wholetrans/docs-matrix-spec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

MSC4170: 403 error responses for profile APIs (#1867)

Browse source 
Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>
This commit is contained in:
Johannes Marbach 2024-10-07 11:45:17 +02:00 committed by GitHub
parent 27b4cdcc9e
commit 871c10577e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 67 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
changelogs/client_server/newsfragments/1867.feature Normal file
View file

@ -0,0 +1 @@
Add 403 responses on `/profile/{userId}/avatar_url` and `/profile/{userId}/displayname` as per [MSC4170](https://github.com/matrix-org/matrix-spec-proposals/pull/4170).

1
changelogs/server_server/newsfragments/1867.feature Normal file
View file

@ -0,0 +1 @@
Add 403 response on `/query/profile` as per [MSC4170](https://github.com/matrix-org/matrix-spec-proposals/pull/4170).

20
content/client-server-api/_index.md
View file

@ -2753,7 +2753,25 @@ re-invited.
{{% http-api spec="client-server" api="profile" %}} {{% http-api spec="client-server" api="profile" %}}
#### Events on Change of Profile Information #### Server behaviour
Homeservers MUST at a minimum allow profile look-up for:
- users that share a room with the requesting user
- users that reside in public rooms known to the homeserver
In all other cases, homeservers MAY deny profile look-up by responding with
403 and an error code of `M_FORBIDDEN`.
When a remote user is queried and the query is not denied per the above,
homeservers SHOULD query the remote server for the user's profile information.
The remote server MAY itself deny profile queries over federation, however.
When the requested user does not exist, homeservers MAY choose whether to
respond with 403 or 404. If the server denies profile look-up in all but the
required cases, 403 is RECOMMENDED.
##### Events on Change of Profile Information
Because the profile display name and avatar information are likely to be Because the profile display name and avatar information are likely to be
used in many places of a client's display, changes to these fields cause used in many places of a client's display, changes to these fields cause

30
data/api/client-server/profile.yaml
View file

@ -98,6 +98,20 @@ paths:
value: { value: {
"displayname": "Alice Margatroid" "displayname": "Alice Margatroid"
} }
"403":
x-addedInMatrixVersion: "1.12"
description: The server is unwilling to disclose whether the user exists and/or
has a display name.
content:
application/json:
schema:
$ref: definitions/errors/error.yaml
examples:
response:
value: {
"errcode": "M_FORBIDDEN",
"error": "Profile lookup is disabled on this homeserver"
}
"404": "404":
description: There is no display name for this user or this user does not exist. description: There is no display name for this user or this user does not exist.
tags: tags:
@ -185,6 +199,20 @@ paths:
value: { value: {
"avatar_url": "mxc://matrix.org/SDGdghriugerRg" "avatar_url": "mxc://matrix.org/SDGdghriugerRg"
} }
"403":
x-addedInMatrixVersion: "1.12"
description: The server is unwilling to disclose whether the user exists and/or
has an avatar URL.
content:
application/json:
schema:
$ref: definitions/errors/error.yaml
examples:
response:
value: {
"errcode": "M_FORBIDDEN",
"error": "Profile lookup is disabled on this homeserver"
}
"404": "404":
description: There is no avatar URL for this user or this user does not exist. description: There is no avatar URL for this user or this user does not exist.
tags: tags:
@ -239,7 +267,7 @@ paths:
response: response:
value: { value: {
"errcode": "M_FORBIDDEN", "errcode": "M_FORBIDDEN",
"error": "Profile lookup over federation is disabled on this homeserver" "error": "Profile lookup is disabled on this homeserver"
} }
"404": "404":
description: There is no profile information for this user or this user does not description: There is no profile information for this user or this user does not

17
data/api/server-server/query.yaml
View file

@ -117,6 +117,9 @@ paths:
Servers may wish to cache the response to this query to avoid requesting the Servers may wish to cache the response to this query to avoid requesting the
information too often. information too often.
Servers MAY deny profile look-up over federation by responding with 403 and an
error code of `M_FORBIDDEN`.
operationId: queryProfile operationId: queryProfile
security: security:
- signedRequest: [] - signedRequest: []
@ -172,6 +175,20 @@ paths:
"displayname": "John Doe", "displayname": "John Doe",
"avatar_url": "mxc://matrix.org/MyC00lAvatar" "avatar_url": "mxc://matrix.org/MyC00lAvatar"
} }
"403":
x-addedInMatrixVersion: "1.12"
description: The server is unwilling to disclose whether the user exists and/or
has profile information.
content:
application/json:
schema:
$ref: ../client-server/definitions/errors/error.yaml
examples:
response:
value: {
"errcode": "M_FORBIDDEN",
"error": "Profile lookup over federation is disabled on this homeserver"
}
"404": "404":
description: The user does not exist or does not have a profile. description: The user does not exist or does not have a profile.
content: content: