|
| 1 | +# MSC4323: User suspension & locking endpoints |
| 2 | + |
| 3 | +Currently the specification outlines error codes for suspended and locked users, |
| 4 | +even going as far as to suggest which endpoints can and cannot be executed by suspended users. |
| 5 | +However, it does not currently define an endpoint which server administrators can call to suspend |
| 6 | +and unsuspend users on their server. |
| 7 | +As a result, moderation tooling such as Draupnir and Meowlnir have to implement |
| 8 | +implementation-specific calls, which is not sustainable as more implementations other than Synapse |
| 9 | +integrate this feature. |
| 10 | + |
| 11 | +This proposal will outline new endpoints that will allow server administrators to |
| 12 | +suspend, unsuspend, lock, and unlock given users. |
| 13 | + |
| 14 | +## Proposal |
| 15 | + |
| 16 | +> [!IMPORTANT] |
| 17 | +> What defines a "server administrator" is left up to the implementation itself as most already have |
| 18 | +> their own systems for defining administrators (e.g. Synapse has a database flag, Conduit has room |
| 19 | +> membership) which rarely has a reason to be exposed outside of their respective management |
| 20 | +> interfaces. |
| 21 | +
|
| 22 | +Complementing [section 10.22 (Server Administration)][p1] of the client-to-server specification, |
| 23 | +four new endpoints are introduced: |
| 24 | + |
| 25 | +- `GET /_matrix/client/v1/admin/suspend/{userId}` |
| 26 | +- `PUT /_matrix/client/v1/admin/suspend/{userId}` |
| 27 | +- `GET /_matrix/client/v1/admin/lock/{userId}` |
| 28 | +- `PUT /_matrix/client/v1/admin/lock/{userId}` |
| 29 | + |
| 30 | +These new endpoints are similar to [`GET /_matrix/client/v3/admin/whois/{userId}`][p2] in that they |
| 31 | +are clearly defined as administration endpoints, however are restricted to only permitting |
| 32 | +execution on local server users. |
| 33 | + |
| 34 | +### New endpoint definitions |
| 35 | + |
| 36 | +The response body of both the `GET` and `PUT` endpoints, as well as the request body of the |
| 37 | +`PUT` endpoints, are defined below. Custom properties may be used provided they utilise |
| 38 | +[proper namespacing][p3] in their fields. |
| 39 | + |
| 40 | +**Suspend**: |
| 41 | + |
| 42 | +A single key, `suspended`, with a boolean indicating if the target account is suspended: |
| 43 | + |
| 44 | +```json |
| 45 | +{"suspended": true} |
| 46 | +``` |
| 47 | + |
| 48 | +**Lock**: |
| 49 | + |
| 50 | +A single key, `locked`, with a boolean indicating if the target account is locked: |
| 51 | + |
| 52 | +```json |
| 53 | +{"locked": false} |
| 54 | +``` |
| 55 | + |
| 56 | +### New capability definition |
| 57 | + |
| 58 | +The server should advertise that these new endpoints are available for the authenticated user |
| 59 | +to use by including the following new capability: |
| 60 | + |
| 61 | +```json5 |
| 62 | +{ |
| 63 | + "capabilities": { |
| 64 | + "m.account_moderation": { |
| 65 | + "suspend": true, // or false if unavailable/unimplemented |
| 66 | + "lock": true // or false if unavailable/unimplemented |
| 67 | + } |
| 68 | + } |
| 69 | +} |
| 70 | +``` |
| 71 | + |
| 72 | +This allows clients to determine whether they are able to suspend/lock users on this homeserver, |
| 73 | +allowing them to do things like dynamically show or hide a "suspend user" button, etc. |
| 74 | + |
| 75 | +The capability should not be advertised at all if both `suspend` and `lock` would be `false`. |
| 76 | +Omitting a key is equivalent to it being `false`. |
| 77 | + |
| 78 | +### Errors and restrictions |
| 79 | + |
| 80 | +Sending a request to the respective endpoints returns: |
| 81 | + |
| 82 | +- `400 / M_INVALID_PARAM`: The user ID does not belong to the local server. |
| 83 | +- `403 / M_FORBIDDEN`: The requesting user is not a server administrator, is trying to suspend/lock |
| 84 | + their own account, or the target user is another administrator. |
| 85 | +- `404 / M_NOT_FOUND`: The user ID is not found, or is deactivated. |
