x

Author: ricardogarim

ee/packages/federation-matrix/src/api/_matrix/invite.ts

@@ -12,6 +12,8 @@ import { Router } from '@rocket.chat/http-router';
 import { Rooms, Users } from '@rocket.chat/models';
 import { ajv } from '@rocket.chat/rest-typings/dist/v1/Ajv';
 
+import { isAuthenticatedMiddleware, canAccessResourceMiddleware } from '../middlewares';
+
 const EventBaseSchema = {
 	type: 'object',
 	properties: {
@@ -293,59 +295,62 @@ async function startJoiningRoom(...opts: Parameters<typeof joinRoom>) {
 }
 
 export const getMatrixInviteRoutes = (services: HomeserverServices) => {
-	const { invite, state, room } = services;
-
-	return new Router('/federation').put(
-		'/v2/invite/:roomId/:eventId',
-		{
-			body: ajv.compile({ type: 'object' }), // TODO: add schema from room package.
-			params: isProcessInviteParamsProps,
-			response: {
-				200: isProcessInviteResponseProps,
-			},
-			tags: ['Federation'],
-			license: ['federation'],
-		},
-		async (c) => {
-			const { roomId, eventId } = c.req.param();
-			const { event, room_version: roomVersion } = await c.req.json();
-
-			const userToCheck = event.state_key as string;
-
-			if (!userToCheck) {
-				throw new Error('join event has missing state key, unable to determine user to join');
-			}
-
-			const [username /* domain */] = userToCheck.split(':');
-
-			// TODO: check domain
-
-			const ourUser = await Users.findOneByUsername(username.slice(1));
-
-			if (!ourUser) {
-				throw new Error('user not found not processing invite');
-			}
-
-			const inviteEvent = await invite.processInvite(event, roomId, eventId, roomVersion);
-
-			setTimeout(
-				() => {
-					void startJoiningRoom({
-						inviteEvent,
-						user: ourUser,
-						room,
-						state,
-					});
+	const { invite, state, room, federationAuth } = services;
+
+	return new Router('/federation')
+		.use(isAuthenticatedMiddleware(federationAuth))
+		.use(canAccessResourceMiddleware(federationAuth))
+		.put(
+			'/v2/invite/:roomId/:eventId',
+			{
+				body: ajv.compile({ type: 'object' }), // TODO: add schema from room package.
+				params: isProcessInviteParamsProps,
+				response: {
+					200: isProcessInviteResponseProps,
 				},
-				inviteEvent.event.content.is_direct ? 2000 : 0,
-			);
-
-			return {
-				body: {
-					event: inviteEvent.event,
-				},
-				statusCode: 200,
-			};
-		},
-	);
+				tags: ['Federation'],
+				license: ['federation'],
+			},
+			async (c) => {
+				const { roomId, eventId } = c.req.param();
+				const { event, room_version: roomVersion } = await c.req.json();
+
+				const userToCheck = event.state_key as string;
+
+				if (!userToCheck) {
+					throw new Error('join event has missing state key, unable to determine user to join');
+				}
+
+				const [username /* domain */] = userToCheck.split(':');
+
+				// TODO: check domain
+
+				const ourUser = await Users.findOneByUsername(username.slice(1));
+
+				if (!ourUser) {
+					throw new Error('user not found not processing invite');
+				}
+
+				const inviteEvent = await invite.processInvite(event, roomId, eventId, roomVersion);
+
+				setTimeout(
+					() => {
+						void startJoiningRoom({
+							inviteEvent,
+							user: ourUser,
+							room,
+							state,
+						});
+					},
+					inviteEvent.event.content.is_direct ? 2000 : 0,
+				);
+
+				return {
+					body: {
+						event: inviteEvent.event,
+					},
+					statusCode: 200,
+				};
+			},
+		);
 };

ee/packages/federation-matrix/src/api/_matrix/media.ts

@@ -6,7 +6,7 @@ import { Router } from '@rocket.chat/http-router';
 import { ajv } from '@rocket.chat/rest-typings/dist/v1/Ajv';
 
 import { MatrixMediaService } from '../../services/MatrixMediaService';
-import { canAccessMedia } from '../middlewares';
+import { isAuthenticatedMiddleware, canAccessResourceMiddleware } from '../middlewares';
 
 const MediaDownloadParamsSchema = {
 	type: 'object',
@@ -75,79 +75,76 @@ async function getMediaFile(mediaId: string, serverName: string): Promise<{ file
 
 export const getMatrixMediaRoutes = (homeserverServices: HomeserverServices) => {
 	const { config, federationAuth } = homeserverServices;
-	const router = new Router('/federation');
-
-	router.get(
-		'/v1/media/download/:mediaId',
-		{
-			params: isMediaDownloadParamsProps,
-			response: {
-				200: isBufferResponseProps,
-				401: isErrorResponseProps,
-				403: isErrorResponseProps,
-				404: isErrorResponseProps,
-				429: isErrorResponseProps,
-				500: isErrorResponseProps,
+	return new Router('/federation')
+		.use(isAuthenticatedMiddleware(federationAuth))
+		.use(canAccessResourceMiddleware(federationAuth))
+		.get(
+			'/v1/media/download/:mediaId',
+			{
+				params: isMediaDownloadParamsProps,
+				response: {
+					200: isBufferResponseProps,
+					401: isErrorResponseProps,
+					403: isErrorResponseProps,
+					404: isErrorResponseProps,
+					429: isErrorResponseProps,
+					500: isErrorResponseProps,
+				},
+				tags: ['Federation', 'Media'],
 			},
-			tags: ['Federation', 'Media'],
-		},
-		canAccessMedia(federationAuth),
-		async (c) => {
-			try {
-				const { mediaId } = c.req.param();
-				const { serverName } = config;
-
-				// TODO: Add file streaming support
-				const result = await getMediaFile(mediaId, serverName);
-				if (!result) {
+			async (c) => {
+				try {
+					const { mediaId } = c.req.param();
+					const { serverName } = config;
+
+					// TODO: Add file streaming support
+					const result = await getMediaFile(mediaId, serverName);
+					if (!result) {
+						return {
+							statusCode: 404,
+							body: { errcode: 'M_NOT_FOUND', error: 'Media not found' },
+						};
+					}
+
+					const { file, buffer } = result;
+
+					const mimeType = file.type || 'application/octet-stream';
+					const fileName = file.name || mediaId;
+
+					const multipartResponse = createMultipartResponse(buffer, mimeType, fileName);
+
 					return {
-						statusCode: 404,
-						body: { errcode: 'M_NOT_FOUND', error: 'Media not found' },
+						statusCode: 200,
+						headers: {
+							...SECURITY_HEADERS,
+							'content-type': multipartResponse.contentType,
+							'content-length': String(multipartResponse.body.length),
+						},
+						body: multipartResponse.body,
+					};
+				} catch (error) {
+					return {
+						statusCode: 500,
+						body: { errcode: 'M_UNKNOWN', error: 'Internal server error' },
 					};
 				}
-
-				const { file, buffer } = result;
-
-				const mimeType = file.type || 'application/octet-stream';
-				const fileName = file.name || mediaId;
-
-				const multipartResponse = createMultipartResponse(buffer, mimeType, fileName);
-
-				return {
-					statusCode: 200,
-					headers: {
-						...SECURITY_HEADERS,
-						'content-type': multipartResponse.contentType,
-						'content-length': String(multipartResponse.body.length),
-					},
-					body: multipartResponse.body,
-				};
-			} catch (error) {
-				return {
-					statusCode: 500,
-					body: { errcode: 'M_UNKNOWN', error: 'Internal server error' },
-				};
-			}
-		},
-	);
-
-	router.get(
-		'/v1/media/thumbnail/:mediaId',
-		{
-			params: isMediaDownloadParamsProps,
-			response: {
-				404: isErrorResponseProps,
 			},
-			tags: ['Federation', 'Media'],
-		},
-		async () => ({
-			statusCode: 404,
-			body: {
-				errcode: 'M_UNRECOGNIZED',
-				error: 'This endpoint is not implemented on the homeserver side',
+		)
+		.get(
+			'/v1/media/thumbnail/:mediaId',
+			{
+				params: isMediaDownloadParamsProps,
+				response: {
+					404: isErrorResponseProps,
+				},
+				tags: ['Federation', 'Media'],
 			},
-		}),
-	);
-
-	return router;
+			async () => ({
+				statusCode: 404,
+				body: {
+					errcode: 'M_UNRECOGNIZED',
+					error: 'This endpoint is not implemented on the homeserver side',
+				},
+			}),
+		);
 };

