-
Notifications
You must be signed in to change notification settings - Fork 385
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC3173: Expose stripped state events to any potential joiner #3173
Changes from all commits
3d913b3
ce86508
b6cba64
1cfbf76
45bcd86
62e94c5
84331fc
d879eb6
3fe5ca9
d069ca2
b1051e4
c44998c
29e4006
6923606
4b7dc17
b5d0969
b94d379
122c803
5204b85
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,195 @@ | ||
# MSC3173: Expose stripped state events to any potential joiner | ||
|
||
It can be useful to view the partial state of a room before joining to allow a user | ||
to know *what* they're joining. For example, it improves the user experience to | ||
show the user the room name and avatar before joining. | ||
|
||
It is already allowed to partially view the room state without being joined to | ||
the room in some situations: | ||
|
||
* If the room has `history_visibility: world_readable`, then anyone can inspect | ||
it (by calling `/state` on it). | ||
* Rooms in the [room directory](https://matrix.org/docs/spec/client_server/latest#get-matrix-client-r0-publicrooms) | ||
expose some of their state publicly. | ||
* [Invited users](https://matrix.org/docs/spec/server_server/r0.1.4#put-matrix-federation-v2-invite-roomid-eventid) | ||
and [knocking users](https://github.com/matrix-org/matrix-doc/pull/2403) | ||
receive stripped state events to display metadata to users. | ||
|
||
This MSC proposes formalizing that the stripped state that is currently available | ||
to invited and knocking users is available to any user who could potentially join | ||
a room. It also defines "stripped state" and consolidates the recommendation on | ||
which events to include in the stripped state. | ||
|
||
## Background | ||
|
||
When creating an invite it is [currently recommended](https://matrix.org/docs/spec/server_server/r0.1.4#put-matrix-federation-v2-invite-roomid-eventid) | ||
to include stripped state events which are useful for displaying the invite to a user: | ||
|
||
> An optional list of simplified events to help the receiver of the invite identify | ||
> the room. The recommended events to include are the join rules, canonical alias, | ||
> avatar, and name of the room. | ||
The invited user receives these [stripped state events](https://spec.matrix.org/unstable/client-server-api/#get_matrixclientr0sync) | ||
as part of the `/sync` response: | ||
|
||
> The state of a room that the user has been invited to. These state events may | ||
> only have the `sender`, `type`, `state_key` and `content` keys present. These | ||
> events do not replace any state that the client already has for the room, for | ||
> example if the client has archived the room. | ||
These are sent as part of the [`unsigned` content of the `m.room.member` event](https://spec.matrix.org/unstable/client-server-api/#mroommember) | ||
containing the invite. | ||
|
||
[MSC2403: Add "knock" feature](https://github.com/matrix-org/matrix-doc/pull/2403) | ||
extends this concept to also include the stripped state events in the `/sync` response | ||
for knocking users: | ||
|
||
> It is proposed to add a fourth possible key to rooms, called `knock`. Its value | ||
> is a mapping from room ID to room information. The room information is a mapping | ||
> from a key `knock_state` to another mapping with key events being a list of | ||
> `StrippedStateEvent`. | ||
It is also provides an extended rationale of why this is useful: | ||
|
||
> These stripped state events contain information about the room, most notably the | ||
> room's name and avatar. A client will need this information to show a nice | ||
> representation of pending knocked rooms. The recommended events to include are the | ||
> join rules, canonical alias, avatar, name and encryption state of the room, rather | ||
> than all room state. This behaviour matches the information sent to remote | ||
> homeservers when remote users are invited to a room. | ||
[MSC1772: Spaces](https://github.com/matrix-org/matrix-doc/pull/1772) additionally | ||
recommends including the `m.room.create` event as one of the stripped state events: | ||
|
||
> Join rules, invites and 3PID invites work as for a normal room, with the exception | ||
> that `invite_state` sent along with invites should be amended to include the | ||
> `m.room.create` event, to allow clients to discern whether an invite is to a | ||
> space-room or not. | ||
## Proposal | ||
|
||
The specification does not currently define what "stripped state" is or formally | ||
describe who can access it, instead it is specified that certain situations (e.g. | ||
an invite or knock) provide a potential joiner with the stripped state of a room. | ||
|
||
This MSC clarifies what "stripped state" is and formalizes who can access the | ||
stripped state of a room in future cases. | ||
|
||
Potential ways that a user might be able to join a room include, but are not | ||
limited to, the following mechanisms: | ||
|
||
* A room that has `join_rules` set to `public` or `knock`. | ||
* A room that the user is in possession of an invite to (regardless of the `join_rules`). | ||
|
||
This MSC proposes a formal definition for the stripped state of a room<sup id="a1">[1](#f1)</sup>: | ||
|
||
> The stripped state of a room is a list of simplified state events to help a | ||
> potential joiner identify the room. These state events may only have the | ||
> `sender`, `type`, `state_key` and `content` keys present. | ||
### Client behavior | ||
|
||
These events do not replace any state that the client already has for the room, | ||
for example if the client has archived the room. Instead the client should keep | ||
two separate copies of the state: the one from the stripped state and one from the | ||
