gitlord
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Code Issues 0 Releases 671 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
842 Branches
288 MiB
 
 
 
 
 
 
Tree: 4f475c7697
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4f475c7697'
${ noResults }
synapse/docs/model/profiles

233 lines
9.7 KiB
Raw Blame History 

  1. ========

  2. Profiles

  3. ========

  4. 

  5. A description of Synapse user profile metadata support.

  6. 

  7. 

  8. Overview

  9. ========

  10. 

  11. Internally within Synapse users are referred to by an opaque ID, which consists

  12. of some opaque localpart combined with the domain name of their home server.

  13. Obviously this does not yield a very nice user experience; users would like to

  14. see readable names for other users that are in some way meaningful to them.

  15. Additionally, users like to be able to publish "profile" details to inform other

  16. users of other information about them.

  17. 

  18. It is also conceivable that since we are attempting to provide a

  19. worldwide-applicable messaging system, that users may wish to present different

  20. subsets of information in their profile to different other people, from a

  21. privacy and permissions perspective.

  22. 

  23. A Profile consists of a display name, an (optional?) avatar picture, and a set

  24. of other metadata fields that the user may wish to publish (email address, phone

  25. numbers, website URLs, etc...). We put no requirements on the display name other

  26. than it being a valid Unicode string. Since it is likely that users will end up

  27. having multiple accounts (perhaps by necessity of being hosted in multiple

  28. places, perhaps by choice of wanting multiple distinct identifies), it would be

  29. useful that a metadata field type exists that can refer to another Synapse User

  30. ID, so that clients and HSes can make use of this information.

  31. 

  32. Metadata Fields

  33. ---------------

  34. 

  35. [[TODO(paul): Likely this list is incomplete; more fields can be defined as we

  36. think of them. At the very least, any sort of supported ID for the 3rd Party ID

  37. servers should be accounted for here.]]

  38. 

  39.  * Synapse Directory Server username(s)

  40. 

  41.  * Email address

  42. 

  43.  * Phone number - classify "home"/"work"/"mobile"/custom?

  44.  

  45.  * Twitter/Facebook/Google+/... social networks

  46. 

  47.  * Location - keep this deliberately vague to allow people to choose how

  48.      granular it is

  49.  

  50.  * "Bio" information - date of birth, etc...

  51. 

  52.  * Synapse User ID of another account

  53. 

  54.  * Web URL

  55. 

  56.  * Freeform description text

  57. 

  58. 

  59. Visibility Permissions

  60. ======================

  61. 

  62. A home server implementation could offer the ability to set permissions on

  63. limited visibility of those fields. When another user requests access to the

  64. target user's profile, their own identity should form part of that request. The

  65. HS implementation can then decide which fields to make available to the

  66. requestor.

  67. 

  68. A particular detail of implementation could allow the user to create one or more

  69. ACLs; where each list is granted permission to see a given set of non-public

  70. fields (compare to Google+ Circles) and contains a set of other people allowed

  71. to use it. By giving these ACLs strong identities within the HS, they can be

  72. referenced in communications with it, granting other users who encounter these

  73. the "ACL Token" to use the details in that ACL.

  74. 

  75. If we further allow an ACL Token to be present on Room join requests or stored

  76. by 3PID servers, then users of these ACLs gain the extra convenience of not

  77. having to manually curate people in the access list; anyone in the room or with

  78. knowledge of the 3rd Party ID is automatically granted access. Every HS and

  79. client implementation would have to be aware of the existence of these ACL

  80. Token, and include them in requests if present, but not every HS implementation

  81. needs to actually provide the full permissions model. This can be used as a

  82. distinguishing feature among competing implementations. However, servers MUST

  83. NOT serve profile information from a cache if there is a chance that its limited

  84. understanding could lead to information leakage.

  85. 

  86. 

  87. Client Concerns of Multiple Accounts

  88. ====================================

  89. 

  90. Because a given person may want to have multiple Synapse User accounts, client

  91. implementations should allow the use of multiple accounts simultaneously

  92. (especially in the field of mobile phone clients, which generally don't support

  93. running distinct instances of the same application). Where features like address

  94. books, presence lists or rooms are presented, the client UI should remember to

  95. make distinct with user account is in use for each.

  96. 

  97. 

  98. Directory Servers

  99. =================

  100. 

  101. Directory Servers can provide a forward mapping from human-readable names to

  102. User IDs. These can provide a service similar to giving domain-namespaced names

  103. for Rooms; in this case they can provide a way for a user to reference their

  104. User ID in some external form (e.g. that can be printed on a business card).

  105. 

  106. The format for Synapse user name will consist of a localpart specific to the

  107. directory server, and the domain name of that directory server:

  108. 

  109.   @localname:some.domain.name

  110. 

  111. The localname is separated from the domain name using a colon, so as to ensure

  112. the localname can still contain periods, as users may want this for similarity

  113. to email addresses or the like, which typically can contain them. The format is

  114. also visually quite distinct from email addresses, phone numbers, etc... so

  115. hopefully reasonably "self-describing" when written on e.g. a business card

  116. without surrounding context.

