MSC4140: Cancellable delayed events #4140
Open
+831
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Timo K <toger5@hotmail.de>
Signed-off-by: Timo K <toger5@hotmail.de>
toger5
force-pushed
the
toger5/expiring-events-keep-alive
branch
from
2bc07c4
to
0eb1abc
Compare
Signed-off-by: Timo K <toger5@hotmail.de>
toger5
force-pushed
the
toger5/expiring-events-keep-alive
branch
from
0eb1abc
to
8bf6db7
Compare
Signed-off-by: Timo K <toger5@hotmail.de>
AndrewFerr
reviewed
May 8, 2024
Signed-off-by: Timo K <toger5@hotmail.de>
turt2live
changed the title
turt2live
added
proposal
toger5
force-pushed
the
toger5/expiring-events-keep-alive
branch
from
3e54c2a
to
c82adf7
Compare
Signed-off-by: Timo K <toger5@hotmail.de>
toger5
force-pushed
the
toger5/expiring-events-keep-alive
branch
from
c82adf7
to
54fff99
Compare
…is used to trigger on of the actions Signed-off-by: Timo K <toger5@hotmail.de>
Signed-off-by: Timo K <toger5@hotmail.de>
Add event type to the body Add event id template variable
MatMaul
reviewed
May 20, 2024
toger5
commented
May 20, 2024
AndrewFerr
reviewed
May 22, 2024
AndrewFerr
reviewed
May 23, 2024
AndrewFerr
reviewed
May 30, 2024
Co-authored-by: Andrew Ferrazzutti <af_0_af@hotmail.com>
toger5
commented
Jul 25, 2024
zecakeh
reviewed
Jul 25, 2024
ara4n
reviewed
Aug 5, 2024
| of this proposal. | ||
|
|
||
| The proposal here allows a Matrix client to schedule a "hangup" state event to be sent after a specified time period. | ||
| The client can then periodically restarts the timer whilst it is running. If the client is no longer running or able |
There was a problem hiding this comment.
Suggested change
| The client can then periodically restarts the timer whilst it is running. If the client is no longer running or able | |
| The client can then periodically restart the timer whilst it is running. If the client is no longer running or able |
ara4n
reviewed
Aug 5, 2024
|
|
||
| - Update the room state every x seconds. | ||
| This allows clients to check how long an event has not been updated and ignore it if it's expired. | ||
| - Use Future events with a 10s timeout to send the disconnected from call |
There was a problem hiding this comment.
references to futures & /update_future are presumably stale now?
| A limit on the maximum number of delayed events that can be outstanding at one time could also provide some mitigation against | ||
| this attack. | ||
|
|
||
| ## Use case specific considerations |
There was a problem hiding this comment.
This feature could also be useful for temporary mutes/bans/kicks, temporary invites, etc.
AndrewFerr
reviewed
Sep 6, 2024
This reverts commit 772590f. Clients should keep track of transaction IDs themselves.
toger5
commented
Sep 11, 2024
toger5
commented
Sep 11, 2024
Comment on lines
+262
to
+275
| #### Delayed state events are cancelled by a more recent state event | ||
|
|
||
| If a new state event is sent to the same room with the same (event type, state key) pair as a delayed event, the delayed | ||
| event is cancelled. | ||
|
|
||
| There is no race condition here since a possible race between timeout and the _new state event_ will always converge to | ||
| the _new state event_: | ||
|
|
||
| - timeout for _delayed event_ followed by _new state event_: the room state will be updated twice: once by the content of | ||
| the delayed event but later with the content of _new state event_. | ||
| - _new state event_ followed by timeout for _delayed event_: the _new state event_ will cancel the outstanding _delayed event_. | ||
|
|
||
| Note that this behaviour does not apply to regular (non-state) events as there is no concept of a `(type, state_key)` | ||
| pair that could be overwritten. |
There was a problem hiding this comment.
This might not be the best way to treat this. Here are my reasons why:
- It is very easy to emulate this behavior by just cancelling the delayed event before sending a new state event.
- In the matrixRTC spec I would like to argue that the order should be: send the delayed leave event FIRST and afterwards the active membership event. This guarantees that only expiring call memberships will be sent.
- I would like to replace this section with:
Suggested change
| #### Delayed state events are cancelled by a more recent state event | |
| If a new state event is sent to the same room with the same (event type, state key) pair as a delayed event, the delayed | |
| event is cancelled. | |
| There is no race condition here since a possible race between timeout and the _new state event_ will always converge to | |
| the _new state event_: | |
| - timeout for _delayed event_ followed by _new state event_: the room state will be updated twice: once by the content of | |
| the delayed event but later with the content of _new state event_. | |
| - _new state event_ followed by timeout for _delayed event_: the _new state event_ will cancel the outstanding _delayed event_. | |
| Note that this behaviour does not apply to regular (non-state) events as there is no concept of a `(type, state_key)` | |
| pair that could be overwritten. | |
| #### State which is effected by delayed events will be marked in the unsigned field | |
| If a state event is sent for a state key where there is already a delayed event scheduled the homeserver will add a: | |
| `has_delayed_overwrite: true` property to the unsigned section of the state event. | |
| This is not required if the delayed event is received after a normal state event. | |
| This allows client to check if a state event is temporal: `has_delayed_overwrite: true`. | |
| `m.call.member` events for instance will only be valid if they are temporal (It allows the receiving clients to evaluate if the sending client did not forget to schedule the delayed leave event.) | |
| The `has_delayed_overwrite: true` unsigned property is also added to delayed state events that timeout or are send into the DAG while there is another delayed event scheduled for the same state key. |
There was a problem hiding this comment.
- It is very easy to emulate this behavior by just cancelling the delayed event before sending a new state event.
This isn't true for state that can be set by other users, who don't have the option to cancel (or even know about) delayed state from someone else.
- In the matrixRTC spec I would like to argue that the order should be: send the delayed leave event FIRST and afterwards the active membership event. This guarantees that only expiring call memberships will be sent.
This is a good idea, but I believe it will work regardless of what the behaviour is for overwritten delayed state.
AndrewFerr
reviewed
Sep 18, 2024
Comment on lines
+190
to
+192
| The endpoint accepts a query parameter `from` which is a token that can be used to paginate the list of delayed events as | ||
| per the [pagination convention](https://spec.matrix.org/v1.11/appendices/#pagination). The homeserver can choose a suitable | ||
| page size. |
There was a problem hiding this comment.
This should also define how the response should order the returned delayed events, lest the paginated results are jumbled & difficult to navigate through.
I propose sorting in order of increasing send time, i.e. running_since + delay.
|
As suggested during a review of Complement tests, this MSC should specify what happens when a user leaves a room they have pending delayed messages for. The most "unexpected" thing to do is to cancel all delayed events for a room when leaving it. On the other hand, not cancelling them is an option as well:
The latter is in the same vein as evaluating power levels at the point of sending. Note that the Synapse implementation does not cancel delayed events for left rooms. |
AndrewFerr
reviewed
Sep 19, 2024
Comment on lines
+255
to
+256
| Power levels are evaluated for each event only once the delay has occurred and it will be distributed/inserted into the | ||
| DAG. This implies a delayed event can fail if it violates power levels at the time the delay passes. |
There was a problem hiding this comment.
Should users be notified of delayed events that hit power level failures (or any 400-class error) upon being sent?
If so, perhaps delayed event send failures can be included in /sync responses, for clients to handle however they like.
If not, then this spec should make it explicit that delayed event send failures are effectively unhandled.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Rendered
This could also supersede MSC2228 (by making it possible to send a redaction with the
/sendendpoint. This is the case as mentioned here)Implementations: