pair route middlewares with rc and matrix protocol

ricardogarim · ricardogarim · commit 9500b55147b3 · 2025-10-08T18:11:09.000-03:00
diff --git a/packages/federation-sdk/src/services/event-authorization.service.ts b/packages/federation-sdk/src/services/event-authorization.service.ts
@@ -251,6 +251,23 @@ export class EventAuthorizationService {
 		return false;
 	}
 
+	async checkAclForInvite(roomId: string, senderServer: string): Promise<void> {
+		const state = await this.stateService.getLatestRoomState(roomId);
+
+		const aclEvent = state.get('m.room.server_acl:');
+		if (!aclEvent) {
+			return;
+		}
+
+		const isAllowed = await this.checkServerAcl(aclEvent, senderServer);
+		if (!isAllowed) {
+			this.logger.warn(
+				`ACL check failed: sender server ${senderServer} is denied by room ACL for room ${roomId}`,
+			);
+			throw new Error('Sender server denied by room ACL');
+		}
+	}
+
 	async serverHasAccessToResource(
 		roomId: string,
 		serverName: string,
diff --git a/packages/federation-sdk/src/services/invite.service.ts b/packages/federation-sdk/src/services/invite.service.ts
@@ -10,6 +10,7 @@ import {
 } from '@rocket.chat/federation-room';
 import { singleton } from 'tsyringe';
 import { ConfigService } from './config.service';
+import { EventAuthorizationService } from './event-authorization.service';
 import { EventService } from './event.service';
 import { FederationService } from './federation.service';
 import { StateService } from './state.service';
@@ -30,6 +31,7 @@ export class InviteService {
 		private readonly federationService: FederationService,
 		private readonly stateService: StateService,
 		private readonly configService: ConfigService,
+		private readonly eventAuthorizationService: EventAuthorizationService,
 	) {}
 
 	/**
@@ -145,6 +147,7 @@ export class InviteService {
 		roomId: RoomID,
 		eventId: EventID,
 		roomVersion: RoomVersion,
+		authenticatedServer: string,
 	) {
 		// SPEC: when a user invites another user on a different homeserver, a request to that homeserver to have the event signed and verified must be made
 
@@ -165,8 +168,12 @@ export class InviteService {
 
 		await this.stateService.signEvent(inviteEvent);
 
+		// we are the host of the server
 		if (residentServer === this.configService.serverName) {
-			// we are the host of the server
+			await this.eventAuthorizationService.checkAclForInvite(
+				roomId,
+				authenticatedServer,
+			);
 
 			// attempt to persist the invite event as we already have the state
 
@@ -184,14 +191,24 @@ export class InviteService {
 
 		// are we already in the room?
 		try {
-			await this.stateService.getRoomInformation(roomId);
+			await this.eventAuthorizationService.checkAclForInvite(
+				roomId,
+				authenticatedServer,
+			);
 
 			// if we have the state we try to persist the invite event
 			await this.stateService.handlePdu(inviteEvent);
 			if (inviteEvent.rejected) {
 				throw new Error(inviteEvent.rejectReason);
 			}
-		} catch {
+		} catch (error) {
+			// check if this is an ACL error or authorization error, rethrow if so
+			if (
+				error instanceof Error &&
+				error.message.includes('Sender server denied by room ACL')
+			) {
+				throw error;
+			}
 			// don't have state copy yet
 			// console.error(e);
 			// typical noop, we sign and return the event, nothing to do
diff --git a/packages/homeserver/src/controllers/federation/invite.controller.ts b/packages/homeserver/src/controllers/federation/invite.controller.ts
@@ -14,12 +14,17 @@ export const invitePlugin = (app: Elysia) => {
 
 	return app.use(isAuthenticatedMiddleware(eventAuthService)).put(
 		'/_matrix/federation/v2/invite/:roomId/:eventId',
-		async ({ body, params: { roomId, eventId } }) => {
+		async ({ body, params: { roomId, eventId }, authenticatedServer }) => {
+			if (!authenticatedServer) {
+				throw new Error('Missing authenticated server from request');
+			}
+
 			return inviteService.processInvite(
 				body.event,
 				roomId as RoomID,
 				eventId as EventID,
 				body.room_version,
+				authenticatedServer,
 			);
 		},
 		{
diff --git a/packages/homeserver/src/controllers/federation/transactions.controller.ts b/packages/homeserver/src/controllers/federation/transactions.controller.ts
@@ -75,7 +75,7 @@ export const transactionsPlugin = (app: Elysia) => {
 				};
 			},
 			{
-				use: isAuthenticatedMiddleware(eventAuthService),
+				use: canAccessResourceMiddleware(eventAuthService, 'event'),
 				params: GetEventParamsDto,
 				response: {
 					200: GetEventResponseDto,
@@ -124,7 +124,7 @@ export const transactionsPlugin = (app: Elysia) => {
 				}
 			},
 			{
-				use: isAuthenticatedMiddleware(eventAuthService),
+				use: canAccessResourceMiddleware(eventAuthService, 'room'),
 				params: BackfillParamsDto,
 				query: BackfillQueryDto,
 				response: {
diff --git a/packages/homeserver/src/middlewares/isAuthenticated.ts b/packages/homeserver/src/middlewares/isAuthenticated.ts
@@ -16,7 +16,7 @@ export const isAuthenticatedMiddleware = (
 			if (!authorizationHeader) {
 				set.status = 401;
 				return {
-					authenticatedServer: null,
+					authenticatedServer: undefined,
 				};
 			}
 
@@ -42,7 +42,7 @@ export const isAuthenticatedMiddleware = (
 				if (!isValid) {
 					set.status = 401;
 					return {
-						authenticatedServer: null,
+						authenticatedServer: undefined,
 					};
 				}
 
@@ -53,7 +53,7 @@ export const isAuthenticatedMiddleware = (
 				console.error('Authentication error:', error);
 				set.status = 500;
 				return {
-					authenticatedServer: null,
+					authenticatedServer: undefined,
 				};
 			}
 		})

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ export const transactionsPlugin = (app: Elysia) => {`
`75`	`75`	`};`
`76`	`76`	`},`
`77`	`77`	`{`
`78`		`- use: isAuthenticatedMiddleware(eventAuthService),`
	`78`	`+ use: canAccessResourceMiddleware(eventAuthService, 'event'),`
`79`	`79`	`params: GetEventParamsDto,`
`80`	`80`	`response: {`
`81`	`81`	`200: GetEventResponseDto,`
`@@ -124,7 +124,7 @@ export const transactionsPlugin = (app: Elysia) => {`
`124`	`124`	`}`
`125`	`125`	`},`
`126`	`126`	`{`
`127`		`- use: isAuthenticatedMiddleware(eventAuthService),`
	`127`	`+ use: canAccessResourceMiddleware(eventAuthService, 'room'),`
`128`	`128`	`params: BackfillParamsDto,`
`129`	`129`	`query: BackfillQueryDto,`
`130`	`130`	`response: {`