Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC1692: Terms of service at registration #1692

Merged
merged 15 commits into from
Apr 15, 2024
Merged

Conversation

turt2live
Copy link
Member

@turt2live turt2live commented Oct 3, 2018

Rendered


Implementation: matrix-org/synapse#4004

FCP tickyboxes


Notes from 2018:

This proposal is the first to try a new process where we avoid creating excess issues with locked discussions. Discussion about this proposal should happen on this PR, preferably inline where possible.

Riot/synapse is going ahead and trying out the registration portion of this proposal to fix a UX bug. Given UI auth has fallback support, this should not break any clients and can be easily modified in the future if this proposal were to change. Implementation is required as a proof of concept for the proposal anyways.

@turt2live
Copy link
Member Author

Also I just found #1231 which doesn't appear to have a conclusion to it. This proposal also alters how https://github.com/matrix-org/matrix-doc/issues/1252 works.

turt2live added a commit to matrix-org/synapse that referenced this pull request Oct 3, 2018
proposals/1692-terms-api.md Outdated Show resolved Hide resolved
proposals/1692-terms-api.md Outdated Show resolved Hide resolved
proposals/1692-terms-api.md Outdated Show resolved Hide resolved
proposals/1692-terms-api.md Outdated Show resolved Hide resolved
proposals/1692-terms-api.md Outdated Show resolved Hide resolved
proposals/1692-terms-api.md Outdated Show resolved Hide resolved
proposals/1692-terms-api.md Outdated Show resolved Hide resolved
@erikjohnston
Copy link
Member

This looks mostly sane I guess, though I don't really know much about registration/login.

One thing that I'm unsure of is the behaviour when we need the user to agree to an updated ToS. Locking down the APIs and returning 403s has a number of issues:

  • Server side its a bit annoying to keep track of which APIs are safe to allow the user access to and which aren't. Denying everything but sync doesn't terribly worthwhile given the likelihood that clients will want to make API call when actually rendering things to client (e.g. avatars)
  • Breaking people's messaging app is unlikely to make people particularly happy. I think we need to make sure that clients get proactively told that action needs to be taken, and ideally allow being notified in advance (long before the API gets blocked).

I also think it'd make more sense to return a 401 with a specific error code. That way "dumb" clients just log out and the user can log in again and accept the updated ToS. Smarter clients can interpret the 401 and show a "accept ToS" screen.

@Half-Shot
Copy link
Contributor

I agree with almost everything here, except the need for a new endpoint.

I strongly disagree with /terms unless someone can explain what makes it special enough to warrant it's own endpoint in favour of developing PUT /account_data with the optional ability to request auth first. It would definitely benefit future proposals, even if it doesn't save any effort for this proposal.

It seems like it's going to take the same amount of effort whichever way this goes, so why not make this endpoint generic now to save some effort for future proposals.

@turt2live
Copy link
Member Author

@erikjohnston

Breaking people's messaging app is unlikely to make people particularly happy. I think we need to make sure that clients get proactively told that action needs to be taken, and ideally allow being notified in advance (long before the API gets blocked).

There's nothing stopping the homeserver from saying a policy is not required and then later requiring it. The proposal should be fairly supportive of whatever the homeserver admin wants to do by not being overly opinionated.

I also think it'd make more sense to return a 401 with a specific error code. That way "dumb" clients just log out and the user can log in again and accept the updated ToS. Smarter clients can interpret the 401 and show a "accept ToS" screen.

Logging the user out sounds really bad for dumb clients. If that dumb client has e2e support (which is not impossible) then that user could lose data. This is probably another great case where a soft logout would work, although it would probably need to be carefully executed.

@turt2live
Copy link
Member Author

@Half-Shot

I strongly disagree with /terms unless someone can explain what makes it special enough to warrant it's own endpoint in favour of developing PUT /account_data with the optional ability to request auth first. It would definitely benefit future proposals, even if it doesn't save any effort for this proposal.

I'd like to see a strong use case for other cases where UI auth is helpful on the account data. As previously mentioned several times, I do not see the benefit in adding such a feature where it results in complicated client code.

@Half-Shot
Copy link
Contributor

Sure. I think I have failed to explain where this could also be useful, so I will write up a through explanation this evening. (This can serve as a placeholder)

This also introduces an ID for clients to internally reference the policies.
@turt2live
Copy link
Member Author

I've made some changes to this based on the feedback above:

  • Multiple languages are now supported
  • An ID is introduced for each policy for clients to reference
  • The login UI auth is fixed to represent the actual specification. In the future, we should consider actually cutting over to using UI auth on login and not doing half the job (which is proposed here).
  • Misc wording and language changes

I have not changed the proposal regarding introduction of a new endpoint. I've spent the better part of the week thinking about whether or not it is worth it, and I'm still not convinced that having UI auth on account data makes sense for primarily backwards compatibility reasons. Older clients would likely see the 401 as the user's token suddenly not being valid and log them out, which is a lot more dangerous than having another endpoint. Although older clients would not be accessing the terms metadata as they would not understand it, I don't think the proposal to add UI auth to account data would be worth it unless it was permitted on any event type - which could cause problems when someone inevitably blanket-enables it in their homeserver.

