Clarify that servers may choose not to use M_USER_DEACTIVATED when they don't know who is asking. (#2246 )

Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
secrets.md: trivial grammar fix (#2250 )
2026-04-17 16:44:09 +02:00 · 2025-11-24 17:28:16 +00:00 · 2025-11-24 17:16:38 +00:00
4 changed files with 5 additions and 1 deletions
--- a/changelogs/client_server/newsfragments/2246.clarification
+++ b/changelogs/client_server/newsfragments/2246.clarification
@ -0,0 +1 @@
+Clarify that servers may choose not to use `M_USER_DEACTIVATED` at login time, for example for privacy reasons when they can't authenticate deactivated users.
--- a/changelogs/client_server/newsfragments/2250.clarification
+++ b/changelogs/client_server/newsfragments/2250.clarification
@ -0,0 +1 @@
+Minor grammatical fix in the Secrets module description.
--- a/content/client-server-api/modules/secrets.md
+++ b/content/client-server-api/modules/secrets.md
@ -59,7 +59,7 @@ clients will try to use the default key to decrypt secrets.

 Clients that want to present a simplified interface to users by not supporting
 multiple keys should use the default key if one is specified. If no default
-key is specified, the client may behave as if there is no key is present at
+key is specified, the client may behave as if no key is present at
 all. When such a client creates a key, it should mark that key as being the
 default key.

--- a/data/api/client-server/login.yaml
+++ b/data/api/client-server/login.yaml
@ -262,6 +262,8 @@ paths:
                or the requested device ID is the same as a cross-signing key
                ID.
              * `M_USER_DEACTIVATED`: The user has been deactivated.
+                Servers MAY instead use `M_FORBIDDEN` when they can no longer authenticate
+                the deactivated user (e.g. their password has been wiped).
          content:
            application/json:
              schema:
Author	SHA1	Message	Date
reivilibre	b1fd2af72c	Clarify that servers may choose not to use `M_USER_DEACTIVATED` when they don't know who is asking. (#2246 ) Some checks failed Spec / 🔎 Validate OpenAPI specifications (push) Has been cancelled Details Spec / 🔎 Check Event schema examples (push) Has been cancelled Details Spec / 🔎 Check OpenAPI definitions examples (push) Has been cancelled Details Spec / 🔎 Check JSON Schemas inline examples (push) Has been cancelled Details Spec / ⚙️ Calculate baseURL for later jobs (push) Has been cancelled Details Spec / 📢 Run towncrier for changelog (push) Has been cancelled Details Spell Check / Spell Check with Typos (push) Has been cancelled Details Spec / 🐍 Build OpenAPI definitions (push) Has been cancelled Details Spec / 📖 Build the spec (push) Has been cancelled Details Spec / 🔎 Validate generated HTML (push) Has been cancelled Details Spec / 📖 Build the historical backup spec (push) Has been cancelled Details Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>	2025-11-24 17:28:16 +00:00
Forest	f7a0d8d135	secrets.md: trivial grammar fix (#2250 ) Co-authored-by: Andrew Morgan <andrew@amorgan.xyz>	2025-11-24 17:16:38 +00:00
				`@ -0,0 +1 @@`
				Clarify that servers may choose not to use `M_USER_DEACTIVATED` at login time, for example for privacy reasons when they can't authenticate deactivated users.
				`@ -0,0 +1 @@`
				`Minor grammatical fix in the Secrets module description.`