archive
/
matrix-spec
mirror of https://github.com/matrix-org/matrix-spec
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
rav/hyperlinks
travis/account-suspension
dbkr/msc4178
release/v1.12
release/v1.11
tulir/msc4142
release/v1.10
travis/msc2702-msc2701
rav/ref_objects_in_params
dkasak/foldable-sidebar
travis/knock-join
release/v1.9
release/v1.8
anoa/update_docsy
anoa/nix_flake
dbkr/3077-multi-stream-voip
release/v1.7
dbkr/2746-reliable-voip
rav/links_for_object_defs
release/v1.6
release/v1.5
release/v1.4
anoa/invite_knock_room_state
release/v1.3
push_gateway/r0.1.0
r0.0.0
0.2.0
application_service/r0.1.0
application_service/r0.1.1
application_service/r0.1.2
client-server/0.3.0
client-server/r0.1.0
client-server/r0.2.0
client-server/r0.3.0
client_server/r0.4.0
client_server/r0.5.0
client_server/r0.6.0
client_server/r0.6.1
identity_service/r0.1.0
identity_service/r0.2.0
identity_service/r0.2.1
identity_service/r0.3.0
push_gateway/r0.1.1
r0.0.1
server_server/r0.1.0
server_server/r0.1.1
server_server/r0.1.2
server_server/r0.1.3
server_server/r0.1.4
v1.1
v1.10
v1.11
v1.12
v1.2
v1.3
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3c66e149f3'
${ noResults }
matrix-spec/content/client-server-api/modules/guest_access.md

92 lines
4.0 KiB
Markdown
Raw Blame History

---
type: module
weight: 160
---
### Guest Access
There are times when it is desirable for clients to be able to interact
with rooms without having to fully register for an account on a
homeserver or join the room. This module specifies how these clients
should interact with servers in order to participate in rooms as guests.
Guest users retrieve access tokens from a homeserver using the ordinary
[register
endpoint](#post_matrixclientr0register),
specifying the `kind` parameter as `guest`. They may then interact with
the client-server API as any other user would, but will only have access
to a subset of the API as described the Client behaviour subsection
below. Homeservers may choose not to allow this access at all to their
local users, but have no information about whether users on other
homeservers are guests or not.
Guest users can also upgrade their account by going through the ordinary
`register` flow, but specifying the additional POST parameter
`guest_access_token` containing the guest's access token. They are also
required to specify the `username` parameter to the value of the local
part of their username, which is otherwise optional.
This module does not fully factor in federation; it relies on individual
homeservers properly adhering to the rules set out in this module,
rather than allowing all homeservers to enforce the rules on each other.
#### Events
{{m\_room\_guest\_access\_event}}
#### Client behaviour
The following API endpoints are allowed to be accessed by guest accounts
for retrieving events:
- [GET /rooms/:room\_id/state](#get_matrixclientr0roomsroomidstate)
- [GET /rooms/:room\_id/context/:event\_id](#get_matrixclientr0roomsroomidcontexteventid)
- [GET /rooms/:room\_id/event/:event\_id](#get_matrixclientr0roomsroomideventeventid)
- [GET /rooms/:room\_id/state/:event\_type/:state\_key](#get_matrixclientr0roomsroomidstateeventtypestatekey)
- [GET /rooms/:room\_id/messages](#get_matrixclientr0roomsroomidmessages)
- [GET /rooms/:room\_id/members](#get_matrixclientr0roomsroomidmembers)
- [GET /rooms/:room\_id/initialSync](#get_matrixclientr0roomsroomidinitialsync)
- [GET /sync](#get_matrixclientr0sync)
- [GET /events](#get_matrixclientr0events) as used for room previews.
The following API endpoints are allowed to be accessed by guest accounts
for sending events:
- [POST /rooms/:room\_id/join](#post_matrixclientr0roomsroomidjoin)
- [POST /rooms/:room\_id/leave](#post_matrixclientr0roomsroomidleave)
- [PUT /rooms/:room\_id/send/m.room.message/:txn\_id](#put_matrixclientr0roomsroomidsendeventtypetxnid)
- [PUT /sendToDevice/{eventType}/{txnId}](#put_matrixclientr0sendtodeviceeventtypetxnid)
The following API endpoints are allowed to be accessed by guest accounts
for their own account maintenance:
- [PUT /profile/:user\_id/displayname](#put_matrixclientr0profileuseriddisplayname)
- [GET /devices](#get_matrixclientr0devices)
- [GET /devices/{deviceId}](#get_matrixclientr0devicesdeviceid)
- [PUT /devices/{deviceId}](#put_matrixclientr0devicesdeviceid)
The following API endpoints are allowed to be accessed by guest accounts
for end-to-end encryption:
- [POST /keys/upload](#post_matrixclientr0keysupload)
- [POST /keys/query](#post_matrixclientr0keysquery)
- [POST /keys/claim](#post_matrixclientr0keysclaim)
#### Server behaviour
Servers MUST only allow guest users to join rooms if the
`m.room.guest_access` state event is present on the room, and has the
`guest_access` value `can_join`. If the `m.room.guest_access` event is
changed to stop this from being the case, the server MUST set those
users' `m.room.member` state to `leave`.
#### Security considerations
Each homeserver manages its own guest accounts itself, and whether an
account is a guest account or not is not information passed from server
to server. Accordingly, any server participating in a room is trusted to
properly enforce the permissions outlined in this section.
Homeservers may want to enable protections such as captchas for guest
registration to prevent spam, denial of service, and similar attacks.
Reference in New Issue View Git Blame Copy Permalink