Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MSC4170: 403 error responses for profile APIs #4170

Open
wants to merge 20 commits into
base: main
Choose a base branch
from
Open

MSC4170: 403 error responses for profile APIs #4170

Changes from 16 commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
ca54955
MSC4170: 403 error responses for profile APIs
Johennes Jul 8, 2024
c3d5e7e
Add links to CS & SS endpoints
Johennes Jul 9, 2024
6664b2f
Clarify which endpoint the 403 was added on
Johennes Jul 23, 2024
8fa644b
Better differentiate requirements for CS and SS API
Johennes Jul 23, 2024
2bef80d
Update proposals/4170-profile-403.md
Johennes Aug 5, 2024
0d03f8c
Update proposals/4170-profile-403.md
Johennes Aug 5, 2024
3baad1a
Clarify relation between the profile and user directory APIs
Johennes Aug 7, 2024
c1aafd8
Clarify that this proposal won't solve the public room problem
Johennes Aug 7, 2024
8f30d2a
Fix typo
Johennes Aug 7, 2024
0e8d732
Call out that limit_profile_requests_to_users_who_share_rooms is only…
Johennes Aug 7, 2024
400c5fe
Update proposals/4170-profile-403.md
Johennes Aug 14, 2024
6ccc715
Update proposals/4170-profile-403.md
Johennes Aug 14, 2024
a6f1910
Update proposals/4170-profile-403.md
Johennes Aug 14, 2024
c8cb03f
Update proposals/4170-profile-403.md
Johennes Aug 14, 2024
d11ead3
Update proposals/4170-profile-403.md
Johennes Aug 14, 2024
c2663da
Update proposals/4170-profile-403.md
Johennes Aug 15, 2024
ebd3549
Relocate history to its own section
Johennes Aug 19, 2024
76391ea
Let implementations decide whether to use 403 or 404 for non-existing…
Johennes Aug 19, 2024
0e1c81e
Explain why an unstable prefix isn't possible
Johennes Aug 19, 2024
1ab5780
Add privacy considerations
Johennes Aug 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
125 changes: 125 additions & 0 deletions proposals/4170-profile-403.md
View file
Open in desktop
richvdh marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
# MSC4170: 403 error responses for profile APIs

Matrix currently defines the following [client-server APIs] for profile look-ups:

- [`GET /_matrix/client/v3/profile/{userId}`]
- [`GET /_matrix/client/v3/profile/{userId}/avatar_url`]
- [`GET /_matrix/client/v3/profile/{userId}/displayname`]

These endpoints also support look-up over federation via the accompanying
[server-server API]:

- [`GET /_matrix/federation/v1/query/profile`]

Each of these endpoints has a documented 404 response for the case that no profile
information is available.

> 404 There is no profile information for this user or this user does not exist.
>
> 404 There is no avatar URL for this user or this user does not exist.
>
> 404 There is no display name for this user or this user does not exist.
>
> 404 The user does not exist or does not have a profile.

However, `GET /_matrix/client/v3/profile/{userId}` additionally reserves a 403
status code that is not available on the other endpoints and can be used to deny
profile look-ups.

> 403 The server is unwilling to disclose whether the user exists and/or has profile information.

Unfortunately, the concrete semantics of when to respond with 403 are not fully
spelled out in the spec and understanding prior proposals' intention requires some
archeology.

In [2017], the user directory API, [`POST /_matrix/client/v3/user_directory/search`],
which closely relates to the profile APIs, was introduced into the spec. Since its
inception, it contained the requirement for servers to consider (at least) users from
shared and public rooms in the search.

Later, [MSC1301] proposed a 403 `M_USER_NOT_PUBLIC` response on all four profile
endpoints to optionally disallow profile look-up for users that the requester does
not share a room with. This MSC was never accepted, but in 2019
was partially implemented by Synapse[^1]: it was only implemented for the client-server
endpoints, and an error code of `M_FORBIDDEN` was used rather than `M_USER_NOT_PUBLIC`.

In 2021, Synapse implemented[^2] a switchable feature to disable profile look-up
over federation via a 403 `M_FORBIDDEN` response. [MSC3550] picked up on this
feature and introduced this response type in the spec though only on the
`GET /_matrix/client/v3/profile/{userId}` endpoint in the client-server API.

The current proposal aims to restore consistency among the profile endpoints
by standardizing their 403 error response format and behaviour.


## Proposal

For the endpoints in the client-server API

- [`GET /_matrix/client/v3/profile/{userId}`]
- [`GET /_matrix/client/v3/profile/{userId}/avatar_url`]
- [`GET /_matrix/client/v3/profile/{userId}/displayname`]

homeservers MUST at a minimum allow profile look-up for users that either share a room
with the requester or reside in a public room known to the homeserver (i.e, the same
requirements as [`POST /_matrix/client/v3/user_directory/search`])[^3]. In all other
cases, homeservers MAY deny profile look-up by responding with 403 `M_FORBIDDEN`.
Johennes marked this conversation as resolved.
Show resolved Hide resolved

If a remote user is queried through the client-server endpoints and the query is not
denied per the preceding paragraph, homeservers SHOULD query the remote server for the
user's profile information.

Homeservers MAY deny profile look-up over federation by responding with 403 `M_FORBIDDEN`
to [`GET /_matrix/federation/v1/query/profile`]. To be clear: there is no requirement to return
profiles of users in public or shared rooms over the federation API.

Whenever profile look-up is disabled on any of the four endpoints, the server's
response MUST be 403 `M_FORBIDDEN` regardless of whether the user exists or not.


## Potential issues

Synapse already complies with this proposal in its default configuration. However,
its `limit_profile_requests_to_users_who_share_rooms` config setting is only partially
compatible with this proposal because it disallows profile look-up for users in public
rooms that the requester does not share a room with. This inconsistency would need to
be fixed if this proposal is accepted into the spec.


## Alternatives

None.


## Security considerations

None.
Johennes marked this conversation as resolved.
Show resolved Hide resolved


## Unstable prefix

None.
Johennes marked this conversation as resolved.
Show resolved Hide resolved


## Dependencies

None.


[^1]: https://github.com/element-hq/synapse/commit/c0e0740bef0db661abce352afaf6c958e276f11d
[^2]: https://github.com/matrix-org/synapse/pull/9203/files#diff-2f70c35b9dd342bfdaaed445847e0ccabbad63aa9a208d80d38fb248cbf57602L311
[^3]: As stated in https://github.com/matrix-org/matrix-spec/issues/633, the spec currently
doesn't clearly define what a public room is. This proposal does not aim to solve this
problem and instead only requires that the user directory and profile APIs use the same
definition.

[`GET /_matrix/client/v3/profile/{userId}`]: https://spec.matrix.org/v1.11/client-server-api/#get_matrixclientv3profileuserid
[`GET /_matrix/client/v3/profile/{userId}/avatar_url`]: https://spec.matrix.org/v1.11/client-server-api/#get_matrixclientv3profileuseridavatar_url
[`GET /_matrix/client/v3/profile/{userId}/displayname`]: https://spec.matrix.org/v1.11/client-server-api/#get_matrixclientv3profileuseriddisplayname
[`GET /_matrix/federation/v1/query/profile`]: https://spec.matrix.org/v1.11/server-server-api/#get_matrixfederationv1queryprofile
[`POST /_matrix/client/v3/user_directory/search`]: https://spec.matrix.org/v1.11/client-server-api/#post_matrixclientv3user_directorysearch
[2017]: https://github.com/matrix-org/matrix-spec-proposals/pull/1096/files#diff-332ce28a7277b9375050644632f99c0e606acb751adc54c64c5faabf981ac7edR35
[MSC1301]: https://github.com/matrix-org/matrix-spec-proposals/issues/1301
[MSC3550]: https://github.com/matrix-org/matrix-spec-proposals/pull/3550
[client-server APIs]: https://spec.matrix.org/v1.11/client-server-api/#profiles
[server-server API]: https://spec.matrix.org/v1.11/server-server-api/#get_matrixfederationv1queryprofile