|
| 1 | +# MSC3760: State sub-keys |
| 2 | + |
| 3 | +## Problem |
| 4 | + |
| 5 | +Currently there are three main ways to limit who can overwrite a state event: |
| 6 | + |
| 7 | + * If a user's PL is greater than the `m.room.power_levels` `state_default` field |
| 8 | + * If a user's PL is greater than the `m.room.power_levels` `events` field for that event type |
| 9 | + * If a state event has a state key which begins with an `@`, then the sender's mxid must match that state key. |
| 10 | + |
| 11 | +This is problematic if an unprivileged user needs to publish multiple state events of the same type in a room, but would like to set access control so that only they can subsequently update the event. An example of this is if a user wishes to publish multiple live location share beacons as per [MSC3489](https://github.com/matrix-org/matrix-spec-proposals/pull/3489) and [MSC3672](https://github.com/matrix-org/matrix-spec-proposals/pull/3672). They will typically not want other users in the room to be able to overwrite the state event, so we need a mechanism to prevent other peers from doing so. |
| 12 | + |
| 13 | +## Proposal |
| 14 | + |
| 15 | +We propose adding an optional `state_subkey` top-level field that allows multiple state events to exist which all have the same `state_key` but represent different pieces of state. |
| 16 | + |
| 17 | +This means that the existing rules around access control to state events can be unchanged, but now one user can own multiple pieces of state that have the same `type`. |
| 18 | + |
| 19 | +For example, to post a live location sharing beacon from [MSC3672](https://github.com/matrix-org/matrix-spec-proposals/pull/3672): |
| 20 | + |
| 21 | +```json= |
| 22 | +{ |
| 23 | + "type": "m.beacon_info", |
| 24 | + "state_key": "@stefan:matrix.org", // Ensures the sender has control |
| 25 | + "state_subkey": "asset1", // Does not clash with other events |
| 26 | + "content": { |
| 27 | + "m.beacon_info": { |
| 28 | + "description": "Stefan's live location", |
| 29 | + "timeout": 600000, |
| 30 | + "live": true |
| 31 | + }, |
| 32 | + "m.ts": 1436829458432, |
| 33 | + "m.asset": { |
| 34 | + "type": "m.self.live" |
| 35 | + } |
| 36 | + } |
| 37 | +} |
| 38 | +``` |
| 39 | + |
| 40 | +State events that are missing `state_subkey` should behave exactly as if `state_subkey` had a value of `""`. |
| 41 | + |
| 42 | +Two state events with identical `type` and `state_key` should be treated as independent if they have different values of `state_subkey`. |
| 43 | + |
| 44 | +## Potential issues |
| 45 | + |
| 46 | +This change involves modifying the way the keys in a room's state map are constructed, so may be complex to implement. |
| 47 | + |
| 48 | +This will require a new room version. |
| 49 | + |
| 50 | +## Alternatives |
| 51 | + |
| 52 | +We could add a suffix to the `event_type`, as originally proposed in [MSC3489](https://github.com/matrix-org/matrix-spec-proposals/pull/3489). This can make life difficult for clients who expect a fixed type, and it makes it hard to control power levels for event types. |
| 53 | + |
| 54 | +We could stuff the mxid and subtype into the `state_key` field as proposed in [MSC3757](https://github.com/matrix-org/matrix-spec-proposals/pull/3757). This would involve changing the access control logic for state events, and objections were raised about the need to parse the state key's contents. |
| 55 | + |
| 56 | +We could allow additional events that set up access control on a state event. |
| 57 | + |
| 58 | +We could add a flag on the contents of the event (as originally proposed in [MSC3757](https://github.com/matrix-org/matrix-spec-proposals/pull/3757)), called e.g. `m.peer_unwritable: true` to say other users were prohibited from overwriting the event. However, this is impractical because there isn't a good value for the state_key, which needs to be unique and not subject to races from other malicious users. |
| 59 | + |
| 60 | +## Security considerations |
| 61 | + |
| 62 | +The rules on who can modify a state event are unchanged by this proposal, which should simplify security concerns relative to the alternatives. |
| 63 | + |
| 64 | +Server implementors will need to ensure that the state_subkey has no effect on the access control of state events. |
| 65 | + |
| 66 | +This will require a new room version, meaning it will not affect old events. |
| 67 | + |
| 68 | +## Unstable prefix |
| 69 | + |
| 70 | + * `state_subkey` should be referred to as `org.matrix.mscxxxx.state_subkey` until this MSC lands. |
| 71 | + |
| 72 | +## Dependencies |
| 73 | + |
| 74 | +None |
0 commit comments