# Copyright 2016 OpenMarket Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
swagger: '2.0'
info:
  title: "Matrix Client-Server Registration API"
  version: "1.0.0"
host: localhost:8008
schemes:
  - https
  - http
basePath: /_matrix/client/%CLIENT_MAJOR_VERSION%
consumes:
  - application/json
produces:
  - application/json
paths:
  "/register":
    post:
      summary: Register for an account on this homeserver.
      description: |-
        This API endpoint uses the `User-Interactive Authentication API`_, except in
        the cases where a guest account is being registered.

        Register for an account on this homeserver.

        There are two kinds of user account:

        - `user` accounts. These accounts may use the full API described in this specification.

        - `guest` accounts. These accounts may have limited permissions and may not be supported by all servers.

        If registration is successful, this endpoint will issue an access token
        the client can use to authorize itself in subsequent requests.

        If the client does not supply a ``device_id``, the server must
        auto-generate one.

        The server SHOULD register an account with a User ID based on the
        ``username`` provided, if any. Note that the grammar of Matrix User ID
        localparts is restricted, so the server MUST either map the provided
        ``username`` onto a ``user_id`` in a logical manner, or reject
        ``username``\s which do not comply to the grammar, with
        ``M_INVALID_USERNAME``.

        Matrix clients MUST NOT assume that localpart of the registered
        ``user_id`` matches the provided ``username``.

        The returned access token must be associated with the ``device_id``
        supplied by the client or generated by the server. The server may
        invalidate any access token previously associated with that device. See
        `Relationship between access tokens and devices`_.

        When registering a guest account, all parameters in the request body
        with the exception of ``initial_device_display_name`` MUST BE ignored
        by the server. The server MUST pick a ``device_id`` for the account
        regardless of input.

        Any user ID returned by this API must conform to the grammar given in the
        `Matrix specification <../appendices.html#user-identifiers>`_.
      operationId: register
      parameters:
        - in: query
          name: kind
          type: string
          # swagger-UI overrides the default with the example, so better make the
          # example the default.
          x-example: user
          required: false
          default: user
          enum:
            - guest
            - user
          description: The kind of account to register. Defaults to ``user``.
        - in: body
          name: body
          schema:
            type: object
            properties:
              auth:
                description: |-
                  Additional authentication information for the
                  user-interactive authentication API. Note that this
                  information is *not* used to define how the registered user
                  should be authenticated, but is instead used to
                  authenticate the ``register`` call itself.
                "$ref": "definitions/auth_data.yaml"
              username:
                type: string
                description: |-
                  The basis for the localpart of the desired Matrix ID. If omitted,
                  the homeserver MUST generate a Matrix ID local part.
                example: cheeky_monkey
              password:
                type: string
                description: The desired password for the account.
                example: ilovebananas
              device_id:
                type: string
                description: |-
                  ID of the client device. If this does not correspond to a
                  known client device, a new device will be created. The server
                  will auto-generate a device_id if this is not specified.
                example: GHTYAJCE
              initial_device_display_name:
                type: string
                description: |-
                  A display name to assign to the newly-created device. Ignored
                  if ``device_id`` corresponds to a known device.
                example: Jungle Phone
              inhibit_login:
                type: boolean
                description: |-
                  If true, an ``access_token`` and ``device_id`` should not be
                  returned from this call, therefore preventing an automatic
                  login. Defaults to false.
                example: false
      responses:
        200:
          description: The account has been registered.
          examples:
            application/json: {
                "user_id": "@cheeky_monkey:matrix.org",
                "access_token": "abc123",
                "device_id": "GHTYAJCE"
              }
          schema:
            type: object
            properties:
              user_id:
                type: string
                description: |-
                  The fully-qualified Matrix user ID (MXID) that has been registered.

                  Any user ID returned by this API must conform to the grammar given in the
                  `Matrix specification <../appendices.html#user-identifiers>`_.
              access_token:
                type: string
                description: |-
                  An access token for the account.
                  This access token can then be used to authorize other requests.
                  Required if the ``inhibit_login`` option is false.
              home_server:
                type: string
                description: |-
                  The server_name of the homeserver on which the account has
                  been registered.

                  **Deprecated**. Clients should extract the server_name from
                  ``user_id`` (by splitting at the first colon) if they require
                  it. Note also that ``homeserver`` is not spelt this way.
              device_id:
                type: string
                description: |-
                  ID of the registered device. Will be the same as the
                  corresponding parameter in the request, if one was specified.
                  Required if the ``inhibit_login`` option is false.
            required: ['user_id']
        400:
          description: |-
            Part of the request was invalid. This may include one of the following error codes:

            * ``M_USER_IN_USE`` : The desired user ID is already taken.
            * ``M_INVALID_USERNAME`` : The desired user ID is not a valid user name.
            * ``M_EXCLUSIVE`` : The desired user ID is in the exclusive namespace
              claimed by an application service.

