Merge cf45f4d17b into 2c734c3c5b

Clarify the meaning of "public rooms" in the room directory (#2104 )
Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org> Co-authored-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com> Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
2026-04-28 13:24:10 +02:00 · 2025-05-21 17:42:38 +01:00 · 2025-05-21 16:43:02 +01:00 · 2025-05-21 16:34:29 +01:00 · 2025-05-15 09:47:41 +02:00 · 2025-05-15 09:46:31 +02:00
17 changed files with 491 additions and 446 deletions
--- a/changelogs/client_server/newsfragments/2104.clarification
+++ b/changelogs/client_server/newsfragments/2104.clarification
@ -0,0 +1 @@
 Rooms published in `/publicRooms` don't necessarily have `public` join rules or `world_readable` history visibility.
--- a/changelogs/client_server/newsfragments/2141.clarification
+++ b/changelogs/client_server/newsfragments/2141.clarification
@ -0,0 +1 @@
 Split account registration and management section and OpenAPI definitions.
--- a/changelogs/client_server/newsfragments/2144.clarification
+++ b/changelogs/client_server/newsfragments/2144.clarification
@ -0,0 +1 @@
 Fix typo: as->has.
--- a/changelogs/server_server/newsfragments/2104.clarification
+++ b/changelogs/server_server/newsfragments/2104.clarification
@ -0,0 +1 @@
 Rooms published in `/publicRooms` don't necessarily have `public` join rules or `world_readable` history visibility.
--- a/content/application-service-api.md
+++ b/content/application-service-api.md
@ -492,10 +492,10 @@ via the query string). It is expected that the application service use
 the transactions pushed to it to handle events rather than syncing with
 the user implied by `sender_localpart`.
-#### Application service room directories
+#### Published room directories
-Application services can maintain their own room directories for their
+Application services can maintain their own published room directories for
-defined third-party protocols. These room directories may be accessed by
+their defined third-party protocols. These directories may be accessed by
 clients through additional parameters on the `/publicRooms`
 client-server endpoint.
--- a/content/client-server-api/_index.md
+++ b/content/client-server-api/_index.md
@ -439,7 +439,7 @@ endpoints it supports.
 Most API endpoints require the user to identify themselves by presenting
 previously obtained credentials in the form of an access token.
 An access token is typically obtained via the [Login](#login) or
-[Registration](#account-registration-and-management) processes. Access tokens
+[Registration](#account-registration) processes. Access tokens
 can expire; a new access token can be generated by using a refresh token.
 {{% boxes/note %}}
@ -494,7 +494,7 @@ used to generate a new access token and refresh token, the new access
 and refresh tokens are now bound to the device associated with the
 initial refresh token.
-By default, the [Login](#login) and [Registration](#account-registration-and-management)
+By default, the [Login](#login) and [Registration](#account-registration)
 processes auto-generate a new `device_id`. A client is also free to
 generate its own `device_id` or, provided the user remains the same,
 reuse a device: in either case the client should pass the `device_id` in
@ -1458,9 +1458,11 @@ forwarded to the login endpoint during the login process. For example:
 ### Account registration and management
 #### Account Registration
 {{% http-api spec="client-server" api="registration" %}}
-#### Notes on password management
+#### Password management
 {{% boxes/warning %}}
 Clients SHOULD enforce that the password provided is suitably complex.
@ -1469,6 +1471,14 @@ number and a symbol and be at a minimum 8 characters in length. Servers
 MAY reject weak passwords with an error code `M_WEAK_PASSWORD`.
 {{% /boxes/warning %}}
 {{% http-api spec="client-server" api="password_management" %}}
 #### Account deactivation
 {{% http-api spec="client-server" api="account_deactivation" %}}
 ### Account moderation
 #### Account locking
 {{% added-in v="1.12" %}}
@ -2846,7 +2856,35 @@ re-invited.
 {{% http-api spec="client-server" api="banning" %}}
-### Listing rooms
+### Published room directory
 Homeservers MAY publish a room directory to allow users to discover rooms. A room
 can have one of two visibility settings in the directory:
 -   `public`: The room will be shown in the published room directory.
 -   `private`: The room will be hidden from the published room directory.
 Clients can define a room's initial visibility in the directory via the `visibility`
 parameter in [`/createRoom`](#post_matrixclientv3createroom). Irrespective of room
 creation, clients can query and change a room's visibility in the directory through
 the endpoints listed below, provided that the server permits this.
 {{% boxes/warning %}}
 The visibility setting merely defines whether a room is included in the published
 room directory or not. It doesn't make any guarantees about the room's
 [join rule](#mroomjoin_rules) or [history visibility](#room-history-visibility).
 In particular, a visibility setting of `public` should not be confused with a `public`
 join rule. Rooms with a join rule of `knock`, for instance, could reasonably be published
 in the directory, too.
