| RFC 9425 | JMAP Quotas | June 2023 |
| Cordier | Standards Track | [Page] |
This document specifies a data model for handling quotas on accounts with a server using the JSON Meta Application Protocol (JMAP).¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9425.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The JSON Meta Application Protocol (JMAP)[RFC8620] is ageneric protocol for synchronizing data, such as mails, calendars, or contactsbetween a client and a server. It is optimized for mobile and web environmentsand aims to provide a consistent interface to different data types.¶
This specification defines a data model for handling quotas over JMAP,allowing a user to obtain details about a certain quota.¶
This specification does not address quota administration, which should be handled by other means.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Type signatures, examples, and property descriptions in this documentfollow the conventions established inSection 1.1 of [RFC8620]. Data types defined in the corespecification are also used in this document.¶
This document reuses the terminology from the core JMAP specification established inSection 1.6 of [RFC8620].¶
The term "Quota" (when capitalized) is used to refer to the data typedefined inSection 4 and instance of thatdata type.¶
The capabilities object is returned as part of the JMAP Session object; see[RFC8620],Section 2.¶
This document defines one additional capability URI.¶
This represents support for the Quota data type and associated API methods. Servers supporting this specificationMUST add a property called "urn:ietf:params:jmap:quota" to the capabilities object.¶
The value of this property is an empty object in both the JMAP Session capabilities property and an account's accountCapabilities property.¶
There are two fields within the Quota data type, which have an enumerated set of possible values. These are:¶
The Scope data type is used to represent the entities the quota applies to. It is defined as a "String" with values from the following set:¶
The ResourceType data type is used to act as a unit of measure for the quota usage. It is defined as a "String" with values from the following set:¶
The Quota is an object that displays the limit set to an account usage. It then shows as well the current usage in regard to that limit.¶
The Quota objectMUST contain the following fields:¶
id:Id¶
The unique identifier for this object.¶
resourceType:String¶
The resource type of the quota as defined inSection 3.2.¶
used:UnsignedInt¶
The current usage of the defined quota, using the "resourceType" defined as unit of measure. Computation of this value is handled by the server.¶
hardLimit:UnsignedInt¶
The hard limit set by this quota, using the "resourceType" defined as unit of measure. Objects in scope may not be created or updated if this limit is reached.¶
scope:String¶
The "Scope" of this quota as defined inSection 3.1.¶
name:String¶
The name of the quota. Useful for managing quotas and using queries for searching.¶
types:String[]¶
A list of all the type names as defined in the "JMAP Types Names" registry (e.g., Email, Calendar, etc.) to which this quota applies. This allows the quotas to be assigned to distinct or shared data types.¶
The serverMUST filter out any types for which the client did not request the associated capability in the "using" section of the request. Further, the serverMUST NOT return Quota objects for which there are no types recognized by the client.¶
The Quota objectMAY contain the following fields:¶
warnLimit:UnsignedInt|null¶
The warn limit set by this quota, using the "resourceType" defined as unit of measure. It can be used to send a warning to an entity about to reach the hard limit soon, but with no action taken yet. If set, itSHOULD be lower than the "softLimit" (if present and different from null) and the "hardLimit".¶
softLimit:UnsignedInt|null¶
The soft limit set by this quota, using the "resourceType" defined as unit of measure. It can be used to still allow some operations but refuse some others. What is allowed or not is up to the server. For example, it could be used for blocking outgoing events of an entity (sending emails, creating calendar events, etc.) while still receiving incoming events (receiving emails, receiving calendars events, etc.). If set, itSHOULD be higher than the "warnLimit" (if present and different from null) but lower than the "hardLimit".¶
description:String|null¶
Arbitrary, free, human-readable description of this quota. It might be used to explain where the different limits come from and explain the entities and data types this quota applies to. The descriptionMUST be encoded in UTF-8[RFC3629] as described in[RFC8620],Section 1.5, and selected based on an Accept-Language header in the request (as defined in[RFC9110],Section 12.5.4) or out-of-band information about the user's language or locale.¶
The following JMAP methods are supported.¶
Standard "/get" method as described in[RFC8620],Section 5.1. Theid's argument may be "null"to fetch all quotas of the account at once, as demonstrated inSection 5.1.¶
Standard "/changes" method as described in[RFC8620],Section 5.2, but with one extra argument in the response:¶
updatedProperties:String[]|null¶
