From 010a6b05cda80ab32bd6716e61f54af2011e1e4c Mon Sep 17 00:00:00 2001
From: Olivier 'reivilibre
Date: Fri, 14 Nov 2025 11:36:46 +0000
Subject: [PATCH 1/3] Clarify that servers may not use M_USER_DEACTIVATED when they don't know who is asking See: https://github.com/element-hq/synapse/issues/15747
---
 data/api/client-server/login.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/data/api/client-server/login.yaml b/data/api/client-server/login.yaml
index 28de0be1..95d24ad8 100644
--- a/data/api/client-server/login.yaml
+++ b/data/api/client-server/login.yaml
@@ -262,6 +262,8 @@ paths:
 or the requested device ID is the same as a cross-signing key ID.
 * `M_USER_DEACTIVATED`: The user has been deactivated.
+ Note that servers MAY choose not to use this error code and instead use `M_FORBIDDEN`,
+ particularly when the server can't authenticate the deactivated user.
 content:
 application/json:
 schema:
From afc58cd8dbc18d000e52f69ab9a5a46fa3bddb8d Mon Sep 17 00:00:00 2001
From: Olivier 'reivilibre
Date: Fri, 14 Nov 2025 11:39:13 +0000
Subject: [PATCH 2/3] Newsfile Signed-off-by: Olivier 'reivilibre
---
 changelogs/client_server/newsfragments/2246.clarification | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelogs/client_server/newsfragments/2246.clarification
diff --git a/changelogs/client_server/newsfragments/2246.clarification b/changelogs/client_server/newsfragments/2246.clarification
new file mode 100644
index 00000000..7d2625a6
--- /dev/null
+++ b/changelogs/client_server/newsfragments/2246.clarification
@@ -0,0 +1 @@
+Clarify that servers may choose not to use `M_USER_DEACTIVATED` at login time, for example for privacy reasons when they can't authenticate deactivated users.
From 910340a98b0eaa859a449411646b13aebff3895c Mon Sep 17 00:00:00 2001
From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Date: Tue, 18 Nov 2025 13:19:11 +0000
Subject: [PATCH 3/3] Update wording
---
 data/api/client-server/login.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/api/client-server/login.yaml b/data/api/client-server/login.yaml
index 95d24ad8..3295a046 100644
--- a/data/api/client-server/login.yaml
+++ b/data/api/client-server/login.yaml
@@ -262,8 +262,8 @@ paths:
 or the requested device ID is the same as a cross-signing key ID.
 * `M_USER_DEACTIVATED`: The user has been deactivated.
- Note that servers MAY choose not to use this error code and instead use `M_FORBIDDEN`,
- particularly when the server can't authenticate the deactivated user.
+ Servers MAY instead use `M_FORBIDDEN` when they can no longer authenticate
+ the deactivated user (i.e. their password has been wiped).
 content:
 application/json:
 schema:
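Review bot: The reworded sentence on the `+` lines ties the `M_FORBIDDEN` fallback to a single case with "i.e. their password has been wiped", which reads as the only permitted condition, whereas the newsfragment added in patch 2/3 presents it as an example ("for example for privacy reasons"). The privacy reason is also absent from the spec text itself: answering `M_USER_DEACTIVATED` to a caller who has not proven control of the account discloses that the user ID exists and has been deactivated, which is presumably the concern behind the linked Synapse issue. I would state that reason and loosen the condition, for instance ``Servers MAY instead use `M_FORBIDDEN` when they cannot authenticate the caller as the deactivated user (e.g. because the password has been wiped), to avoid disclosing the account's status.`` The surrounding description starts and ends outside the hunk, so whether its `M_FORBIDDEN` entry needs a matching remark cannot be checked from here.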