 Similarly, a visibility setting of `public` does not necessarily imply a `world_readable`
 history visibility.
 To increase performance or by preference, servers MAY apply additional filters when listing the
 directory, for instance, by automatically excluding rooms with `invite` join rules
 that are not `world_readable` regardless of their visibility.
 {{% /boxes/warning %}}
 {{% http-api spec="client-server" api="list_public_rooms" %}}
--- a/content/client-server-api/modules/end_to_end_encryption.md
+++ b/content/client-server-api/modules/end_to_end_encryption.md
@ -528,7 +528,7 @@ messages, Alice only sends one request event (an event with type
 `m.room.message` with `msgtype: m.key.verification.request`, rather than an
 event with type `m.key.verification.request`), to the room. In addition, Alice
 does not send an `m.key.verification.cancel` event to tell Bob's other devices
-that the request as already been accepted; instead, when Bob's other devices
+that the request has already been accepted; instead, when Bob's other devices
 see his `m.key.verification.ready` event, they will know that the request has
 already been accepted, and that they should ignore the request.
--- a/content/server-server-api.md
+++ b/content/server-server-api.md
@ -1048,11 +1048,10 @@ user's Matrix ID and the token delivered when the invite was stored,
 this verification will prove that the `m.room.member` invite event comes
 from the user owning the invited third-party identifier.
-## Public Room Directory
+## Published Room Directory
-To complement the [Client-Server
+To complement the [room directory in the Client-Server API](/client-server-api#published-room-directory), 
-API](/client-server-api)'s room directory,
+homeservers need a way to query the published rooms of another server.
 homeservers need a way to query the public rooms for another server.
 This can be done by making a request to the `/publicRooms` endpoint for
 the server the room directory should be retrieved for.
--- a/data/api/client-server/account_deactivation.yaml
+++ b/data/api/client-server/account_deactivation.yaml
@ -0,0 +1,141 @@
 # Copyright 2016 OpenMarket Ltd
 # Copyright 2022 The Matrix.org Foundation C.I.C.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 openapi: 3.1.0
 info:
  title: Matrix Client-Server Account Deactivation API
  version: 1.0.0
 paths:
  /account/deactivate:
    post:
      summary: Deactivate a user's account.
      description: |-
        Deactivate the user's account, removing all ability for the user to
        login again.
        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).
        An access token should be submitted to this endpoint if the client has
        an active session.
        The homeserver may change the flows available depending on whether a
        valid access token is provided.
        Unlike other endpoints, this endpoint does not take an `id_access_token`
        parameter because the homeserver is expected to sign the request to the
        identity server instead.
      security:
        - {}
        - accessTokenQuery: []
        - accessTokenBearer: []
      operationId: deactivateAccount
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                auth:
                  description: Additional authentication information for the user-interactive
                    authentication API.
                  allOf:
                    - $ref: definitions/auth_data.yaml
                id_server:
                  type: string
                  description: |-
                    The identity server to unbind all of the user's 3PIDs from.
                    If not provided, the homeserver MUST use the `id_server`
                    that was originally use to bind each identifier. If the
                    homeserver does not know which `id_server` that was,
                    it must return an `id_server_unbind_result` of
                    `no-support`.
                  example: example.org
                erase:
                  x-addedInMatrixVersion: "1.10"
                  type: boolean
                  description: |-
                    Whether the user would like their content to be erased as
                    much as possible from the server.
                    Erasure means that any users (or servers) which join the
                    room after the erasure request are served redacted copies of
                    the events sent by this account. Users which had visibility
                    on those events prior to the erasure are still able to see
                    unredacted copies. No redactions are sent and the erasure
                    request is not shared over federation, so other servers
                    might still serve unredacted copies.
                    The server should additionally erase any non-event data
                    associated with the user, such as [account data](/client-server-api/#client-config)
                    and [contact 3PIDs](/client-server-api/#adding-account-administrative-contact-information).
                    Defaults to `false` if not present.
        required: true
      responses:
        "200":
          description: The account has been deactivated.
          content:
            application/json:
              schema:
                type: object
                properties:
                  id_server_unbind_result:
                    type: string
                    enum:
                      - success
                      - no-support
                    description: |-
                      An indicator as to whether or not the homeserver was able to unbind
                      the user's 3PIDs from the identity server(s). `success` indicates
                      that all identifiers have been unbound from the identity server while
                      `no-support` indicates that one or more identifiers failed to unbind
                      due to the identity server refusing the request or the homeserver
                      being unable to determine an identity server to unbind from. This
                      must be `success` if the homeserver has no identifiers to unbind
                      for the user.
                    example: success
                required:
                  - id_server_unbind_result
        "401":
          description: The homeserver requires additional authentication information.
          content:
            application/json:
              schema:
                $ref: definitions/auth_response.yaml
        "429":
          description: This request was rate-limited.
