MSC3550: Allow HTTP 403 as a response to profile lookups (#3550)

* add 403 proposal * add msc number to file and filename * correctly use markdown * requested changes * add links * specify error code * Update proposals/3550-allow-403-response-profile-lookup.md Co-authored-by: Travis Ralston <travisr@matrix.org> * fix formatting typo Co-authored-by: Travis Ralston <travisr@matrix.org> Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
matrix-org · Dec 26, 2021 · 3ce9c1d · 3ce9c1d
1 parent 87fcb7c
commit 3ce9c1d
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/proposals/3550-allow-403-response-profile-lookup.md b/proposals/3550-allow-403-response-profile-lookup.md
@@ -0,0 +1,31 @@
+# MSC3550: Add HTTP 403 to possible profile lookup responses
+
+# Background
+In the current spec, the only response codes listed for [GET /_matrix/client/v3/profile/{userId}](https://spec.matrix.org/v1.1/client-server-api/#get_matrixclientv3profileuserid)
+are `200` and `404`. However, some servers may not allow profile lookup over federation, and thus
+respond to [GET /_matrix/client/v3/profile/{userId}](https://spec.matrix.org/v1.1/client-server-api/#get_matrixclientv3profileuserid) with an HTTP 403.
+
+For example, Synapse can be configured to behave in this way by setting:
+
+```
+allow_profile_lookup_over_federation=false
+```
+
+Thus, this behavior already exists in Synapse, and may cause issues for
+clients such as [vector-im/element-web#17269](https://github.com/vector-im/element-web/issues/17269).
+
+# Proposal
+The proposal is to allow HTTP 403 as an option for responding to [GET /_matrix/client/v3/profile/{userId}](https://spec.matrix.org/v1.1/client-server-api/#get_matrixclientv3profileuserid)
+requests. Allowing HTTP 403 gives clients more specific information as to why a request has 
+failed, thus enabling more precise error handling. The 403 would be accompanied by an
+`M_FORBIDDEN` error code. 
+
+# Potential Issues
+The change to the spec may conflict with other existing server implementations.
+
+# Alternatives
+The spec could remain as-is and Synapse could alter its current behavior and return an HTTP 
+404 rather than 403 in this case. 
+
+# Security Considerations
+None at this time.