Clarify that servers may choose not to use M_USER_DEACTIVATED when they don't know who is asking. (#2246)

Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
2025-12-20 16:38:37 +01:00 · 2025-11-24 17:28:16 +00:00 · 2025-11-24 17:28:16 +00:00 · b1fd2af72c
parent f7a0d8d135
commit b1fd2af72c
2 changed files with 3 additions and 0 deletions
--- a/changelogs/client_server/newsfragments/2246.clarification
+++ b/changelogs/client_server/newsfragments/2246.clarification
@ -0,0 +1 @@
+Clarify that servers may choose not to use `M_USER_DEACTIVATED` at login time, for example for privacy reasons when they can't authenticate deactivated users.
--- a/data/api/client-server/login.yaml
+++ b/data/api/client-server/login.yaml
@ -262,6 +262,8 @@ paths:
                or the requested device ID is the same as a cross-signing key
                ID.
              * `M_USER_DEACTIVATED`: The user has been deactivated.
+                Servers MAY instead use `M_FORBIDDEN` when they can no longer authenticate
+                the deactivated user (e.g. their password has been wiped).
          content:
            application/json:
              schema:
				`@ -0,0 +1 @@`
				Clarify that servers may choose not to use `M_USER_DEACTIVATED` at login time, for example for privacy reasons when they can't authenticate deactivated users.