refactor canAccessResource middleware

Author: ricardogarim

ee/packages/federation-matrix/src/api/_matrix/invite.ts

@@ -14,7 +14,7 @@ import { Rooms, Users } from '@rocket.chat/models';
 import { ajv } from '@rocket.chat/rest-typings/dist/v1/Ajv';
 
 import { createOrUpdateFederatedUser, getUsernameServername } from '../../FederationMatrix';
-import { isAuthenticatedMiddleware, canAccessResourceMiddleware } from '../middlewares';
+import { canAccessResourceMiddleware } from '../middlewares/canAccessResource';
 
 const EventBaseSchema = {
 	type: 'object',
@@ -319,60 +319,57 @@ export const acceptInvite = async (
 export const getMatrixInviteRoutes = (services: HomeserverServices) => {
 	const { invite, state, room, federationAuth } = services;
 
-	return new Router('/federation')
-		.use(isAuthenticatedMiddleware(federationAuth))
-		.use(canAccessResourceMiddleware(federationAuth))
-		.put(
-			'/v2/invite/:roomId/:eventId',
-			{
-				body: ajv.compile({ type: 'object' }), // TODO: add schema from room package.
-				params: isProcessInviteParamsProps,
-				response: {
-					200: isProcessInviteResponseProps,
-				},
-				tags: ['Federation'],
-				license: ['federation'],
+	return new Router('/federation').use(canAccessResourceMiddleware(federationAuth, 'room')).put(
+		'/v2/invite/:roomId/:eventId',
+		{
+			body: ajv.compile({ type: 'object' }), // TODO: add schema from room package.
+			params: isProcessInviteParamsProps,
+			response: {
+				200: isProcessInviteResponseProps,
 			},
-			async (c) => {
-				const { roomId, eventId } = c.req.param();
-				const { event, room_version: roomVersion } = await c.req.json();
+			tags: ['Federation'],
+			license: ['federation'],
+		},
+		async (c) => {
+			const { roomId, eventId } = c.req.param();
+			const { event, room_version: roomVersion } = await c.req.json();
 
-				const userToCheck = event.state_key as string;
+			const userToCheck = event.state_key as string;
 
-				if (!userToCheck) {
-					throw new Error('join event has missing state key, unable to determine user to join');
-				}
+			if (!userToCheck) {
+				throw new Error('join event has missing state key, unable to determine user to join');
+			}
 
-				const [username /* domain */] = userToCheck.split(':');
+			const [username /* domain */] = userToCheck.split(':');
 
-				// TODO: check domain
+			// TODO: check domain
 
-				const ourUser = await Users.findOneByUsername(username.slice(1));
+			const ourUser = await Users.findOneByUsername(username.slice(1));
 
-				if (!ourUser) {
-					throw new Error('user not found not processing invite');
-				}
+			if (!ourUser) {
+				throw new Error('user not found not processing invite');
+			}
 
 			const inviteEvent = await invite.processInvite(event, roomIdSchema.parse(roomId), eventIdSchema.parse(eventId), roomVersion);
 
-				setTimeout(
-					() => {
-						void startJoiningRoom({
-							inviteEvent,
-							user: ourUser,
-							room,
-							state,
-						});
-					},
-					inviteEvent.event.content.is_direct ? 2000 : 0,
-				);
-
-				return {
-					body: {
-						event: inviteEvent.event,
-					},
-					statusCode: 200,
-				};
-			},
-		);
+			setTimeout(
+				() => {
+					void startJoiningRoom({
+						inviteEvent,
+						user: ourUser,
+						room,
+						state,
+					});
+				},
+				inviteEvent.event.content.is_direct ? 2000 : 0,
+			);
+
+			return {
+				body: {
+					event: inviteEvent.event,
+				},
+				statusCode: 200,
+			};
+		},
+	);
 };

ee/packages/federation-matrix/src/api/_matrix/media.ts

@@ -6,7 +6,7 @@ import { Router } from '@rocket.chat/http-router';
 import { ajv } from '@rocket.chat/rest-typings/dist/v1/Ajv';
 
 import { MatrixMediaService } from '../../services/MatrixMediaService';
-import { isAuthenticatedMiddleware, canAccessResourceMiddleware } from '../middlewares';
+import { canAccessResourceMiddleware } from '../middlewares/canAccessResource';
 
 const MediaDownloadParamsSchema = {
 	type: 'object',
@@ -76,8 +76,7 @@ async function getMediaFile(mediaId: string, serverName: string): Promise<{ file
 export const getMatrixMediaRoutes = (homeserverServices: HomeserverServices) => {
 	const { config, federationAuth } = homeserverServices;
 	return new Router('/federation')
-		.use(isAuthenticatedMiddleware(federationAuth))
-		.use(canAccessResourceMiddleware(federationAuth))
+		.use(canAccessResourceMiddleware(federationAuth, 'media'))
 		.get(
 			'/v1/media/download/:mediaId',
 			{

ee/packages/federation-matrix/src/api/_matrix/profiles.ts

@@ -2,7 +2,8 @@ import { eventIdSchema, roomIdSchema, userIdSchema, type HomeserverServices, typ
 import { Router } from '@rocket.chat/http-router';
 import { ajv } from '@rocket.chat/rest-typings/dist/v1/Ajv';
 
-import { canAccessResourceMiddleware, isAuthenticatedMiddleware } from '../middlewares';
+import { canAccessResourceMiddleware } from '../middlewares/canAccessResource';
+import { isAuthenticatedMiddleware } from '../middlewares/isAuthenticated';
 
 const UsernameSchema = {
 	type: 'string',
@@ -356,7 +357,6 @@ export const getMatrixProfilesRoutes = (services: HomeserverServices) => {
 
 	return new Router('/federation')
 		.use(isAuthenticatedMiddleware(federationAuth))
-		.use(canAccessResourceMiddleware(federationAuth))
 		.get(
 			'/v1/query/profile',
 			{
@@ -418,17 +418,17 @@ export const getMatrixProfilesRoutes = (services: HomeserverServices) => {
 				tags: ['Federation'],
 				license: ['federation'],
 			},
-			async (c) => {
-				const { userId } = c.req.param();
-
-				const response = await profile.getDevices(userId);
-
+			async (_c) => {
 				return {
-					body: response,
-					statusCode: 200,
+					body: {
+						errcode: 'M_UNRECOGNIZED',
+						error: 'This endpoint is not implemented on the homeserver side',
+					},
+					statusCode: 501,
 				};
 			},
 		)
+		.use(canAccessResourceMiddleware(federationAuth, 'room'))
 		.get(
 			'/v1/make_join/:roomId/:userId',
 			{

ee/packages/federation-matrix/src/api/_matrix/send-join.ts

@@ -2,7 +2,7 @@ import type { HomeserverServices, EventID } from '@rocket.chat/federation-sdk';
 import { Router } from '@rocket.chat/http-router';
 import { ajv } from '@rocket.chat/rest-typings/dist/v1/Ajv';
 
-import { isAuthenticatedMiddleware, canAccessResourceMiddleware } from '../middlewares';
+import { canAccessResourceMiddleware } from '../middlewares/canAccessResource';
 
 const UsernameSchema = {
 	type: 'string',
@@ -226,30 +226,27 @@ const isSendJoinResponseProps = ajv.compile(SendJoinResponseSchema);
 export const getMatrixSendJoinRoutes = (services: HomeserverServices) => {
 	const { sendJoin, federationAuth } = services;
 
-	return new Router('/federation')
-		.use(isAuthenticatedMiddleware(federationAuth))
-		.use(canAccessResourceMiddleware(federationAuth))
-		.put(
-			'/v2/send_join/:roomId/:stateKey',
-			{
-				params: isSendJoinParamsProps,
-				body: isSendJoinEventProps,
-				response: {
-					200: isSendJoinResponseProps,
-				},
-				tags: ['Federation'],
-				license: ['federation'],
+	return new Router('/federation').use(canAccessResourceMiddleware(federationAuth, 'room')).put(
+		'/v2/send_join/:roomId/:stateKey',
+		{
+			params: isSendJoinParamsProps,
+			body: isSendJoinEventProps,
+			response: {
+				200: isSendJoinResponseProps,
 			},
-			async (c) => {
-				const { roomId, stateKey } = c.req.param();
-				const body = await c.req.json();
+			tags: ['Federation'],
+			license: ['federation'],
+		},
+		async (c) => {
+			const { roomId, stateKey } = c.req.param();
+			const body = await c.req.json();
 
-				const response = await sendJoin.sendJoin(roomId, stateKey as EventID, body);
+			const response = await sendJoin.sendJoin(roomId, stateKey as EventID, body);
 
-				return {
-					body: response,
-					statusCode: 200,
-				};
-			},
-		);
+			return {
+				body: response,
+				statusCode: 200,
+			};
+		},
+	);
 };

ee/packages/federation-matrix/src/api/_matrix/transactions.ts

@@ -2,7 +2,8 @@ import type { HomeserverServices, EventID } from '@rocket.chat/federation-sdk';
 import { Router } from '@rocket.chat/http-router';
 import { ajv } from '@rocket.chat/rest-typings/dist/v1/Ajv';
 
-import { isAuthenticatedMiddleware, canAccessResourceMiddleware } from '../middlewares';
+import { canAccessResourceMiddleware } from '../middlewares/canAccessResource';
+import { isAuthenticatedMiddleware } from '../middlewares/isAuthenticated';
 
 const SendTransactionParamsSchema = {
 	type: 'object',
@@ -320,7 +321,6 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 	return (
 		new Router('/federation')
 			.use(isAuthenticatedMiddleware(federationAuth))
-			.use(canAccessResourceMiddleware(federationAuth))
 			.put(
 				'/v1/send/:txnId',
 				{
@@ -367,7 +367,7 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 			)
 
 			// GET /_matrix/federation/v1/state_ids/{roomId}
-
+			.use(canAccessResourceMiddleware(federationAuth, 'room'))
 			.get(
 				'/v1/state_ids/:roomId',
 				{
@@ -427,6 +427,7 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 				},
 			)
 			// GET /_matrix/federation/v1/event/{eventId}
+			.use(canAccessResourceMiddleware(federationAuth, 'event'))
 			.get(
 				'/v1/event/:eventId',
 				{

ee/packages/federation-matrix/src/api/middlewares/canAccessResource.ts

@@ -1,42 +1,55 @@
 import { errCodes } from '@rocket.chat/federation-sdk';
 import type { EventAuthorizationService } from '@rocket.chat/federation-sdk';
+import { every } from 'hono/combine';
 import { createMiddleware } from 'hono/factory';
 
-function extractEntityId(params: {
-	eventId?: string;
-	mediaId?: string;
-	roomId?: string;
-}): { type: 'event' | 'media' | 'room'; id: string } | undefined {
-	if (params.eventId) {
-		return { type: 'event', id: params.eventId };
+import { isAuthenticatedMiddleware } from './isAuthenticated';
+
+function extractEntityId(params: { eventId?: string; mediaId?: string; roomId?: string }, entityType: 'event' | 'media' | 'room'): string {
+	if (entityType === 'room') {
+		const { roomId } = params;
+		if (!roomId) {
+			throw new Error('Room ID is required');
+		}
+
+		return roomId;
 	}
 
-	if (params.mediaId) {
-		return { type: 'media', id: params.mediaId };
+	if (entityType === 'media') {
+		const { mediaId } = params;
+		if (!mediaId) {
+			throw new Error('Media ID is required');
+		}
+
+		return mediaId;
 	}
 
-	if (params.roomId) {
-		return { type: 'room', id: params.roomId };
+	if (entityType === 'event') {
+		const { eventId } = params;
+		if (!eventId) {
+			throw new Error('Event ID is required');
+		}
+
+		return eventId;
 	}
+
+	throw new Error('Invalid entity type');
 }
 
-export const canAccessResourceMiddleware = (federationAuth: EventAuthorizationService) =>
+const canAccessResource = (federationAuth: EventAuthorizationService, entityType: 'event' | 'media' | 'room') =>
 	createMiddleware(async (c, next) => {
 		try {
 			const authenticatedServer = c.get('authenticatedServer');
 			if (!authenticatedServer) {
 				return c.json({ errcode: 'M_UNAUTHORIZED', error: 'Missing Authorization header' }, 401);
 			}
 
-			const entity = extractEntityId(c.req.param());
-			if (!entity) {
-				// we're assuming there's no entity ID to get from route path params, so we're skipping the middleware
-				// seems secure cause in case you don't have entity ID on the path the router will end up with 404 or routing to a different resource
-				return next();
-			}
-
-			const verificationResult = await federationAuth.canAccessResource(entity.type, entity.id, authenticatedServer);
-			if (!verificationResult) {
+			const resourceAccess = await federationAuth.canAccessResource(
+				entityType,
+				extractEntityId(c.req.param(), entityType),
+				authenticatedServer,
+			);
+			if (!resourceAccess) {
 				return c.json(
 					{
 						errcode: 'M_FORBIDDEN',
@@ -51,3 +64,6 @@ export const canAccessResourceMiddleware = (federationAuth: EventAuthorizationSe
 			return c.json(errCodes.M_UNKNOWN, 500);
 		}
 	});
+
+export const canAccessResourceMiddleware = (federationAuth: EventAuthorizationService, entityType: 'event' | 'media' | 'room') =>
+	every(isAuthenticatedMiddleware(federationAuth), canAccessResource(federationAuth, entityType));