ee/packages/federation-matrix/src/api/_matrix/profiles.ts

@@ -342,9 +342,11 @@ const EventAuthResponseSchema = {
 const isEventAuthResponseProps = ajv.compile(EventAuthResponseSchema);
 
 export const getMatrixProfilesRoutes = (services: HomeserverServices) => {
-	const { profile } = services;
+	const { profile, federationAuth } = services;
 
 	return new Router('/federation')
+		.use(isAuthenticatedMiddleware(federationAuth))
+		.use(canAccessResource(federationAuth))
 		.get(
 			'/v1/query/profile',
 			{

ee/packages/federation-matrix/src/api/_matrix/send-join.ts

@@ -2,6 +2,8 @@ import type { HomeserverServices, EventID } from '@rocket.chat/federation-sdk';
 import { Router } from '@rocket.chat/http-router';
 import { ajv } from '@rocket.chat/rest-typings/dist/v1/Ajv';
 
+import { isAuthenticatedMiddleware, canAccessResourceMiddleware } from '../middlewares';
+
 const UsernameSchema = {
 	type: 'string',
 	pattern: '^@[A-Za-z0-9_=\\/.+-]+:(.+)$',
@@ -222,29 +224,32 @@ const SendJoinResponseSchema = {
 const isSendJoinResponseProps = ajv.compile(SendJoinResponseSchema);
 
 export const getMatrixSendJoinRoutes = (services: HomeserverServices) => {
-	const { sendJoin } = services;
-
-	return new Router('/federation').put(
-		'/v2/send_join/:roomId/:stateKey',
-		{
-			params: isSendJoinParamsProps,
-			body: isSendJoinEventProps,
-			response: {
-				200: isSendJoinResponseProps,
+	const { sendJoin, federationAuth } = services;
+
+	return new Router('/federation')
+		.use(isAuthenticatedMiddleware(federationAuth))
+		.use(canAccessResourceMiddleware(federationAuth))
+		.put(
+			'/v2/send_join/:roomId/:stateKey',
+			{
+				params: isSendJoinParamsProps,
+				body: isSendJoinEventProps,
+				response: {
+					200: isSendJoinResponseProps,
+				},
+				tags: ['Federation'],
+				license: ['federation'],
 			},
-			tags: ['Federation'],
-			license: ['federation'],
-		},
-		async (c) => {
-			const { roomId, stateKey } = c.req.param();
-			const body = await c.req.json();
+			async (c) => {
+				const { roomId, stateKey } = c.req.param();
+				const body = await c.req.json();
 
-			const response = await sendJoin.sendJoin(roomId, stateKey as EventID, body);
+				const response = await sendJoin.sendJoin(roomId, stateKey as EventID, body);
 
-			return {
-				body: response,
-				statusCode: 200,
-			};
-		},
-	);
+				return {
+					body: response,
+					statusCode: 200,
+				};
+			},
+		);
 };

ee/packages/federation-matrix/src/api/_matrix/transactions.ts

@@ -2,7 +2,7 @@ import type { HomeserverServices, EventID } from '@rocket.chat/federation-sdk';
 import { Router } from '@rocket.chat/http-router';
 import { ajv } from '@rocket.chat/rest-typings/dist/v1/Ajv';
 
-import { canAccessEvent } from '../middlewares';
+import { isAuthenticatedMiddleware, canAccessResourceMiddleware } from '../middlewares';
 
 const SendTransactionParamsSchema = {
 	type: 'object',
@@ -258,6 +258,8 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 	// PUT /_matrix/federation/v1/send/{txnId}
 	return (
 		new Router('/federation')
+			.use(isAuthenticatedMiddleware(federationAuth))
+			.use(canAccessResourceMiddleware(federationAuth))
 			.put(
 				'/v1/send/:txnId',
 				{
@@ -374,7 +376,6 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 					tags: ['Federation'],
 					license: ['federation'],
 				},
-				canAccessEvent(federationAuth),
 				async (c) => {
 					const eventData = await event.getEventById(c.req.param('eventId') as EventID);
 					if (!eventData) {