From b1fd2af72cd41f79a89fe6ff1fffc5a3f21be402 Mon Sep 17 00:00:00 2001
From: reivilibre
Date: Mon, 24 Nov 2025 17:28:16 +0000
Subject: [PATCH] Clarify that servers may choose not to use `M_USER_DEACTIVATED` when they don't know who is asking. (#2246)
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
---
 changelogs/client_server/newsfragments/2246.clarification | 1 +
 data/api/client-server/login.yaml | 2 ++
 2 files changed, 3 insertions(+)
 create mode 100644 changelogs/client_server/newsfragments/2246.clarification
diff --git a/changelogs/client_server/newsfragments/2246.clarification b/changelogs/client_server/newsfragments/2246.clarification
new file mode 100644
index 00000000..7d2625a6
--- /dev/null
+++ b/changelogs/client_server/newsfragments/2246.clarification
@@ -0,0 +1 @@
+Clarify that servers may choose not to use `M_USER_DEACTIVATED` at login time, for example for privacy reasons when they can't authenticate deactivated users.
diff --git a/data/api/client-server/login.yaml b/data/api/client-server/login.yaml
index 28de0be1..4eba954e 100644
--- a/data/api/client-server/login.yaml
+++ b/data/api/client-server/login.yaml
@@ -262,6 +262,8 @@ paths:
 or the requested device ID is the same as a cross-signing key ID.
 * `M_USER_DEACTIVATED`: The user has been deactivated.
+ Servers MAY instead use `M_FORBIDDEN` when they can no longer authenticate
+ the deactivated user (e.g. their password has been wiped).
 content:
 application/json:
 schema: