add middlewares on each route due to params visibility

ricardogarim · ricardogarim · commit 3d413f68a86f · 2025-10-06T11:31:01.000-03:00
diff --git a/ee/packages/federation-matrix/src/api/_matrix/invite.ts b/ee/packages/federation-matrix/src/api/_matrix/invite.ts
@@ -319,7 +319,7 @@ export const acceptInvite = async (
 export const getMatrixInviteRoutes = (services: HomeserverServices) => {
 	const { invite, state, room, federationAuth } = services;
 
-	return new Router('/federation').use(canAccessResourceMiddleware(federationAuth, 'room')).put(
+	return new Router('/federation').put(
 		'/v2/invite/:roomId/:eventId',
 		{
 			body: ajv.compile({ type: 'object' }), // TODO: add schema from room package.
@@ -330,6 +330,7 @@ export const getMatrixInviteRoutes = (services: HomeserverServices) => {
 			tags: ['Federation'],
 			license: ['federation'],
 		},
+		canAccessResourceMiddleware(federationAuth, 'room'),
 		async (c) => {
 			const { roomId, eventId } = c.req.param();
 			const { event, room_version: roomVersion } = await c.req.json();
diff --git a/ee/packages/federation-matrix/src/api/_matrix/media.ts b/ee/packages/federation-matrix/src/api/_matrix/media.ts
@@ -76,7 +76,6 @@ async function getMediaFile(mediaId: string, serverName: string): Promise<{ file
 export const getMatrixMediaRoutes = (homeserverServices: HomeserverServices) => {
 	const { config, federationAuth } = homeserverServices;
 	return new Router('/federation')
-		.use(canAccessResourceMiddleware(federationAuth, 'media'))
 		.get(
 			'/v1/media/download/:mediaId',
 			{
@@ -91,6 +90,7 @@ export const getMatrixMediaRoutes = (homeserverServices: HomeserverServices) =>
 				},
 				tags: ['Federation', 'Media'],
 			},
+			canAccessResourceMiddleware(federationAuth, 'media'),
 			async (c) => {
 				try {
 					const { mediaId } = c.req.param();
@@ -138,7 +138,8 @@ export const getMatrixMediaRoutes = (homeserverServices: HomeserverServices) =>
 				},
 				tags: ['Federation', 'Media'],
 			},
-			async () => ({
+			canAccessResourceMiddleware(federationAuth, 'media'),
+			async (_c) => ({
 				statusCode: 404,
 				body: {
 					errcode: 'M_UNRECOGNIZED',
diff --git a/ee/packages/federation-matrix/src/api/_matrix/profiles.ts b/ee/packages/federation-matrix/src/api/_matrix/profiles.ts
@@ -428,7 +428,6 @@ export const getMatrixProfilesRoutes = (services: HomeserverServices) => {
 				};
 			},
 		)
-		.use(canAccessResourceMiddleware(federationAuth, 'room'))
 		.get(
 			'/v1/make_join/:roomId/:userId',
 			{
@@ -440,6 +439,7 @@ export const getMatrixProfilesRoutes = (services: HomeserverServices) => {
 				tags: ['Federation'],
 				license: ['federation'],
 			},
+			canAccessResourceMiddleware(federationAuth, 'room'),
 			async (c) => {
 				const { roomId, userId } = c.req.param();
 				const url = new URL(c.req.url);
@@ -471,6 +471,7 @@ export const getMatrixProfilesRoutes = (services: HomeserverServices) => {
 				tags: ['Federation'],
 				license: ['federation'],
 			},
+			canAccessResourceMiddleware(federationAuth, 'room'),
 			async (c) => {
 				const { roomId } = c.req.param();
 				const body = await c.req.json();
@@ -493,6 +494,7 @@ export const getMatrixProfilesRoutes = (services: HomeserverServices) => {
 				tags: ['Federation'],
 				license: ['federation'],
 			},
+			canAccessResourceMiddleware(federationAuth, 'room'),
 			async (c) => {
 				const { roomId, eventId } = c.req.param();
 
diff --git a/ee/packages/federation-matrix/src/api/_matrix/send-join.ts b/ee/packages/federation-matrix/src/api/_matrix/send-join.ts
@@ -226,7 +226,7 @@ const isSendJoinResponseProps = ajv.compile(SendJoinResponseSchema);
 export const getMatrixSendJoinRoutes = (services: HomeserverServices) => {
 	const { sendJoin, federationAuth } = services;
 
-	return new Router('/federation').use(canAccessResourceMiddleware(federationAuth, 'room')).put(
+	return new Router('/federation').put(
 		'/v2/send_join/:roomId/:stateKey',
 		{
 			params: isSendJoinParamsProps,
@@ -237,6 +237,7 @@ export const getMatrixSendJoinRoutes = (services: HomeserverServices) => {
 			tags: ['Federation'],
 			license: ['federation'],
 		},
+		canAccessResourceMiddleware(federationAuth, 'room'),
 		async (c) => {
 			const { roomId, stateKey } = c.req.param();
 			const body = await c.req.json();
diff --git a/ee/packages/federation-matrix/src/api/_matrix/transactions.ts b/ee/packages/federation-matrix/src/api/_matrix/transactions.ts
@@ -367,7 +367,6 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 			)
 
 			// GET /_matrix/federation/v1/state_ids/{roomId}
-			.use(canAccessResourceMiddleware(federationAuth, 'room'))
 			.get(
 				'/v1/state_ids/:roomId',
 				{
@@ -376,6 +375,7 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 						200: isGetStateIdsResponseProps,
 					},
 				},
+				canAccessResourceMiddleware(federationAuth, 'room'),
 				async (c) => {
 					const roomId = c.req.param('roomId');
 					const eventId = c.req.query('event_id');
@@ -406,6 +406,7 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 						200: isGetStateResponseProps,
 					},
 				},
+				canAccessResourceMiddleware(federationAuth, 'room'),
 				async (c) => {
 					const roomId = c.req.param('roomId');
 					const eventId = c.req.query('event_id');
@@ -427,7 +428,6 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 				},
 			)
 			// GET /_matrix/federation/v1/event/{eventId}
-			.use(canAccessResourceMiddleware(federationAuth, 'event'))
 			.get(
 				'/v1/event/:eventId',
 				{
@@ -438,6 +438,7 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 					tags: ['Federation'],
 					license: ['federation'],
 				},
+				canAccessResourceMiddleware(federationAuth, 'event'),
 				async (c) => {
 					const eventData = await event.getEventById(c.req.param('eventId') as EventID);
 					if (!eventData) {
diff --git a/ee/packages/federation-matrix/src/api/middlewares/canAccessResource.ts b/ee/packages/federation-matrix/src/api/middlewares/canAccessResource.ts
@@ -44,9 +44,13 @@ const canAccessResource = (federationAuth: EventAuthorizationService, entityType
 				return c.json({ errcode: 'M_UNAUTHORIZED', error: 'Missing Authorization header' }, 401);
 			}
 
+			const mediaId = c.req.param('mediaId');
+			const eventId = c.req.param('eventId');
+			const roomId = c.req.param('roomId');
+
 			const resourceAccess = await federationAuth.canAccessResource(
 				entityType,
-				extractEntityId(c.req.param(), entityType),
+				extractEntityId({ mediaId, eventId, roomId }, entityType),
 				authenticatedServer,
 			);
 			if (!resourceAccess) {
