Spec MSC2285: Private read receipts (#1216)

* Convert `m.receipt.yaml` to traditional YAML * Spec MSC2285 (private read receipts) * Add some obvious copyright headers * Add changelog entries * Appease the linter Apparently it hates it when you do this. * Allow m.fully_read on /receipts * Apply suggestions from code review Co-authored-by: Matthew Hodgson <matthew@matrix.org> Co-authored-by: Matthew Hodgson <matthew@matrix.org>
2022-09-12 16:34:51 -06:00 · 2022-09-12 16:34:51 -06:00 · e406bd94f6
commit e406bd94f6
parent a6990ff27c
10 changed files with 146 additions and 66 deletions
--- a/content/client-server-api/modules/push.md
+++ b/content/client-server-api/modules/push.md
@ -107,7 +107,19 @@ determined by the push rules which apply to an event.

 When the user updates their read receipt (either by using the API or by
 sending an event), notifications prior to and including that event MUST
-be marked as read.
+be marked as read. Note that users can send both an `m.read` and
+`m.read.private` receipt, both of which are capable of clearing notifications.
+
+If the user has both `m.read` and `m.read.private` set in the room then
+the receipt which is more recent/ahead must be used to determine where
+the user has read up to. For example, given an oldest-first set of events A,
+B, C, and D the `m.read` receipt could be at event C and `m.read.private`
+at event A - the user is considered to have read up to event C. If the
+`m.read.private` receipt is then updated to point to B or C, the user's
+notification state doesn't change (the `m.read` receipt is still more
+ahead), however if the `m.read.private` receipt were to be updated to
+event D then the user has read up to D (the `m.read` receipt is now
+behind the `m.read.private` receipt).

 ##### Push Rules

--- a/content/client-server-api/modules/read_markers.md
+++ b/content/client-server-api/modules/read_markers.md
@ -31,12 +31,16 @@ The client cannot update fully read markers by directly modifying the
 `m.fully_read` account data event. Instead, the client must make use of
 the read markers API to change the values.

+{{< changed-in v="1.4" >}} `m.read.private` receipts can now be sent from
+`/read_markers`.
+
 The read markers API can additionally update the user's read receipt
-(`m.read`) location in the same operation as setting the fully read
-marker location. This is because read receipts and read markers are
-commonly updated at the same time, and therefore the client might wish
-to save an extra HTTP call. Providing an `m.read` location performs the
-same task as a request to `/receipt/m.read/$event:example.org`.
+(`m.read` or `m.read.private`) location in the same operation as setting
+the fully read marker location. This is because read receipts and read
+markers are commonly updated at the same time, and therefore the client
+might wish to save an extra HTTP call. Providing `m.read` and/or
+`m.read.private` performs the same task as a request to
+[`/receipt/{receiptType}/{eventId}`](#post_matrixclientv3roomsroomidreceiptreceipttypeeventid).

 {{% http-api spec="client-server" api="read_markers" %}}

@ -44,8 +48,9 @@ same task as a request to `/receipt/m.read/$event:example.org`.

 The server MUST prevent clients from setting `m.fully_read` directly in
 room account data. The server must additionally ensure that it treats
-the presence of `m.read` in the `/read_markers` request the same as how
-it would for a request to `/receipt/m.read/$event:example.org`.
+the presence of `m.read` and `m.read.private` in the `/read_markers`
+request the same as how it would for a request to
+[`/receipt/{receiptType}/{eventId}`](#post_matrixclientv3roomsroomidreceiptreceipttypeeventid).

 Upon updating the `m.fully_read` event due to a request to
 `/read_markers`, the server MUST send the updated account data event
--- a/content/client-server-api/modules/receipts.md
+++ b/content/client-server-api/modules/receipts.md
@ -4,10 +4,14 @@ type: module

 ### Receipts

+{{< changed-in v="1.4" >}} Added private read receipts.
+
 This module adds in support for receipts. These receipts are a form of
-acknowledgement of an event. This module defines a single
-acknowledgement: `m.read` which indicates that the user has read up to a
-given event.
+acknowledgement of an event. This module defines the `m.read` receipt
+for indicating that the user has read up to a given event, and `m.read.private`
+to achieve the same purpose without any other user being aware. Primarily,
+`m.read.private` is intended to clear [notifications](#receiving-notifications)
+without advertising read-up-to status to others.

 Sending a receipt for each event can result in sending large amounts of
 traffic to a homeserver. To prevent this from becoming a problem,
@ -59,12 +63,36 @@ following HTTP APIs.

 {{% http-api spec="client-server" api="receipts" %}}

+##### Private read receipts
+
+{{% added-in v="1.4" %}}
+
+Some users would like to mark a room as read, clearing their [notification counts](#receiving-notifications),
+but not give away the fact that they've read a particular message yet. To
+achieve this, clients can send `m.read.private` receipts instead of `m.read`
+to do exactly that: clear notifications and not broadcast the receipt to
+other users.
+
+Servers MUST NOT send the `m.read.private` receipt to any other user than the
+one which originally sent it.
+
+Between `m.read` and `m.read.private`, the receipt which is more "ahead" or
+"recent" is used when determining the highest read-up-to mark. See the
+[notifications](#receiving-notifications) section for more information on
+how this affects notification counts.
+
+If a client sends an `m.read` receipt which is "behind" the `m.read.private`
+receipt, other users will see that change happen but the sending user will
+not have their notification counts rewound to that point in time. While
+uncommon, it is considered valid to have an `m.read` (public) receipt lag
+several messages behind the `m.read.private` receipt, for example.
+
 #### Server behaviour

 For efficiency, receipts SHOULD be batched into one event per room
 before delivering them to clients.

-Receipts are sent across federation as EDUs with type `m.receipt`. The
+Some receipts are sent across federation as EDUs with type `m.receipt`. The
 format of the EDUs are:

 ```
@ -80,7 +108,8 @@ format of the EDUs are:
 ```

 These are always sent as deltas to previously sent receipts. Currently
-only a single `<receipt_type>` should be used: `m.read`.
+only a single `<receipt_type>` should be used: `m.read`. `m.read.private`
+MUST NOT appear in this federated `m.receipt` EDU.

 #### Security considerations