          content:
            application/json:
              schema:
                $ref: definitions/errors/rate_limited.yaml
      tags:
        - Account management
 servers:
  - url: "{protocol}://{hostname}{basePath}"
    variables:
      protocol:
        enum:
          - http
          - https
        default: https
      hostname:
        default: localhost:8008
      basePath:
        default: /_matrix/client/v3
 components:
  securitySchemes:
    accessTokenQuery:
      $ref: definitions/security.yaml#/accessTokenQuery
    accessTokenBearer:
      $ref: definitions/security.yaml#/accessTokenBearer
--- a/data/api/client-server/appservice_room_directory.yaml
+++ b/data/api/client-server/appservice_room_directory.yaml
@ -13,18 +13,21 @@
 # limitations under the License.
 openapi: 3.1.0
 info:
-  title: Matrix Client-Server Application Service Room Directory API
+  title: Matrix Client-Server Application Service Published Room Directory API
  version: 1.0.0
 paths:
  "/directory/list/appservice/{networkId}/{roomId}":
    put:
-      summary: Updates a room's visibility in the application service's room directory.
+      summary: |-
-      description: |-
+        Updates a room's visibility in the application service's published room
        Updates the visibility of a given room on the application service's room
        directory.
      description: |-
        Updates the visibility of a given room in the application service's
        published room directory.
-        This API is similar to the room directory visibility API used by clients
+        This API is similar to the
-        to update the homeserver's more general room directory.
+        [visibility API](/client-server-api#put_matrixclientv3directorylistroomroomid)
        used by clients to update the homeserver's more general published room directory.
        This API requires the use of an application service access token (`as_token`)
        instead of a typical client's access_token. This API cannot be invoked by
--- a/data/api/client-server/create_room.yaml
+++ b/data/api/client-server/create_room.yaml
@ -87,12 +87,9 @@ paths:
                    - public
                    - private
                  description: |-
-                    A `public` visibility indicates that the room will be shown
+                    The room's visibility in the server's
-                    in the published room list. A `private` visibility will hide
+                    [published room directory](/client-server-api#published-room-directory).
-                    the room from the published room list. Rooms default to
+                    Defaults to `private`.
                    `private` visibility if this key is not included. NB: This
                    should not be confused with `join_rules` which also uses the
                    word `public`.
                room_alias_name:
                  type: string
                  description: |-
--- a/data/api/client-server/definitions/public_rooms_chunk.yaml
+++ b/data/api/client-server/definitions/public_rooms_chunk.yaml
@ -13,7 +13,7 @@
 # limitations under the License.
 type: object
-title: "PublicRoomsChunk"
+title: "PublishedRoomsChunk"
 properties:
  canonical_alias:
    type: string
--- a/data/api/client-server/definitions/public_rooms_response.yaml
+++ b/data/api/client-server/definitions/public_rooms_response.yaml
@ -13,28 +13,15 @@
 # limitations under the License.
 type: object
-description: A list of the rooms on the server.
+description: A list of the published rooms on the server.
 required: ["chunk"]
 properties:
  chunk:
    type: array
    description: |-
-      A paginated chunk of public rooms.
+      A paginated chunk of published rooms.
    items:
-      allOf:
+      $ref: "public_rooms_chunk.yaml"
        - $ref: "public_rooms_chunk.yaml"
        - type: object
          title: PublicRoomsChunk
          properties:
            # Override description of join_rule
            join_rule:
              type: string
              description: |-
                The room's join rule. When not present, the room is assumed to
                be `public`. Note that rooms with `invite` join rules are not
                expected here, but rooms with `knock` rules are given their
                near-public nature.
              example: "public"
  next_batch:
    type: string
    description: |-
@ -50,7 +37,7 @@ properties:
  total_room_count_estimate:
    type: integer
    description: |-
-        An estimate on the total number of public rooms, if the
+        An estimate on the total number of published rooms, if the
        server has an estimate.
 example: {
  "chunk": [
--- a/data/api/client-server/list_public_rooms.yaml
+++ b/data/api/client-server/list_public_rooms.yaml
@ -13,14 +13,15 @@
 # limitations under the License.
 openapi: 3.1.0
 info:
-  title: Matrix Client-Server Room Directory API
+  title: Matrix Client-Server Published Room Directory API
  version: 1.0.0
 paths:
  "/directory/list/room/{roomId}":
    get:
      summary: Gets the visibility of a room in the directory
-      description: Gets the visibility of a given room on the server's public room
+      description: |-
-        directory.
+        Gets the visibility of a given room in the server's
        published room directory.
      operationId: getRoomVisibilityOnDirectory
      parameters:
        - in: path
@ -32,7 +33,7 @@ paths:
            type: string
      responses:
        "200":
-          description: The visibility of the room in the directory
+          description: The visibility of the room in the directory.
          content:
            application/json:
              schema:
@ -50,7 +51,7 @@ paths:
                    "visibility": "public"
                  }
        "404":
-          description: The room is not known to the server
+          description: The room is not known to the server.
          content:
            application/json:
              schema:
@ -64,14 +65,13 @@ paths:
      tags:
        - Room discovery
    put:
-      summary: Sets the visibility of a room in the room directory
+      summary: Sets the visibility of a room in the directory
      description: |-
-        Sets the visibility of a given room in the server's public room
+        Sets the visibility of a given room in the server's published room directory.
        directory.
-        Servers may choose to implement additional access control checks
+        Servers MAY implement additional access control checks, for instance,
-        here, for instance that room visibility can only be changed by
+        to ensure that a room's visibility can only be changed by the room creator
-        the room creator or a server administrator.
+        or a server administrator.
      operationId: setRoomVisibilityOnDirectory
      security:
        - accessTokenQuery: []
@ -97,11 +97,11 @@ paths:
                    - public
                  description: |-
                    The new visibility setting for the room.
-                    Defaults to 'public'.
+                    Defaults to `public`.
              example: {
                "visibility": "public"
              }
-        description: The new visibility for the room on the room directory.
+        description: The new visibility for the room in the published room directory.
        required: true
      responses:
        "200":
@ -114,7 +114,7 @@ paths:
                response:
                  value: {}
        "404":
-          description: The room is not known to the server
+          description: The room is not known to the server.
          content:
            application/json:
              schema:
@ -129,9 +129,9 @@ paths:
        - Room discovery
  /publicRooms:
    get:
-      summary: Lists the public rooms on the server.
+      summary: Lists a server's published room directory
      description: |-
-        Lists the public rooms on the server.
+        Lists a server's published room directory.
        This API returns paginated responses. The rooms are ordered by the number
        of joined members, with the largest rooms first.
@ -154,13 +154,13 @@ paths:
        - in: query
          name: server
          description: |-
-            The server to fetch the public room lists from. Defaults to the
+            The server to fetch the published room directory from. Defaults
-            local server. Case sensitive.
+            to the local server. Case sensitive.
          schema:
            type: string
      responses:
        "200":
-          description: A list of the rooms on the server.
+          description: A list of the published rooms on the server.
          content:
            application/json:
              schema:
@ -168,9 +168,9 @@ paths:
      tags:
        - Room discovery
    post:
-      summary: Lists the public rooms on the server with optional filter.
+      summary: Lists a server's published room directory with an optional filter
      description: |-
-        Lists the public rooms on the server, with optional filter.
+        Lists a server's published room directory with an optional filter.
        This API returns paginated responses. The rooms are ordered by the number
        of joined members, with the largest rooms first.
@ -182,8 +182,8 @@ paths:
        - in: query
          name: server
          description: |-
-            The server to fetch the public room lists from. Defaults to the
+            The server to fetch the published room directory from. Defaults
-            local server. Case sensitive.
+            to the local server. Case sensitive.
          schema:
            type: string
      requestBody:
@ -253,7 +253,7 @@ paths:
        required: true
      responses:
        "200":
-          description: A list of the rooms on the server.
+          description: A filtered list of the published rooms on the server.
          content:
            application/json:
              schema:
--- a/data/api/client-server/password_management.yaml
+++ b/data/api/client-server/password_management.yaml
@ -0,0 +1,242 @@
 # Copyright 2016 OpenMarket Ltd
 # Copyright 2022 The Matrix.org Foundation C.I.C.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 openapi: 3.1.0
 info:
  title: Matrix Client-Server Password Management API
  version: 1.0.0
 paths:
  /account/password:
    post:
      summary: Changes a user's password.
      description: |-
        Changes the password for an account on this homeserver.
        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api) to
        ensure the user changing the password is actually the owner of the
        account.
        An access token should be submitted to this endpoint if the client has
        an active session.
        The homeserver may change the flows available depending on whether a
        valid access token is provided. The homeserver SHOULD NOT revoke the
        access token provided in the request. Whether other access tokens for
        the user are revoked depends on the request parameters.
      security:
        - {}
        - accessTokenQuery: []
        - accessTokenBearer: []
      operationId: changePassword
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                new_password:
                  type: string
                  description: The new password for the account.
                  example: ihatebananas
                logout_devices:
                  type: boolean
                  description: |-
                    Whether the user's other access tokens, and their associated devices, should be
                    revoked if the request succeeds. Defaults to true.
                    When `false`, the server can still take advantage of the [soft logout method](/client-server-api/#soft-logout)
                    for the user's remaining devices.
                  example: true
                auth:
                  description: Additional authentication information for the user-interactive
                    authentication API.
                  allOf:
                    - $ref: definitions/auth_data.yaml
              required:
                - new_password
        required: true
      responses:
        "200":
          description: The password has been changed.
          content:
            application/json:
              schema:
                type: object
              examples:
                response:
                  value: {}
        "401":
          description: The homeserver requires additional authentication information.
          content:
            application/json:
              schema:
                $ref: definitions/auth_response.yaml
        "429":
          description: This request was rate-limited.
          content:
            application/json:
              schema:
                $ref: definitions/errors/rate_limited.yaml
      tags:
        - Account management
  /account/password/email/requestToken:
    post:
      summary: Requests a validation token be sent to the given email address for the
        purpose of resetting a user's password
      description: |-
        The homeserver must check that the given email address **is
        associated** with an account on this homeserver. This API should be
        used to request validation tokens when authenticating for the
        `/account/password` endpoint.
        This API's parameters and response are identical to that of the
        [`/register/email/requestToken`](/client-server-api/#post_matrixclientv3registeremailrequesttoken)
        endpoint, except that
        `M_THREEPID_NOT_FOUND` may be returned if no account matching the
        given email address could be found. The server may instead send an
        email to the given address prompting the user to create an account.
        `M_THREEPID_IN_USE` may not be returned.
        The homeserver should validate the email itself, either by sending a
        validation email itself or by using a service it has control over.
      operationId: requestTokenToResetPasswordEmail
      requestBody:
        content:
          application/json:
            schema:
              $ref: definitions/request_email_validation.yaml
        required: true
      responses:
        "200":
          description: An email was sent to the given address.
          content:
            application/json:
              schema:
                $ref: definitions/request_token_response.yaml
        "400":
          description: |-
            The referenced third-party identifier is not recognised by the
            homeserver, or the request was invalid. The error code `M_SERVER_NOT_TRUSTED`
            can be returned if the server does not trust/support the identity server
            provided in the request.
          content:
            application/json:
              schema:
                $ref: definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_THREEPID_NOT_FOUND",
                    "error": "Email not found"
                  }
        "403":
          description: |-
            The homeserver does not allow the third-party identifier as a
            contact option.
          content:
            application/json:
              schema:
                $ref: definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_THREEPID_DENIED",
                    "error": "Third-party identifier is not allowed"
                  }
      tags:
        - Account management
  /account/password/msisdn/requestToken:
    post:
      summary: Requests a validation token be sent to the given phone number for the
        purpose of resetting a user's password.
      description: |-
        The homeserver must check that the given phone number **is
        associated** with an account on this homeserver. This API should be
        used to request validation tokens when authenticating for the
        `/account/password` endpoint.
        This API's parameters and response are identical to that of the
        [`/register/msisdn/requestToken`](/client-server-api/#post_matrixclientv3registermsisdnrequesttoken)
        endpoint, except that
        `M_THREEPID_NOT_FOUND` may be returned if no account matching the
        given phone number could be found. The server may instead send the SMS
        to the given phone number prompting the user to create an account.
        `M_THREEPID_IN_USE` may not be returned.
        The homeserver should validate the phone number itself, either by sending a
        validation message itself or by using a service it has control over.
      operationId: requestTokenToResetPasswordMSISDN
      requestBody:
        content:
          application/json:
            schema:
              $ref: definitions/request_msisdn_validation.yaml
        required: true
      responses:
        "200":
          description: An SMS message was sent to the given phone number.
          content:
            application/json:
              schema:
                $ref: definitions/request_token_response.yaml
        "400":
          description: |-
            The referenced third-party identifier is not recognised by the
            homeserver, or the request was invalid. The error code `M_SERVER_NOT_TRUSTED`
            can be returned if the server does not trust/support the identity server
            provided in the request.
          content:
            application/json:
              schema:
                $ref: definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_THREEPID_NOT_FOUND",
                    "error": "Phone number not found"
                  }
        "403":
          description: |-
            The homeserver does not allow the third-party identifier as a
            contact option.
          content:
            application/json:
              schema:
                $ref: definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_THREEPID_DENIED",
                    "error": "Third-party identifier is not allowed"
                  }
      tags:
        - Account management
 servers:
  - url: "{protocol}://{hostname}{basePath}"
    variables:
      protocol:
        enum:
          - http
          - https
        default: https
      hostname:
        default: localhost:8008
      basePath:
        default: /_matrix/client/v3
 components:
  securitySchemes:
    accessTokenQuery:
      $ref: definitions/security.yaml#/accessTokenQuery
    accessTokenBearer:
      $ref: definitions/security.yaml#/accessTokenBearer
--- a/data/api/client-server/registration.yaml
+++ b/data/api/client-server/registration.yaml
@ -373,315 +373,6 @@ paths:
                  }
      tags:
        - Account management
  /account/password:
    post:
      summary: Changes a user's password.
      description: |-
        Changes the password for an account on this homeserver.
