Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC3550: Allow HTTP 403 as a response to profile lookups #3550

Merged
merged 9 commits into from
Dec 26, 2021
Merged
31 changes: 31 additions & 0 deletions proposals/3550-allow-403-response-profile-lookup.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
# MSC3550: Add HTTP 403 to possible profile lookup responses

# Background
In the current spec, the only response codes listed for [GET /_matrix/client/v3/profile/{userId}](https://spec.matrix.org/v1.1/client-server-api/#get_matrixclientv3profileuserid)
are `200` and `404`. However, some servers may not allow profile lookup over federation, and thus
respond to [GET /_matrix/client/v3/profile/{userId}](https://spec.matrix.org/v1.1/client-server-api/#get_matrixclientv3profileuserid) with an HTTP 403.

For example, Synapse can be configured to behave in this way by setting:

```
allow_profile_lookup_over_federation=false
```

Thus, this behavior already exists in Synapse, and may cause issues for
clients such as [vector-im/element-web#17269](https://github.com/vector-im/element-web/issues/17269).

# Proposal
The proposal is to allow HTTP 403 as an option for responding to [GET /_matrix/client/v3/profile/{userId}](https://spec.matrix.org/v1.1/client-server-api/#get_matrixclientv3profileuserid)
requests. Allowing HTTP 403 gives clients more specific information as to why a request has
failed, thus enabling more precise error handling. The 403 would be accompanied by an
`M_FORBIDDEN` error code.

# Potential Issues
The change to the spec may conflict with other existing server implementations.

# Alternatives
The spec could remain as-is and Synapse could alter its current behavior and return an HTTP
404 rather than 403 in this case.

# Security Considerations
None at this time.