            These errors may be returned at any stage of the registration process,
            including after authentication if the requested user ID was registered
            whilst the client was performing authentication.

            Homeservers MUST perform the relevant checks and return these codes before
            performing User-Interactive Authentication, although they may also return
            them after authentication is completed if, for example, the requested user ID
            was registered whilst the client was performing authentication.
          examples:
            application/json: {
                  "errcode": "M_USER_IN_USE",
                  "error": "Desired user ID is already taken."
              }
          schema:
            "$ref": "definitions/errors/error.yaml"
        401:
          description: |-
            The homeserver requires additional authentication information.
          schema:
            "$ref": "definitions/auth_response.yaml"
        403:
          description: |-
            The homeserver does not permit registering the account. This response
            can be used to identify that a particular ``kind`` of account is not
            allowed, or that registration is generally not supported by the homeserver.
          examples:
            application/json: {
                "errcode": "M_FORBIDDEN",
                "error": "Registration is disabled"
            }
          schema:
            "$ref": "definitions/errors/error.yaml"
        429:
          description: This request was rate-limited.
          schema:
            "$ref": "definitions/errors/rate_limited.yaml"
      tags:
        - User data
  "/register/email/requestToken":
    post:
      summary: Begins the validation process for an email to be used during registration.
      description: |-
        The homeserver must check that the given email address is **not**
        already associated with an account on this homeserver. The homeserver
        has the choice of validating the email address itself, or proxying the
        request to the ``/validate/email/requestToken`` Identity Service API. The
        request should be proxied to the domain that is sent by the client in
        the ``id_server``. It is imperative that the homeserver keep a list of
        trusted Identity Servers and only proxies to those it trusts.
      operationId: requestTokenToRegisterEmail
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "./definitions/request_email_validation.yaml"
      responses:
        200:
          description: |-
            An email has been sent to the specified address. Note that this
            may be an email containing the validation token or it may be
            informing the user of an error.
          schema:
            $ref: "definitions/request_token_response.yaml"
        403:
          description: The homeserver does not permit the address to be bound.
          schema:
            $ref: "definitions/errors/error.yaml"
          examples:
            application/json: {
              "errcode": "M_THREEPID_DENIED",
              "error": "Third party identifier is not allowed"
            }
        400:
          description: |-
            Part of the request was invalid. This may include one of the following error codes:

            * ``M_THREEPID_IN_USE`` : The email address is already registered to an account on this server.
              However, if the homeserver has the ability to send email, it is recommended that the server
              instead send an email to the user with instructions on how to reset their password.
              This prevents malicious parties from being able to determine if a given email address
              has an account on the homeserver in question.
            * ``M_SERVER_NOT_TRUSTED`` : The ``id_server`` parameter refers to an identity server
              that is not trusted by this homeserver.
          examples:
            application/json: {
              "errcode": "M_THREEPID_IN_USE",
              "error": "The specified address is already in use"
            }
          schema:
            "$ref": "definitions/errors/error.yaml"
  "/register/msisdn/requestToken":
    post:
      summary: Requests a validation token be sent to the given phone number for the purpose of registering an account
      description: |-
        The homeserver must check that the given phone number is **not**
        already associated with an account on this homeserver. The homeserver
        has the choice of validating the phone number itself, or proxying the
        request to the ``/validate/msisdn/requestToken`` Identity Service API. The
        request should be proxied to the domain that is sent by the client in
        the ``id_server``. It is imperative that the homeserver keep a list of
        trusted Identity Servers and only proxies to those it trusts.
      operationId: requestTokenToRegisterMSISDN
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "./definitions/request_msisdn_validation.yaml"
      responses:
        200:
          description: |-
            An SMS message has been sent to the specified phone number. Note
            that this may be an SMS message containing the validation token or
            it may be informing the user of an error.
          schema:
            $ref: "definitions/request_token_response.yaml"
        403:
          description: The homeserver does not permit the address to be bound.
          schema:
            $ref: "definitions/errors/error.yaml"
          examples:
            application/json: {
              "errcode": "M_THREEPID_DENIED",
              "error": "Third party identifier is not allowed"
            }
        400:
          description: |-
            Part of the request was invalid. This may include one of the following error codes:

            * ``M_THREEPID_IN_USE`` : The phone number is already registered to an account on this server.
              However, if the homeserver has the ability to send SMS message, it is recommended that the server
              instead send an SMS message to the user with instructions on how to reset their password.
              This prevents malicious parties from being able to determine if a given phone number
              has an account on the homeserver in question.
            * ``M_SERVER_NOT_TRUSTED`` : The ``id_server`` parameter refers to an identity server
              that is not trusted by this homeserver.
          examples:
            application/json: {
              "errcode": "M_THREEPID_IN_USE",
              "error": "The specified address is already in use"
            }
          schema:
            "$ref": "definitions/errors/error.yaml"
  "/account/password":
    post:
      summary: "Changes a user's password."
      description: |-
        Changes the password for an account on this homeserver.

        This API endpoint uses the `User-Interactive Authentication API`_ to
        ensure the user changing the password is actually the owner of the
        account.

        An access token should be submitted to this endpoint if the client has
        an active session.

        The homeserver may change the flows available depending on whether a
        valid access token is provided. The homeserver SHOULD NOT revoke the
        access token provided in the request, however all other access tokens
        for the user should be revoked if the request succeeds.
      security:
        - accessToken: []
      operationId: changePassword
      parameters:
        - in: body
          name: body
          schema:
            type: object
            properties:
              new_password:
                type: string
                description: The new password for the account.
                example: "ihatebananas"
              auth:
                description: |-
                  Additional authentication information for the user-interactive authentication API.
                "$ref": "definitions/auth_data.yaml"
            required: ["new_password"]
      responses:
        200:
          description: The password has been changed.
          examples:
            application/json: {}
          schema:
            type: object
        401:
          description: |-
            The homeserver requires additional authentication information.
          schema:
            "$ref": "definitions/auth_response.yaml"
        429:
          description: This request was rate-limited.
          schema:
            "$ref": "definitions/errors/rate_limited.yaml"
      tags:
        - User data
  "/account/password/email/requestToken":
    post:
      summary: Requests a validation token be sent to the given email address for the purpose of resetting a user's password
      description: |-
        The homeserver must check that the given email address **is
        associated** with an account on this homeserver. This API should be
        used to request validation tokens when authenticating for the
        ``/account/password`` endpoint.

        This API's parameters and response are identical to that of the
        |/register/email/requestToken|_ endpoint, except that
        ``M_THREEPID_NOT_FOUND`` may be returned if no account matching the
        given email address could be found. The server may instead send an
        email to the given address prompting the user to create an account.
        ``M_THREEPID_IN_USE`` may not be returned.

        The homeserver has the choice of validating the email address itself,
        or proxying the request to the ``/validate/email/requestToken``
        Identity Service API. The request should be proxied to the domain that
        is sent by the client in the ``id_server``. It is imperative that the
        homeserver keep a list of trusted Identity Servers and only proxies to
        those that it trusts.


        .. |/register/email/requestToken| replace:: ``/register/email/requestToken``

        .. _/register/email/requestToken: #post-matrix-client-%CLIENT_MAJOR_VERSION%-register-email-requesttoken
      operationId: requestTokenToResetPasswordEmail
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "./definitions/request_email_validation.yaml"
      responses:
        200:
          description: An email was sent to the given address.
          schema:
            $ref: "definitions/request_token_response.yaml"
        403:
          description: |-
            The homeserver does not allow the third party identifier as a
            contact option.
          schema:
            $ref: "definitions/errors/error.yaml"
          examples:
            application/json: {
              "errcode": "M_THREEPID_DENIED",
              "error": "Third party identifier is not allowed"
            }
        400:
          description: |-
            The referenced third party identifier is not recognised by the
            homeserver, or the request was invalid
          schema:
            $ref: "definitions/errors/error.yaml"
          examples:
            application/json: {
              "errcode": "M_THREEPID_NOT_FOUND",
              "error": "Email not found"
            }
  "/account/password/msisdn/requestToken":
    post:
      summary: Requests a validation token be sent to the given phone number for the purpose of resetting a user's password.
      description: |-
        The homeserver must check that the given phone number **is
        associated** with an account on this homeserver. This API should be
        used to request validation tokens when authenticating for the
        ``/account/password`` endpoint.

        This API's parameters and response are identical to that of the
        |/register/msisdn/requestToken|_ endpoint, except that
        ``M_THREEPID_NOT_FOUND`` may be returned if no account matching the
        given phone number could be found. The server may instead send the SMS
        to the given phone number prompting the user to create an account.
        ``M_THREEPID_IN_USE`` may not be returned.

        The homeserver has the choice of validating the phone number itself, or
        proxying the request to the ``/validate/msisdn/requestToken`` Identity
        Service API. The request should be proxied to the domain that is sent
        by the client in the ``id_server``. It is imperative that the
        homeserver keep a list of trusted Identity Servers and only proxies to
        those that it trusts.