Ideally in a major version change of the spec we could support UI auth on most endpoints, not just account data, therefore adding an option for more security-conscious environments. For example, a homeserver may rightfully want to prevent the user from uploading content until they acknowledge that they actually own the content. Another scenario would be the homeserver requiring a user to refresh their login details after some time - previously we had a token refresh API however I don't believe it was supportive of alternative login flows, such as TOTP, being required to authenticate a user.

@erikjohnston
Copy link
Member

@turt2live is my understanding correct that Synapse already implements this (UGH)? And if so does the current MSC match the implementation?

@turt2live
Copy link
Member Author

@turt2live is my understanding correct that Synapse already implements this (UGH)? And if so does the current MSC match the implementation?

Yes and yes. If you've had the unfortunate opportunity to review the original MSC here, the bits which Synapse doesn't implement were already broken out to #3012

@mscbot
Copy link
Collaborator

mscbot commented Apr 9, 2024

🔔 This is now entering its final comment period, as per the review above. 🔔

@mscbot mscbot added final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. and removed proposed-final-comment-period Currently awaiting signoff of a majority of team members in order to enter the final comment period. labels Apr 9, 2024
@mscbot
Copy link
Collaborator

mscbot commented Apr 14, 2024

The final comment period, with a disposition to merge, as per the review above, is now complete.

@mscbot mscbot added finished-final-comment-period and removed disposition-merge final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. labels Apr 14, 2024
@turt2live turt2live merged commit a19bbec into old_master Apr 15, 2024
@turt2live turt2live deleted the travis/msc/terms-api branch April 15, 2024 17:21
@turt2live turt2live added spec-pr-missing Proposal has been implemented and is being used in the wild but hasn't yet been added to the spec and removed finished-final-comment-period labels Apr 15, 2024
turt2live added a commit that referenced this pull request Apr 15, 2024
* Terms of service API proposal

* Alter structures to support multiple languages

This also introduces an ID for clients to internally reference the policies.

* Alter the login process to reflect login's lack of UI auth

* Add a note about MSC2140

* Add a flag to the sync response to indicate the sync is withheld

* Use the soft logout MSC

* Fix headings

* Move non-registration bits out

* Reference MSC3012

* Adjust wording for new scope

* Rewrite to newer modern standards; address feedback from last FCP

* Update proposals/1692-terms-at-registration.md

Co-authored-by: Richard van der Hoff <[email protected]>

* Update references

---------

Co-authored-by: Richard van der Hoff <[email protected]>
Comment on lines +70 to +71
To complete the stage, accepting *all* of the listed documents, the client submits an empty `auth`
dict. The client *should* present the user with a checkbox to accept each policy, including a link
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

an empty auth dict

This can't be right. I'm assuming it means an auth dict which looks like:

  "auth": {
      "type": "m.login.terms",
      "session": "xxxxxx"
  }

(ie, nothing other than the type and session).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

err, yes. UIA is complicated, and I can believe this part of the MSC was written with confusion.

It'd be the same as dummy auth: https://spec.matrix.org/v1.10/client-server-api/#dummy-auth

@richvdh
Copy link
Member

richvdh commented Apr 30, 2024

Spec PR: matrix-org/matrix-spec#1812

@richvdh richvdh added spec-pr-in-review A proposal which has been PR'd against the spec and is in review and removed spec-pr-missing Proposal has been implemented and is being used in the wild but hasn't yet been added to the spec labels Apr 30, 2024
richvdh added a commit to matrix-org/matrix-spec that referenced this pull request May 8, 2024
@turt2live
Copy link
Member Author

Merged 🎉

@turt2live turt2live added merged A proposal whose PR has merged into the spec! and removed spec-pr-in-review A proposal which has been PR'd against the spec and is in review labels May 10, 2024
@zecakeh zecakeh mentioned this pull request Jun 7, 2024
53 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
client-server Client-Server API kind:core MSC which is critical to the protocol's success merged A proposal whose PR has merged into the spec! proposal A matrix spec change proposal
Projects
Status: Done to some definition
Development

Successfully merging this pull request may close these issues.

8 participants