  117. 

  118. [[TODO(paul): we might have to think about this one - too close to email?

  119.   Twitter? Also it suggests a format scheme for room names of

  120.   #localname:domain.name, which I quite like]]

  121. 

  122. Directory server administrators should be able to make some kind of policy

  123. decision on how these are allocated. Servers within some "closed" domain (such

  124. as company-specific ones) may wish to verify the validity of a mapping using

  125. their own internal mechanisms; "public" naming servers can operate on a FCFS

  126. basis. There are overlapping concerns here with the idea of the 3rd party

  127. identity servers as well, though in this specific case we are creating a new

  128. namespace to allocate names into.

  129. 

  130. It would also be nice from a user experience perspective if the profile that a

  131. given name links to can also declare that name as part of its metadata.

  132. Furthermore as a security and consistency perspective it would be nice if each

  133. end (the directory server and the user's home server) check the validity of the

  134. mapping in some way. This needs investigation from a security perspective to

  135. ensure against spoofing.

  136. 

  137. One such model may be that the user starts by declaring their intent to use a

  138. given user name link to their home server, which then contacts the directory

  139. service. At some point later (maybe immediately for "public open FCFS servers",

  140. maybe after some kind of human intervention for verification) the DS decides to

  141. honour this link, and includes it in its served output. It should also tell the

  142. HS of this fact, so that the HS can present this as fact when requested for the

  143. profile information. For efficiency, it may further wish to provide the HS with

  144. a cryptographically-signed certificate as proof, so the HS serving the profile

  145. can provide that too when asked, avoiding requesting HSes from constantly having

  146. to contact the DS to verify this mapping. (Note: This is similar to the security

  147. model often applied in DNS to verify PTR <-> A bidirectional mappings).

  148. 

  149. 

  150. Identity Servers

  151. ================

  152. 

  153. The identity servers should support the concept of pointing a 3PID being able to

  154. store an ACL Token as well as the main User ID. It is however, beyond scope to

  155. do any kind of verification that any third-party IDs that the profile is

  156. claiming match up to the 3PID mappings.

  157. 

  158. 

  159. User Interface and Expectations Concerns

  160. ========================================

  161. 

  162. Given the weak "security" of some parts of this model as compared to what users

  163. might expect, some care should be taken on how it is presented to users,

  164. specifically in the naming or other wording of user interface components.

  165. 

  166. Most notably mere knowledge of an ACL Pointer is enough to read the information

  167. stored in it. It is possible that Home or Identity Servers could leak this

  168. information, allowing others to see it. This is a security-vs-convenience

  169. balancing choice on behalf of the user who would choose, or not, to make use of

  170. such a feature to publish their information.

  171. 

  172. Additionally, unless some form of strong end-to-end user-based encryption is

  173. used, a user of ACLs for information privacy has to trust other home servers not

  174. to lie about the identify of the user requesting access to the Profile.

  175. 

  176. 

  177. API Requirements

  178. ================

  179. 

  180. The data model presented here puts the following requirements on the APIs:

  181. 

  182. Client-Server

  183. -------------

  184. 

  185. Requests that a client can make to its Home Server

  186. 

  187.  * get/set my Display Name

  188.    This should return/take a simple "text/plain" field

  189. 

  190.  * get/set my Avatar URL

  191.    The avatar image data itself is not stored by this API; we'll just store a

  192.    URL to let the clients fetch it. Optionally HSes could integrate this with

  193.    their generic content attacmhent storage service, allowing a user to set

  194.    upload their profile Avatar and update the URL to point to it.

  195. 

  196.  * get/add/remove my metadata fields

  197.    Also we need to actually define types of metadata

  198. 

  199.  * get another user's Display Name / Avatar / metadata fields

  200. 

  201. [[TODO(paul): At some later stage we should consider the API for:

  202. 

  203.  * get/set ACL permissions on my metadata fields

  204. 

  205.  * manage my ACL tokens

  206. ]]

  207. 

  208. Server-Server

  209. -------------

  210. 

  211. Requests that Home Servers make to others

  212. 

  213.  * get a user's Display Name / Avatar

  214. 

  215.  * get a user's full profile - name/avatar + MD fields

  216.    This request must allow for specifying the User ID of the requesting user,

  217.    for permissions purposes. It also needs to take into account any ACL Tokens

  218.    the requestor has.

  219. 

  220.  * push a change of Display Name to observers (overlaps with the presence API)

  221. 

  222. Room Event PDU Types

  223. --------------------

  224. 

  225. Events that are pushed from Home Servers to other Home Servers or clients.

  226. 

  227.  * user Display Name change

  228.  

  229.  * user Avatar change

  230.    [[TODO(paul): should the avatar image itself be stored in all the room

  231.    histories? maybe this event should just be a hint to clients that they should

  232.    re-fetch the avatar image]]