        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api) to
        ensure the user changing the password is actually the owner of the
        account.
        An access token should be submitted to this endpoint if the client has
        an active session.
        The homeserver may change the flows available depending on whether a
        valid access token is provided. The homeserver SHOULD NOT revoke the
        access token provided in the request. Whether other access tokens for
        the user are revoked depends on the request parameters.
      security:
        - {}
        - accessTokenQuery: []
        - accessTokenBearer: []
      operationId: changePassword
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                new_password:
                  type: string
                  description: The new password for the account.
                  example: ihatebananas
                logout_devices:
                  type: boolean
                  description: |-
                    Whether the user's other access tokens, and their associated devices, should be
                    revoked if the request succeeds. Defaults to true.
                    When `false`, the server can still take advantage of the [soft logout method](/client-server-api/#soft-logout)
                    for the user's remaining devices.
                  example: true
                auth:
                  description: Additional authentication information for the user-interactive
                    authentication API.
                  allOf:
                    - $ref: definitions/auth_data.yaml
              required:
                - new_password
        required: true
      responses:
        "200":
          description: The password has been changed.
          content:
            application/json:
              schema:
                type: object
              examples:
                response:
                  value: {}
        "401":
          description: The homeserver requires additional authentication information.
          content:
            application/json:
              schema:
                $ref: definitions/auth_response.yaml
        "429":
          description: This request was rate-limited.
          content:
            application/json:
              schema:
                $ref: definitions/errors/rate_limited.yaml
      tags:
        - Account management
  /account/password/email/requestToken:
    post:
      summary: Requests a validation token be sent to the given email address for the
        purpose of resetting a user's password
      description: |-
        The homeserver must check that the given email address **is
        associated** with an account on this homeserver. This API should be
        used to request validation tokens when authenticating for the
        `/account/password` endpoint.
        This API's parameters and response are identical to that of the
        [`/register/email/requestToken`](/client-server-api/#post_matrixclientv3registeremailrequesttoken)
        endpoint, except that
        `M_THREEPID_NOT_FOUND` may be returned if no account matching the
        given email address could be found. The server may instead send an
        email to the given address prompting the user to create an account.
        `M_THREEPID_IN_USE` may not be returned.
        The homeserver should validate the email itself, either by sending a
        validation email itself or by using a service it has control over.
      operationId: requestTokenToResetPasswordEmail
      requestBody:
        content:
          application/json:
            schema:
              $ref: definitions/request_email_validation.yaml
        required: true
      responses:
        "200":
          description: An email was sent to the given address.
          content:
            application/json:
              schema:
                $ref: definitions/request_token_response.yaml
        "400":
          description: |-
            The referenced third-party identifier is not recognised by the
            homeserver, or the request was invalid. The error code `M_SERVER_NOT_TRUSTED`
            can be returned if the server does not trust/support the identity server
            provided in the request.
          content:
            application/json:
              schema:
                $ref: definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_THREEPID_NOT_FOUND",
                    "error": "Email not found"
                  }
        "403":
          description: |-
            The homeserver does not allow the third-party identifier as a
            contact option.
          content:
            application/json:
              schema:
                $ref: definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_THREEPID_DENIED",
                    "error": "Third-party identifier is not allowed"
                  }
      tags:
        - Account management
  /account/password/msisdn/requestToken:
    post:
      summary: Requests a validation token be sent to the given phone number for the
        purpose of resetting a user's password.
      description: |-
        The homeserver must check that the given phone number **is
        associated** with an account on this homeserver. This API should be
        used to request validation tokens when authenticating for the
        `/account/password` endpoint.
        This API's parameters and response are identical to that of the
        [`/register/msisdn/requestToken`](/client-server-api/#post_matrixclientv3registermsisdnrequesttoken)
        endpoint, except that
        `M_THREEPID_NOT_FOUND` may be returned if no account matching the
        given phone number could be found. The server may instead send the SMS
        to the given phone number prompting the user to create an account.
        `M_THREEPID_IN_USE` may not be returned.
        The homeserver should validate the phone number itself, either by sending a
        validation message itself or by using a service it has control over.
      operationId: requestTokenToResetPasswordMSISDN
      requestBody:
        content:
          application/json:
            schema:
              $ref: definitions/request_msisdn_validation.yaml
        required: true
      responses:
        "200":
          description: An SMS message was sent to the given phone number.
          content:
            application/json:
              schema:
                $ref: definitions/request_token_response.yaml
        "400":
          description: |-
            The referenced third-party identifier is not recognised by the
            homeserver, or the request was invalid. The error code `M_SERVER_NOT_TRUSTED`
            can be returned if the server does not trust/support the identity server
            provided in the request.
          content:
            application/json:
              schema:
                $ref: definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_THREEPID_NOT_FOUND",
                    "error": "Phone number not found"
                  }
        "403":
          description: |-
            The homeserver does not allow the third-party identifier as a
            contact option.
          content:
            application/json:
              schema:
                $ref: definitions/errors/error.yaml
              examples:
                response:
                  value: {
                    "errcode": "M_THREEPID_DENIED",
                    "error": "Third-party identifier is not allowed"
                  }
      tags:
        - Account management
  /account/deactivate:
    post:
      summary: Deactivate a user's account.
      description: |-
        Deactivate the user's account, removing all ability for the user to
        login again.
        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).
        An access token should be submitted to this endpoint if the client has
        an active session.
        The homeserver may change the flows available depending on whether a
        valid access token is provided.
        Unlike other endpoints, this endpoint does not take an `id_access_token`
        parameter because the homeserver is expected to sign the request to the
        identity server instead.
      security:
        - {}
        - accessTokenQuery: []
        - accessTokenBearer: []
      operationId: deactivateAccount
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                auth:
                  description: Additional authentication information for the user-interactive
                    authentication API.
                  allOf:
                    - $ref: definitions/auth_data.yaml
                id_server:
                  type: string
                  description: |-
                    The identity server to unbind all of the user's 3PIDs from.
                    If not provided, the homeserver MUST use the `id_server`
                    that was originally use to bind each identifier. If the
                    homeserver does not know which `id_server` that was,
                    it must return an `id_server_unbind_result` of
                    `no-support`.
                  example: example.org
                erase:
                  x-addedInMatrixVersion: "1.10"
                  type: boolean
                  description: |-
                    Whether the user would like their content to be erased as
                    much as possible from the server.
                    Erasure means that any users (or servers) which join the
                    room after the erasure request are served redacted copies of
                    the events sent by this account. Users which had visibility
                    on those events prior to the erasure are still able to see
                    unredacted copies. No redactions are sent and the erasure
                    request is not shared over federation, so other servers
                    might still serve unredacted copies.
                    The server should additionally erase any non-event data
                    associated with the user, such as [account data](/client-server-api/#client-config)
                    and [contact 3PIDs](/client-server-api/#adding-account-administrative-contact-information).
                    Defaults to `false` if not present.
        required: true
      responses:
        "200":
          description: The account has been deactivated.
          content:
            application/json:
              schema:
                type: object
                properties:
                  id_server_unbind_result:
                    type: string
                    enum:
                      - success
                      - no-support
                    description: |-
                      An indicator as to whether or not the homeserver was able to unbind
                      the user's 3PIDs from the identity server(s). `success` indicates
                      that all identifiers have been unbound from the identity server while
                      `no-support` indicates that one or more identifiers failed to unbind
                      due to the identity server refusing the request or the homeserver
                      being unable to determine an identity server to unbind from. This
                      must be `success` if the homeserver has no identifiers to unbind
                      for the user.
                    example: success
                required:
                  - id_server_unbind_result
        "401":
          description: The homeserver requires additional authentication information.
          content:
            application/json:
              schema:
                $ref: definitions/auth_response.yaml
        "429":
          description: This request was rate-limited.
          content:
            application/json:
              schema:
                $ref: definitions/errors/rate_limited.yaml
      tags:
        - Account management
  /register/available:
    get:
      summary: Checks to see if a username is available on the server.
--- a/data/api/server-server/public_rooms.yaml
+++ b/data/api/server-server/public_rooms.yaml
@ -13,16 +13,20 @@
 # limitations under the License.
 openapi: 3.1.0
 info:
-  title: Matrix Federation Public Rooms API
+  title: Matrix Federation Published Room Directory API
  version: 1.0.0
 paths:
  /publicRooms:
    get:
-      summary: Get all the public rooms for a homeserver
+      summary: Lists the server's published room directory
      description: |-
-        Gets all the public rooms for the homeserver. This should not return
+        Lists the server's published room directory.
-        rooms that are listed on another homeserver's directory, just those
+
-        listed on the receiving homeserver's directory.
+        This API returns paginated responses. The rooms are ordered by the number
        of joined members, with the largest rooms first.
        This SHOULD not return rooms that are listed on another homeserver's directory,
        just those listed on the receiving homeserver's directory.
      operationId: getPublicRooms
      security:
        - signedRequest: []
@ -62,21 +66,18 @@ paths:
            type: string
      responses:
        "200":
-          description: The public room list for the homeserver.
+          description: A list of the published rooms on the server.
          content:
            application/json:
              schema:
                $ref: ../client-server/definitions/public_rooms_response.yaml
    post:
-      summary: Gets the public rooms on the server with optional filter.
+      summary: Lists the server's published room directory with an optional filter
      description: |-
-        Lists the public rooms on the server, with optional filter.
+        Lists the server's published room directory with an optional filter.