archived state. If the client joins the room then the current state will be given | ||
as a delta against the archived state not the stripped state. | ||
|
||
### Server behavior | ||
|
||
It is recommended (although not required<sup id="a2">[2](#f2)</sup>) that | ||
homeserver implementations include the following events as part of the stripped | ||
state of a room: | ||
|
||
* Create event (`m.room.create`)<sup id="a3">[3](#f3)</sup> | ||
* Join rules (`m.room.join_rules`) | ||
* Canonical alias (`m.room.canonical_alias`) | ||
* Room avatar (`m.room.avatar`) | ||
* Room name (`m.room.name`) | ||
* Encryption information (`m.room.encryption`)<sup id="a4">[4](#f4)</sup> | ||
* Room topic (`m.room.topic`)<sup id="a5">[5](#f5)</sup> | ||
|
||
## Potential issues | ||
|
||
This is a formalization of current behavior and should not introduce new issues. | ||
|
||
## Alternatives | ||
|
||
A different approach would be to continue with what is done today for invites, | ||
knocking, the room directory: separately specify that a user is allowed to see | ||
the stripped state (and what events the stripped state should contain). | ||
|
||
## Security considerations | ||
clokep marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
This would allow for invisibly accessing the stripped state of a room with `public` | ||
or `knock` join rules. | ||
Comment on lines
+124
to
+125
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this still true, or can this section be removed now that the proposed API is removed? I don't see that it currently introduces any new way for users to fetch the stripped state. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think this is still true since a server could expose this information for a room which is knockable in e.g. the room directory (this is somewhat covered by the knocking MSC already). So it isn't really a "change", but I think it is worth calling out. |
||
|
||
In the case of a public room, if the room has `history_visibility` set to `world_readable` | ||
then this is no change. Additionally, this information is already provided by the | ||
room directory (if the room is listed there). Otherwise, it is trivial to access | ||
the state of the room by joining, but currently users in the room would know | ||
that the join occurred. | ||
|
||
Similarly, in the case of knocking, a user is able to trivially access the | ||
stripped state of the room by knocking, but users in the room would know that | ||
the knock occurred. | ||
|
||
This does not seem to weaken the security expectations of either join rule. | ||
|
||
## Future extensions | ||
|
||
### Revisions to the room directory | ||
|
||
A future MSC could include additional information from the stripped state events | ||
in the [room directory](https://matrix.org/docs/spec/client_server/latest#get-matrix-client-r0-publicrooms). | ||
The main missing piece seems to be the encryption information, but there may also | ||
be other pieces of information to include. | ||
|
||
### Additional ways to access the stripped state | ||
|
||
[MSC2946](https://github.com/matrix-org/matrix-doc/pull/2946) proposes including | ||
the stripped state in the spaces summary. Not needing to rationalize what state | ||
can be included for a potential joiner would simplify this (and future) MSCs. | ||
|
||
### Additional ways to join a room | ||
|
||
[MSC3083](https://github.com/matrix-org/matrix-doc/pull/3083) proposes a new | ||
join rule due to membership in a space. This MSC would clarify that the stripped | ||
state of a room is available to those joiners. | ||
|
||
### Dedicated API for accessing the stripped state | ||
|
||
Dedicated client-server and server-server APIs could be added to request the | ||
stripped state events, but that is considered out-of-scope for the current | ||
proposal. | ||
|
||
This API would allow any potential joiner to query for the stripped state. If | ||
the server does not know the room's state it would need to query other servers | ||
for it. | ||
|
||
## Unstable prefix | ||
|
||
N/A | ||
|
||
## Footnotes | ||
|
||
<a id="f1"/>[1]: No changes are proposed to | ||
[the definition of `history_visibility`](https://matrix.org/docs/spec/client_server/latest#room-history-visibility). | ||
The state of a room which is `world_readable` is available to anyone. This somewhat | ||
implies that the stripped state is also available to anyone, regardless of the join | ||
rules, but having a `world_readable`, `invite` room does not seem valuable. [↩](#a1) | ||
|
||
<a id="f2"/>[2]: Privacy conscious deployments may wish to limit the metadata | ||
available to users who are not in a room as the trade-off against user experience. | ||
There seems to be no reason to not allow this. [↩](#a2) | ||
|
||
<a id="f3"/>[3]: As updated in [MSC1772](https://github.com/matrix-org/matrix-doc/pull/1772). [↩](#a3) | ||
|
||
<a id="f4"/>[4]: The encryption information (`m.room.encryption`) is already sent | ||
from Synapse and generally seems useful for a user to know before joining a room. | ||
[↩](#a4) | ||
|
||
<a id="f5"/>[5]: The room topic (`m.room.topic`) is included as part of the | ||
[room directory](https://matrix.org/docs/spec/client_server/latest#get-matrix-client-r0-publicrooms) | ||
response for public rooms. It is also planned to be included as part of [MSC2946](https://github.com/matrix-org/matrix-doc/pull/2946) | ||
in the spaces summary response. [↩](#a5) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is “potentially join” recursive? I.e., if I'm in
A
, which allows joiningB
, which allows joiningC
, can I potentially joinC
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for the purposes of this MSC, no. Recursion like that would be determined in another access control MSC.