Clarify that servers may choose not to use `M_USER_DEACTIVATED` when they don't know who is asking. (#2246)

Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
1 week ago · b1fd2af72c
parent f7a0d8d135
commit b1fd2af72c
2 changed files with 3 additions and 0 deletions
--- a/changelogs/client_server/newsfragments/2246.clarification
+++ b/changelogs/client_server/newsfragments/2246.clarification
@ -0,0 +1 @@
 Clarify that servers may choose not to use `M_USER_DEACTIVATED` at login time, for example for privacy reasons when they can't authenticate deactivated users.
--- a/data/api/client-server/login.yaml
+++ b/data/api/client-server/login.yaml
@ -262,6 +262,8 @@ paths:
                or the requested device ID is the same as a cross-signing key
                ID.
              * `M_USER_DEACTIVATED`: The user has been deactivated.
                Servers MAY instead use `M_FORBIDDEN` when they can no longer authenticate
                the deactivated user (e.g. their password has been wiped).
          content:
            application/json:
              schema:
		`@ -0,0 +1 @@`
							Clarify that servers may choose not to use `M_USER_DEACTIVATED` at login time, for example for privacy reasons when they can't authenticate deactivated users.