|
| 1 | +# MSC4026: Allow /versions to optionally accept authentication |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +Synapse is implementing the ability to turn some unstable features on per-user. Once this is |
| 6 | +implemented, certain experimental features will be available to be enabled per-user via the [Admin API](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html). |
| 7 | +The intention is to allow certain users to test the experimental feature without making it available to |
| 8 | +all users before it is stable. |
| 9 | +This is in addition to the current ability to toggle on/off those features system-wide in the configuration. |
| 10 | + |
| 11 | +However, this poses a problem when considering how to advertise that those features are enabled to clients. |
| 12 | +Traditionally, to determine what unstable features were available from a server clients checked the [`/_matrix/client/versions`](https://spec.matrix.org/v1.7/client-server-api/#get_matrixclientversions) |
| 13 | +endpoint, which in turn checked the Synapse configuration to determine what experimental features were enabled. With the |
| 14 | +changes being implemented this is no longer possible, as some experimental features may be enabled per-user. As the |
| 15 | +`/_matrix/client/versions` endpoint does not require authentication there is no way to know which experimental features |
| 16 | +are enabled - there is no access token that we can extract user info from to determine which unstable features are |
| 17 | +currently enabled (as they may only be enabled for some users) - and thus there is no way to correctly communicate to |
| 18 | +clients which experimental features are enabled. |
| 19 | + |
| 20 | +## Proposal |
| 21 | + |
| 22 | +The proposal to remedy this is to make `/_matrix/client/versions` optionally accept authentication, and ask clients |
| 23 | +to use the authenticated version when determining which experimental features are enabled. |
| 24 | + |
| 25 | +## Potential issues |
| 26 | + |
| 27 | +This does raise the question of what the non-authenticated version of `/_matrix/client/versions` should return with |
| 28 | +regard to unstable features if the proposal is accepted. |
| 29 | + |
| 30 | +## Alternatives |
| 31 | + |
| 32 | +An alternative to the proposal would be to move advertising the unstable features to the [`/_matrix/client/v3/capabilities`](https://spec.matrix.org/v1.7/client-server-api/#get_matrixclientv3capabilities) |
| 33 | +endpoint, which does require authentication. However, the spec is clear that `/_matrix/client/v3/capabilities` "should |
| 34 | +not be used to advertise unstable or experimental features - this is better done by the `/versions` endpoint." Thus, |
| 35 | +this seems like a less desirable option than the proposed solution. |
| 36 | + |
| 37 | +## Security considerations |
| 38 | + |
| 39 | +None that I am currently aware of. |
0 commit comments