|
| 1 | +# MSC5000: Federated User Directory |
| 2 | + |
| 3 | +Currently user search can only be done locally, which would at best get a list of all users known to the server. |
| 4 | + |
| 5 | +This proposal aims at introducing a federation endpoint allowing servers to broadcast the search to the current federating servers and get results among all their known users. |
| 6 | + |
| 7 | +Improvement of the client API is also proposed to accommodate the fact that results will arrive asynchronously and to allow users to manage their visibility on search results. |
| 8 | + |
| 9 | + |
| 10 | +## Proposal |
| 11 | + |
| 12 | +### Federation endpoint |
| 13 | + |
| 14 | +We first propose a new federation endpoint similar to the [current client API](https://spec.matrix.org/v1.12/client-server-api#post_matrixclientv3user_directorysearch). |
| 15 | +It would be authenticated and rate limited. |
| 16 | + |
| 17 | +#### `POST /_matrix/federation/v3/user_directory/search` |
| 18 | + |
| 19 | +#### Request |
| 20 | +```json |
| 21 | +{ |
| 22 | + "limit": 10, |
| 23 | + "search_term": "foo" |
| 24 | +} |
| 25 | +``` |
| 26 | + |
| 27 | +#### Response |
| 28 | +```json |
| 29 | +{ |
| 30 | + "limited": false, |
| 31 | + "results": [ |
| 32 | + { |
| 33 | + "avatar_url": "mxc://bar.com/foo", |
| 34 | + "display_name": "Foo", |
| 35 | + "m.user_directory.visibility": "local", |
| 36 | + "user_id": "@foo:bar.com" |
| 37 | + } |
| 38 | + ] |
| 39 | +} |
| 40 | +``` |
| 41 | + |
| 42 | +All profile fields (cf [MSC4133](https://github.com/matrix-org/matrix-spec-proposals/pull/4133)) should be returned here. |
| 43 | + |
| 44 | +When an user calls the client user search API, the server should send a federated user search request to all known servers. It would then receive the results and return them to the user. |
| 45 | +Servers must not forward this request to other servers and only return results known locally. This is to avoid infinite loop between servers knowing each other. |
| 46 | + |
| 47 | +However we have a problem here: we can't have expectation on when and even if servers will answer to the search request. |
| 48 | + |
| 49 | +We are hence proposing some changes to the client API to accommodate the need to have a way to stream new results to the client. |
| 50 | + |
| 51 | +Note that `m.user_directory.visibility` is defined further down this proposal. |
| 52 | + |
| 53 | +### Client endpoint changes |
| 54 | + |
| 55 | +We propose to introduce a reactive mechanism to allow the server to stream new results to the client. |
| 56 | + |
| 57 | +#### POST /_matrix/client/v3/user_directory/search |
| 58 | + |
| 59 | +#### Request |
| 60 | +```json |
| 61 | +{ |
| 62 | + "limit": 10, |
| 63 | + "search_term": "foo", |
| 64 | + "search_token": "a1d29g4f73" |
| 65 | +} |
| 66 | +``` |
| 67 | + |
| 68 | +For that we introduce a `search_token` to the request coming from the response of a previous search(`search_token`). A request containing a `search_token` will stall until new results are available to the server. If some more results are expected to be returned, it may include another `search_token`, and hence. |
| 69 | + |
| 70 | +`search_token` is optional within the request so proposed changes are retro-compatible. |
| 71 | + |
| 72 | +#### Response |
| 73 | +```json |
| 74 | +{ |
| 75 | + "search_token": "a1d29g4f73", |
| 76 | + "limited": true, |
| 77 | + "results": [ |
| 78 | + { |
| 79 | + "avatar_url": "mxc://bar.com/foo", |
| 80 | + "display_name": "Foo", |
| 81 | + "m.user_directory.visibility": "local", |
| 82 | + "user_id": "@foo:bar.com" |
| 83 | + } |
| 84 | + ] |
| 85 | +} |
| 86 | +``` |
| 87 | +`search_token` : is a unique identifier that means that more results can be retrieved by querying with this `search_token`. `limited` should be `true` when `search_token` is returned. |
| 88 | + |
| 89 | +#### New profile field to control user visibility in the directory |
| 90 | + |
| 91 | +We propose to add a new field in the profile (MSC4133) `m.user_directory.visibility` to give the user the ability to control their visibility in the user directory. |
| 92 | + |
| 93 | +Differents values are possible : |
| 94 | +- `hidden` : not visible to anyone |
| 95 | +- `local` : visible only to local homeserver users |
| 96 | +- `restricted`: visible to any user sharing a room with |
| 97 | +- `remote` (or federated or public ?): visible to users on local and remote homeservers |
| 98 | + |
| 99 | +If no value is provided (or it is null), the user hasn't set a preference and the server should follow the current expected behavior (visible if sharing a room in common or in public room). |
| 100 | + |
| 101 | +```json |
| 102 | +{ |
| 103 | + "avatar_url": "…", |
| 104 | + "displayname": "…", |
| 105 | + "m.user_directory.visibility": "local" |
| 106 | +} |
| 107 | +``` |
| 108 | + |
| 109 | +## Potential issues |
| 110 | + |
| 111 | +We may have requests lost or getting timeout from intermediary network equipments, especially since we are using some kind of long polling. |
| 112 | +We think the fact that we use a `search_token` that changes on each request allow the server to track correctly if new search results were already received by the client or not. |
| 113 | + |
| 114 | +## Alternatives |
| 115 | + |
| 116 | +We first thought about using an account data, however it has a big caveat: remote servers can't access it, hence remote servers will not be able to honor the visibility when trying to return remote users that are already visible locally to them. |
| 117 | + |
| 118 | +Rather than using a `search_token`, we could use a `search_id` that will be the same for all subsequent calls. |
| 119 | +This solution is less informative about the progression of the search from the server perspective, cf `Potential issues` section. |
| 120 | + |
| 121 | +## Security considerations |
| 122 | + |
| 123 | +### Sensitive Data Exposure |
| 124 | + |
| 125 | +A malicious server could list all user matrix ids that are defined in `remote` or `restricted`. |
| 126 | + |
| 127 | +#### Data Exposure Mitigation recommendations |
| 128 | + |
| 129 | +The federation search endpoint should be rate limited. |
| 130 | + |
| 131 | +We recommend to not answer for `search_term` with less than 3 characters like "a" or "at". |
| 132 | + |
| 133 | +#### Trust & Safety recommendations |
| 134 | + |
| 135 | +We recommend to log requests (or at least their count) from each server in order to be able to identify and ban the malicious servers who are trying to scrap all visible (including `restricted` ones) users profiles of the federation. |
| 136 | + |
| 137 | +Before, a server needed to join a room to list the users in a room (`restricted`). This scenario is logged in the room state. |
| 138 | +Now with this change, it is possible to list all the restricted users from other servers with no trace left at the protocol level. |
| 139 | + |
| 140 | + |
| 141 | +## Unstable prefix |
| 142 | + |
| 143 | +`fr.tchap.user_directory.visibility` should be used as an unstable identifier for the profile field. |
| 144 | + |
| 145 | +`/_matrix/federation/unstable/fr.tchap/user_directory/search` should be used as an unstable federation endpoint. |
| 146 | + |
| 147 | + |
| 148 | +## Dependencies |
| 149 | + |
| 150 | +This MSC builds on [MSC4133](https://github.com/matrix-org/matrix-spec-proposals/pull/4133) |
0 commit comments