        .. |/register/msisdn/requestToken| replace:: ``/register/msisdn/requestToken``

        .. _/register/msisdn/requestToken: #post-matrix-client-%CLIENT_MAJOR_VERSION%-register-email-requesttoken
      operationId: requestTokenToResetPasswordMSISDN
      parameters:
        - in: body
          name: body
          required: true
          schema:
            $ref: "../identity/definitions/request_msisdn_validation.yaml"
      responses:
        200:
          description: An SMS message was sent to the given phone number.
          schema:
            $ref: "definitions/request_token_response.yaml"
        403:
          description: |-
            The homeserver does not allow the third party identifier as a
            contact option.
          schema:
            $ref: "definitions/errors/error.yaml"
          examples:
            application/json: {
              "errcode": "M_THREEPID_DENIED",
              "error": "Third party identifier is not allowed"
            }
        400:
          description: |-
            The referenced third party identifier is not recognised by the
            homeserver, or the request was invalid
          schema:
            $ref: "definitions/errors/error.yaml"
          examples:
            application/json: {
              "errcode": "M_THREEPID_NOT_FOUND",
              "error": "Phone number not found"
            }
  "/account/deactivate":
    post:
      summary: "Deactivate a user's account."
      description: |-
        Deactivate the user's account, removing all ability for the user to
        login again.

        This API endpoint uses the `User-Interactive Authentication API`_.

        An access token should be submitted to this endpoint if the client has
        an active session.

        The homeserver may change the flows available depending on whether a
        valid access token is provided.

        Unlike other endpoints, this endpoint does not take an ``id_access_token``
        parameter because the homeserver is expected to sign the request to the
        identity server instead.
      security:
        - accessToken: []
      operationId: deactivateAccount
      parameters:
        - in: body
          name: body
          schema:
            type: object
            properties:
              auth:
                description: |-
                  Additional authentication information for the user-interactive authentication API.
                "$ref": "definitions/auth_data.yaml"
              id_server:
                type: string
                description: |-
                  The identity server to unbind all of the user's 3PIDs from.
                  If not provided, the homeserver MUST use the ``id_server``
                  that was originally use to bind each identifier. If the
                  homeserver does not know which ``id_server`` that was,
                  it must return an ``id_server_unbind_result`` of
                  ``no-support``.
                example: "example.org"
      responses:
        200:
          description: The account has been deactivated.
          schema:
            type: object
            properties:
              id_server_unbind_result:
                type: string
                enum:
                  - "success"
                  - "no-support"
                description: |-
                  An indicator as to whether or not the homeserver was able to unbind
                  the user's 3PIDs from the identity server(s). ``success`` indicates
                  that all identifiers have been unbound from the identity server while
                  ``no-support`` indicates that one or more identifiers failed to unbind
                  due to the identity server refusing the request or the homeserver
                  being unable to determine an identity server to unbind from. This
                  must be ``success`` if the homeserver has no identifiers to unbind
                  for the user.
                example: "success"
            required:
              - id_server_unbind_result
        401:
          description: |-
            The homeserver requires additional authentication information.
          schema:
            "$ref": "definitions/auth_response.yaml"
        429:
          description: This request was rate-limited.
          schema:
            "$ref": "definitions/errors/rate_limited.yaml"
      tags:
        - User data
  "/register/available":
    get:
      summary: Checks to see if a username is available on the server.
      description: |-
        Checks to see if a username is available, and valid, for the server.

        The server should check to ensure that, at the time of the request, the
        username requested is available for use. This includes verifying that an
        application service has not claimed the username and that the username
        fits the server's desired requirements (for example, a server could dictate
        that it does not permit usernames with underscores).

        Matrix clients may wish to use this API prior to attempting registration,
        however the clients must also be aware that using this API does not normally
        reserve the username. This can mean that the username becomes unavailable
        between checking its availability and attempting to register it.
      operationId: checkUsernameAvailability
      parameters:
        - in: query
          name: username
          type: string
          x-example: my_cool_localpart
          required: true
          default: my_cool_localpart
          description: The username to check the availability of.
      responses:
        200:
          description: The username is available
          examples:
            application/json: {
              "available": true
            }
          schema:
            type: object
            properties:
              available:
                type: boolean
                description: |-
                  A flag to indicate that the username is available. This should always
                  be ``true`` when the server replies with 200 OK.
        400:
          description: |-
            Part of the request was invalid or the username is not available. This may
            include one of the following error codes:

            * ``M_USER_IN_USE`` : The desired username is already taken.
            * ``M_INVALID_USERNAME`` : The desired username is not a valid user name.
            * ``M_EXCLUSIVE`` : The desired username is in the exclusive namespace
              claimed by an application service.
          examples:
            application/json: {
              "errcode": "M_USER_IN_USE",
              "error": "Desired user ID is already taken."
            }
          schema:
            "$ref": "definitions/errors/error.yaml"
        429:
          description: This request was rate-limited.
          schema:
            "$ref": "definitions/errors/rate_limited.yaml"
      tags:
        - User data