        This API returns paginated responses. The rooms are ordered by the number
        of joined members, with the largest rooms first.
        Note that this endpoint receives and returns the same format that is seen
        in the Client-Server API's `POST /publicRooms` endpoint.
      operationId: queryPublicRooms
      security:
        - signedRequest: []
@ -147,69 +148,11 @@ paths:
        required: true
      responses:
        "200":
-          description: A list of the rooms on the server.
+          description: A filtered list of the published rooms on the server.
          content:
            application/json:
              schema:
-                type: object
+                $ref: ../client-server/definitions/public_rooms_response.yaml
                description: A list of the rooms on the server.
                required:
                  - chunk
                properties:
                  chunk:
                    title: PublicRoomsChunks
                    type: array
                    description: A paginated chunk of public rooms.
                    items:
                      allOf:
                        - $ref: ../client-server/definitions/public_rooms_chunk.yaml
                        - type: object
                          properties:
                            # Override description of join_rule
                            join_rule:
                              type: string
                              description: |-
                                The room's join rule. When not present, the room is assumed to
                                be `public`. Note that rooms with `invite` join rules are not
                                expected here, but rooms with `knock` rules are given their
                                near-public nature.
                  next_batch:
                    type: string
                    description: |-
                      A pagination token for the response. The absence of this token
                      means there are no more results to fetch and the client should
                      stop paginating.
                  prev_batch:
                    type: string
                    description: |-
                      A pagination token that allows fetching previous results. The
                      absence of this token means there are no results before this
                      batch, i.e. this is the first batch.
                  total_room_count_estimate:
                    type: integer
                    description: |-
                      An estimate on the total number of public rooms, if the
                      server has an estimate.
              examples:
                response:
                  value: {
                    "chunk": [
                      {
                        "avatar_url": "mxc://bleecker.street/CHEDDARandBRIE",
                        "guest_can_join": false,
                        "name": "CHEESE",
                        "num_joined_members": 37,
                        "room_id": "!ol19s:bleecker.street",
                        "topic": "Tasty tasty cheese",
                        "world_readable": true,
                        "join_rule": "public",
                        "room_type": "m.space"
                      }
                    ],
                    "next_batch": "p190q",
                    "prev_batch": "p1902",
                    "total_room_count_estimate": 115
                  }
 servers:
  - url: "{protocol}://{hostname}{basePath}"
    variables:
Author	SHA1	Message	Date
Kévin Commaille	6f4caf5e1e	Merge `cf45f4d17b` into `2c734c3c5b`	2025-05-21 17:42:38 +01:00
Johannes Marbach	2c734c3c5b	Clarify the meaning of "public rooms" in the room directory (#2104 ) Some checks failed Spec / 🔎 Validate OpenAPI specifications (push) Has been cancelled Details Spec / 🔎 Check Event schema examples (push) Has been cancelled Details Spec / 🔎 Check OpenAPI definitions examples (push) Has been cancelled Details Spec / 🔎 Check JSON Schemas inline examples (push) Has been cancelled Details Spec / ⚙️ Calculate baseURL for later jobs (push) Has been cancelled Details Spec / 📢 Run towncrier for changelog (push) Has been cancelled Details Spell Check / Spell Check with Typos (push) Has been cancelled Details Spec / 🐍 Build OpenAPI definitions (push) Has been cancelled Details Spec / 📖 Build the spec (push) Has been cancelled Details Spec / 🔎 Validate generated HTML (push) Has been cancelled Details Spec / 📖 Build the historical backup spec (push) Has been cancelled Details Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org> Co-authored-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com> Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>	2025-05-21 16:43:02 +01:00
Andy Balaam	075d203ecd	Fix typo: as->has (#2144 ) Signed-off-by: Andy Balaam <andy.balaam@matrix.org>	2025-05-21 16:34:29 +01:00
Kévin Commaille	cf45f4d17b	Fix title name Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>	2025-05-15 09:47:41 +02:00
Kévin Commaille	3e7736e0f6	Re-group registration Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>	2025-05-15 09:46:31 +02:00
Kévin Commaille	c68a87cded	Fix links Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>	2025-05-14 13:11:52 +02:00
Kévin Commaille	4e51949ad6	Add changelog Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>	2025-05-14 13:06:39 +02:00
Kévin Commaille	2b0119e0b0	Split account registration and management section Since account locking and suspension are authentication API agnostic, this is a pre-requisite to adding the new OAuth 2.0-based API. This also splits the endpoints that where all included in the registration OpenAPI data, to separate them cleanly in the spec, and avoid having deactivation show before registration. Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>	2025-05-14 12:59:10 +02:00
		`@ -0,0 +1 @@`
							Rooms published in `/publicRooms` don't necessarily have `public` join rules or `world_readable` history visibility.
		`@ -0,0 +1 @@`
							`Split account registration and management section and OpenAPI definitions.`