If only the "used" Quota property has changed since the old state, this will be a list containing only that property. If the server is unable to tell if only "used" has changed, itMUST be null.¶
Since "used" frequently changes, but other properties are generally onlychanged rarely, the server can help the client optimize data transfer bykeeping track of changes to quota usage separate from other state changes. TheupdatedProperties array may be used directly via a back-reference in asubsequent Quota/get call in the same request, so only these properties arereturned if nothing else has changed.¶
ServersMAY decide to add other properties to the list thatthey judge to be changing frequently.¶
This method's usage is demonstrated inSection 5.2.¶
This is a standard "/query" method as described in[RFC8620],Section 5.5.¶
A FilterCondition object has the following properties, any of which may be included or omitted:¶
name:String¶
The Quotaname property contains the given string.¶
scope:String¶
The Quotascope property must match the given value exactly.¶
resourceType:String¶
The QuotaresourceType property must match the given value exactly.¶
type:String¶
The Quotatypes property contains the given value.¶
A Quota object matches the FilterCondition if, and only if, all the given conditionsmatch. If zero properties are specified, it is automatically true for all objects.¶
The following Quota propertiesMUST be supported for sorting:¶
This is a standard "/queryChanges" method as described in[RFC8620],Section 5.6.¶
Request fetching all quotas related to an account:¶
[[ "Quota/get", { "accountId": "u33084183", "ids": null}, "0" ]]¶With response:¶
[[ "Quota/get", { "accountId": "u33084183", "state": "78540", "list": [{ "id": "2a06df0d-9865-4e74-a92f-74dcc814270e", "resourceType": "count", "used": 1056, "warnLimit": 1600, "softLimit": 1800, "hardLimit": 2000, "scope": "account", "name": "bob@example.com", "description": "Personal account usage. When the soft limit is reached, the user is not allowed to send mails or create contacts and calendar events anymore.", "types" : [ "Mail", "Calendar", "Contact" ] }, { "id": "3b06df0e-3761-4s74-a92f-74dcc963501x", "resourceType": "octets", ... }, ...], "notFound": []}, "0" ]]¶Request fetching the changes for a specific quota:¶
[[ "Quota/changes", { "accountId": "u33084183", "sinceState": "78540", "maxChanges": 20}, "0" ],[ "Quota/get", { "accountId": "u33084183", "#ids": { "resultOf": "0", "name": "Quota/changes", "path": "/updated" }, "#properties": { "resultOf": "0", "name": "Quota/changes", "path": "/updatedProperties" }}, "1" ]]¶With response:¶
[[ "Quota/changes", { "accountId": "u33084183", "oldState": "78540", "newState": "78542", "hasMoreChanges": false, "updatedProperties": ["used"], "created": [], "updated": ["2a06df0d-9865-4e74-a92f-74dcc814270e"], "destroyed": []}, "0" ],[ "Quota/get", { "accountId": "u33084183", "state": "10826", "list": [{ "id": "2a06df0d-9865-4e74-a92f-74dcc814270e", "used": 1246 }], "notFound": []}, "1" ]]¶ServersMUST support the JMAP push mechanisms, as specifiedin[RFC8620],Section 7, to allowclients to receive notifications when the state changes for the Quota typedefined in this specification.¶
IANA has registered the "quota" JMAP Capability as follows:¶
All security considerations of JMAP[RFC8620] apply to thisspecification.¶
Implementors should be careful to make sure the implementation of theextension specified in this document does not violate the site's securitypolicy. The resource usage of other users is likely to be consideredconfidential information and should not be divulged to unauthorizedpersons.¶
As for any resource shared across users (for example, a quota with the"domain" or "global" scope), a user that can consume the resource can affectthe resources available to the other users. For example, a user could spamthemselves with events and make the shared resource hit the limit and unusablefor others (implementors could mitigate that with some rate-limitingimplementation on the server).¶
Also, revealing domain and global quota counts to all users may causeprivacy leakage of other sensitive data, or at least the existence of othersensitive data. For example, some users are part of a private list belongingto the server, so they shouldn't know how many users are in there. However, bycomparing the quota count before and after sending a message to the list, itcould reveal the number of people of the list, as the domain or global quotacount would go up by the number of people subscribed. In order to limit thoseattacks, quotas with "domain" or "global" scopeSHOULD only bevisible to server administrators and not to general users.¶
Thank you toMichael Bailly, who co-wrote the firstdraft version of this document, before deciding to turn to other matters.¶
Thank you toBenoit Tellier for his constant help andsupport on writing this document.¶
Thank you toRaphael Ouazana for sharing his ownexperience on how to write an RFC after finalizing his own document:[RFC9007].¶
Thank you toBron Gondwana,Neil Jenkins,Alexey Melnikov,Joris Baum, and the people from the IETF JMAP working group in general, whohelped with extensive discussions, reviews, and feedback.¶
Thank you to the people in the IETF organization, who took the time toread, understand, comment, and give great feedback in the last rounds.¶