| 86 | + |
| 87 | +In order to prevent user enumeration, implementations have to ensure that authorization is checked |
| 88 | +prior to trying to do account lookups. |
| 89 | +As this endpoint requires authentication with an administrator account, guest access is not |
| 90 | +permitted. Additionally, no rate-limiting is imposed. |
| 91 | + |
| 92 | +[p1]: https://spec.matrix.org/v1.15/client-server-api/#server-administration |
| 93 | +[p2]: https://spec.matrix.org/v1.15/client-server-api/#get_matrixclientv3adminwhoisuserid |
| 94 | +[p3]: https://spec.matrix.org/v1.15/appendices/#common-namespaced-identifier-grammar |
| 95 | + |
| 96 | +## Potential issues |
| 97 | + |
| 98 | +This proposal does not outline any metadata fields for management, such as action reasons, |
| 99 | +temporary actions, authors, etc, which implementation-specific methods may currently have. |
| 100 | +This is for the sake of brevity and simplicity, and may be expanded upon by a future proposal. |
| 101 | + |
| 102 | +This proposal is also written under the assumption that all server administrators are equal, and |
| 103 | +cannot be suspended or locked. If a server permits such actions against a privileged user, without |
| 104 | +stripping their privileges, conflicting behaviours may be encountered. |
| 105 | + |
| 106 | +## Alternatives |
| 107 | + |
| 108 | +A full "user-info" endpoint has been suggested, which would include more information about a user's |
| 109 | +account that could interest server administrators. This proposal focuses solely on providing |
| 110 | +tooling with the capability to suspend and lock without needing to maintain several |
| 111 | +implementation-specific versions of their code, and adding a full-fleged user-info endpoint is |
| 112 | +almost entirely out of scope. |
| 113 | + |
| 114 | +## Security considerations |
| 115 | + |
| 116 | +Adding these new endpoints may provide a path to circumvent restrictions previously imposed on |
| 117 | +implementation-specific versions of the suspend and lock endpoints (such as them being blocked off |
| 118 | +at the reverse proxy) - server developers will likely want to ensure that their users are made |
| 119 | +appropriate aware of this (via release notes or some other similar high-visibility channel) so that |
| 120 | +they can apply those same restrictions to these new endpoints if necessary. |
| 121 | + |
| 122 | +These endpoints also increase the compromise value of an administrator account, as an attacker who |
| 123 | +breaches one of these accounts will be able to suspend or lock other users on the server. While |
| 124 | +the attacker would not be able to lock out other administrators, a single-administrator homeserver |
| 125 | +may be vulnerable to a temporary takeover if the sole administrator account is breached and |
| 126 | +the deployment cannot be secured & have the change reverted quickly. |
| 127 | +It may possibly also allow an attacker to disable other room-level moderation tooling, such as |
| 128 | +moderation bots, assuming those tools are not also server administrators. |
| 129 | + |
| 130 | +## Unstable prefix |
| 131 | + |
| 132 | +| Stable | Unstable | |
| 133 | +| ------ | -------- | |
| 134 | +| `/_matrix/client/v1/admin/...` | `/_matrix/client/unstable/uk.timedout.msc4323/admin/...` | |
| 135 | +| `m.account_moderation` | `uk.timedout.msc4323` | |
| 136 | + |
| 137 | +`locked` and `suspended` in the request/response bodies do not require an unstable prefix |
| 138 | +as the entire body is new. |
| 139 | + |
| 140 | +Servers should advertise `"uk.timedout.msc4323":true` in their `/versions` response while this |
| 141 | +proposal is unstable in order to advertise support for this new feature. |
| 142 | +It is left as an implementation detail whether to require authentication to view this version flag |
| 143 | +or not, as the capabilities endpoint requires authentication regardless. |
| 144 | + |
| 145 | +## Dependencies |
| 146 | + |
| 147 | +None |
0 commit comments