Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MSC2457: Invalidating devices during password modification #2457

Merged
merged 4 commits into from
May 2, 2020
Merged

MSC2457: Invalidating devices during password modification #2457

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1facf7f
Add an MSC proposal for how to handle sessions when modifying a passw…
clokep Mar 12, 2020
61b306f
Remove concerns about backwards compatibility.
clokep Mar 13, 2020
2d2731e
Remove duplicated word.
clokep Mar 16, 2020
745f8c0
Fix incorrect statement about the current spec's guidance.
clokep Mar 27, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions proposals/2457-password-modification-invalidating-devices.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
# Invalidating devices during password modification

There are multiple use cases for why a user might want to modify their password:

* Adopting a password manager (to use a unique password or more secure password).
* Password rotation.
* Re-secure a compromised account.
* ... probably tons of others ...

These can be summarized into two groups:

1. "My account has been compromised and I need to re-secure it."
2. "I just want to change my password."

The [current Matrix specification](https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-account-password)
does not provide a way to differentiate between these use cases. It currently
specifies behavior that fits well into the first use-case above: that the
sessions except the current session should be revoked.

It is reasonable for a client to want to specify this behavior to offer two
different workflows:

1. Modify a password and log all other devices out (for use when an account has
been compromised).
2. Modify a password and do not touch any session data (for use in a
non-malicious situations).

Alternately a client may default to whichever workflow is best for their users.

## Proposal

An optional field is added to the JSON body of the [password reset endpoint](https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-account-password)
called `logout_devices`. This is a boolean flag (defaulting to `true`) that
signals to whether other devices and sessions should be invalidated after
modifying the password.

## Potential issues

The specification states:

> The homeserver SHOULD NOT revoke the access token provided in the request,
> however all other access tokens for the user should be revoked if the request
> succeeds.

Defaulting `logout_devices` to `true` should be backwards compatible.

## Alternatives

A new endpoint could be provided in a future version of the specification that
supports an additional field (as described above).

## Security considerations

By defaulting to invalidating devices and sessions the security considerations
of this endpoint should remain intact. A client will need to be modified to
choose to keep other devices active.