponent(sessionID);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
popupWindow = window.open(url);
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
##### Identifier types
|
|
|
|
|
|
|
|
|
@ -920,10 +951,12 @@ A client can identify a user using their Matrix ID. This can either be
|
|
|
|
|
the fully qualified Matrix user ID, or just the localpart of the user
|
|
|
|
|
ID.
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
"identifier": {
|
|
|
|
|
"type": "m.id.user",
|
|
|
|
|
"user": "<user_id or user localpart>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Third-party ID
|
|
|
|
|
|
|
|
|
@ -940,11 +973,13 @@ using the `/account/3pid`\_ API. See the [3PID
|
|
|
|
|
Types](../appendices.html#pid-types) Appendix for a list of Third-party
|
|
|
|
|
ID media.
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
"identifier": {
|
|
|
|
|
"type": "m.id.thirdparty",
|
|
|
|
|
"medium": "<The medium of the third party identifier>",
|
|
|
|
|
"address": "<The canonicalised third party address of the user>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Phone number
|
|
|
|
|
|
|
|
|
@ -962,11 +997,13 @@ If the client wishes to canonicalise the phone number, then it can use
|
|
|
|
|
the `m.id.thirdparty` identifier type with a `medium` of `msisdn`
|
|
|
|
|
instead.
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
"identifier": {
|
|
|
|
|
"type": "m.id.phone",
|
|
|
|
|
"country": "<The country that the phone number is from>",
|
|
|
|
|
"phone": "<The phone number>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
The `country` is the two-letter uppercase ISO-3166-1 alpha-2 country
|
|
|
|
|
code that the number in `phone` should be parsed as if it were dialled
|
|
|
|
@ -983,6 +1020,7 @@ API](#user-interactive-authentication-api).
|
|
|
|
|
For a simple username/password login, clients should submit a `/login`
|
|
|
|
|
request as follows:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"type": "m.login.password",
|
|
|
|
|
"identifier": {
|
|
|
|
@ -991,11 +1029,13 @@ request as follows:
|
|
|
|
|
},
|
|
|
|
|
"password": "<password>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Alternatively, a client can use a 3PID bound to the user's account on
|
|
|
|
|
the homeserver using the `/account/3pid`\_ API rather than giving the
|
|
|
|
|
`user` explicitly, as follows:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"type": "m.login.password",
|
|
|
|
|
"identifier": {
|
|
|
|
@ -1004,6 +1044,7 @@ the homeserver using the `/account/3pid`\_ API rather than giving the
|
|
|
|
|
},
|
|
|
|
|
"password": "<password>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
In the case that the homeserver does not know about the supplied 3PID,
|
|
|
|
|
the homeserver must respond with `403 Forbidden`.
|
|
|
|
@ -1011,10 +1052,12 @@ the homeserver must respond with `403 Forbidden`.
|
|
|
|
|
To log in using a login token, clients should submit a `/login` request
|
|
|
|
|
as follows:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"type": "m.login.token",
|
|
|
|
|
"token": "<login token>"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
As with [token-based]() interactive login, the `token` must encode the
|
|
|
|
|
user ID. In the case that the token is not valid, the homeserver must
|
|
|
|
@ -1166,6 +1209,7 @@ to change their password.
|
|
|
|
|
|
|
|
|
|
An example of the capability API's response for this capability is:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"capabilities": {
|
|
|
|
|
"m.change_password": {
|
|
|
|
@ -1173,6 +1217,7 @@ An example of the capability API's response for this capability is:
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### `m.room_versions` capability
|
|
|
|
|
|
|
|
|
@ -1183,6 +1228,7 @@ upgrade their rooms.
|
|
|
|
|
|
|
|
|
|
An example of the capability API's response for this capability is:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"capabilities": {
|
|
|
|
|
"m.room_versions": {
|
|
|
|
@ -1196,6 +1242,7 @@ An example of the capability API's response for this capability is:
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
This capability mirrors the same restrictions of [room
|
|
|
|
|
versions](../index.html#room-versions) to describe which versions are
|
|
|
|
@ -1626,36 +1673,48 @@ There are several APIs provided to `GET` events for a room:
|
|
|
|
|
|
|
|
|
|
Valid requests look like:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
PUT /rooms/!roomid:domain/state/m.example.event
|
|
|
|
|
{ "key" : "without a state key" }
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
```
|
|
|
|
|
PUT /rooms/!roomid:domain/state/m.another.example.event/foo
|
|
|
|
|
{ "key" : "with 'foo' as the state key" }
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
In contrast, these requests are invalid:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
POST /rooms/!roomid:domain/state/m.example.event/
|
|
|
|
|
{ "key" : "cannot use POST here" }
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
```
|
|
|
|
|
PUT /rooms/!roomid:domain/state/m.another.example.event/foo/11
|
|
|
|
|
{ "key" : "txnIds are not supported" }
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Care should be taken to avoid setting the wrong `state key`:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
PUT /rooms/!roomid:domain/state/m.another.example.event/11
|
|
|
|
|
{ "key" : "with '11' as the state key, but was probably intended to be a txnId" }
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
The `state_key` is often used to store state about individual users, by
|
|
|
|
|
using the user ID as the `state_key` value. For example:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
PUT /rooms/!roomid:domain/state/m.favorite.animal.event/%40my_user%3Aexample.org
|
|
|
|
|
{ "animal" : "cat", "reason": "fluffy" }
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
In some cases, there may be no need for a `state_key`, so it can be
|
|
|
|
|
omitted:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
PUT /rooms/!roomid:domain/state/m.room.bgd.color
|
|
|
|
|
{ "color": "red", "hex": "#ff0000" }
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
{{room\_send\_cs\_http\_api}}
|
|
|
|
|
|
|
|
|
@ -1872,19 +1931,23 @@ someone, the user performing the ban MUST have the required power level.
|
|
|
|
|
To ban a user, a request should be made to `/rooms/<room_id>/ban`\_
|
|
|
|
|
with:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"user_id": "<user id to ban>"
|
|
|
|
|
"user_id": "<user id to ban>",
|
|
|
|
|
"reason": "string: <reason for the ban>"
|
|
|
|
|
}
|
|
|
|
|
````
|
|
|
|
|
|
|
|
|
|
Banning a user adjusts the banned member's membership state to `ban`.
|
|
|
|
|
Like with other membership changes, a user can directly adjust the
|
|
|
|
|
target member's state, by making a request to
|
|
|
|
|
`/rooms/<room id>/state/m.room.member/<user id>`:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"membership": "ban"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
A user must be explicitly unbanned with a request to
|
|
|
|
|
`/rooms/<room_id>/unban`\_ before they can re-join the room or be
|
|
|
|
@ -1938,11 +2001,13 @@ Homeservers SHOULD implement rate limiting to reduce the risk of being
|
|
|
|
|
overloaded. If a request is refused due to rate limiting, it should
|
|
|
|
|
return a standard error response of the form:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"errcode": "M_LIMIT_EXCEEDED",
|
|
|
|
|
"error": "string",
|
|
|
|
|
"retry_after_ms": integer (optional)
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
The `retry_after_ms` key SHOULD be included to tell the client how long
|
|
|
|
|
they have to wait in milliseconds before they can try again.
|
|
|
|
|