avoid to join non-private or encrypted rooms based on settings

Author: ricardogarim

apps/meteor/server/settings/federation-service.ts

@@ -84,5 +84,21 @@ export const createFederationServiceSettings = async (): Promise<void> => {
 			invalidValue: false,
 			alert: 'Federation_Service_EDU_Process_Presence_Alert',
 		});
+
+		await this.add('Federation_Service_Join_Encrypted_Rooms', false, {
+			type: 'boolean',
+			public: false,
+			enterprise: true,
+			modules: ['federation'],
+			invalidValue: false,
+		});
+
+		await this.add('Federation_Service_Join_Non_Private_Rooms', false, {
+			type: 'boolean',
+			public: false,
+			enterprise: true,
+			modules: ['federation'],
+			invalidValue: false,
+		});
 	});
 };

ee/packages/federation-matrix/src/api/_matrix/invite.ts

@@ -1,6 +1,5 @@
 import { FederationMatrix, Room } from '@rocket.chat/core-services';
 import { isUserNativeFederated, type IUser } from '@rocket.chat/core-typings';
-import { eventIdSchema, roomIdSchema } from '@rocket.chat/federation-sdk';
 import type {
 	HomeserverServices,
 	RoomService,
@@ -9,6 +8,7 @@ import type {
 	PersistentEventBase,
 	RoomVersion,
 } from '@rocket.chat/federation-sdk';
+import { eventIdSchema, roomIdSchema, NotAllowedError } from '@rocket.chat/federation-sdk';
 import { Router } from '@rocket.chat/http-router';
 import { Rooms, Users } from '@rocket.chat/models';
 import { ajv } from '@rocket.chat/rest-typings/dist/v1/Ajv';
@@ -355,32 +355,52 @@ export const getMatrixInviteRoutes = (services: HomeserverServices) => {
 				throw new Error('user not found not processing invite');
 			}
 
-			const inviteEvent = await invite.processInvite(
-				event,
-				roomIdSchema.parse(roomId),
-				eventIdSchema.parse(eventId),
-				roomVersion,
-				c.get('authenticatedServer'),
-			);
-
-			setTimeout(
-				() => {
-					void startJoiningRoom({
-						inviteEvent,
-						user: ourUser,
-						room,
-						state,
-					});
-				},
-				inviteEvent.event.content.is_direct ? 2000 : 0,
-			);
-
-			return {
-				body: {
-					event: inviteEvent.event,
-				},
-				statusCode: 200,
-			};
+			try {
+				const inviteEvent = await invite.processInvite(
+					event,
+					roomIdSchema.parse(roomId),
+					eventIdSchema.parse(eventId),
+					roomVersion,
+					c.get('authenticatedServer'),
+				);
+
+				setTimeout(
+					() => {
+						void startJoiningRoom({
+							inviteEvent,
+							user: ourUser,
+							room,
+							state,
+						});
+					},
+					inviteEvent.event.content.is_direct ? 2000 : 0,
+				);
+
+				return {
+					body: {
+						event: inviteEvent.event,
+					},
+					statusCode: 200,
+				};
+			} catch (error) {
+				if (error instanceof NotAllowedError) {
+					return {
+						body: {
+							errcode: 'M_FORBIDDEN',
+							error: 'This server does not allow joining this type of room based on federation settings.',
+						},
+						statusCode: 403,
+					};
+				}
+
+				return {
+					body: {
+						errcode: 'M_UNKNOWN',
+						error: error instanceof Error ? error.message : 'Internal server error while processing request',
+					},
+					statusCode: 500,
+				};
+			}
 		},
 	);
 };

ee/packages/federation-matrix/src/setup.ts

@@ -45,6 +45,8 @@ export async function setupFederationMatrix(instanceId: string): Promise<boolean
 	const signingKey = (await Settings.getValueById<string>('Federation_Service_Matrix_Signing_Key')) || '';
 	const signingAlg = (await Settings.getValueById<string>('Federation_Service_Matrix_Signing_Algorithm')) || '';
 	const signingVersion = (await Settings.getValueById<string>('Federation_Service_Matrix_Signing_Version')) || '';
+	const allowedEncryptedRooms = (await Settings.getValueById<boolean>('Federation_Service_Join_Encrypted_Rooms')) || false;
+	const allowedNonPrivateRooms = (await Settings.getValueById<boolean>('Federation_Service_Join_Non_Private_Rooms')) || false;
 
 	// TODO are these required?
 	const mongoUri = process.env.MONGO_URL || 'mongodb://localhost:3001/meteor';
@@ -83,6 +85,10 @@ export async function setupFederationMatrix(instanceId: string): Promise<boolean
 				downloadPerMinute: Number.parseInt(process.env.MEDIA_DOWNLOAD_RATE_LIMIT || '60', 10),
 			},
 		},
+		invite: {
+			allowedEncryptedRooms,
+			allowedNonPrivateRooms,
+		},
 	});
 
 	const eventHandler = new Emitter<HomeserverEventSignatures>();

packages/i18n/src/locales/en.i18n.json

@@ -2161,7 +2161,7 @@
   "Federation_Service_EDU_Process_Presence": "Process Presence events",
   "Federation_Service_EDU_Process_Presence_Description": "Send and receive events of user presence (online, offline, etc.) between federated servers.",
   "Federation_Service_EDU_Process_Presence_Alert": "Enabling presence events may increase the load on your server and network traffic considerably, especially if you have many users. Only enable this option if you understand the implications and have the necessary resources to handle the additional load.",
-  "Federation_Service_Alert": "<strong>This is an alfa feature not intended for production usage!</strong><br/>It may not be stable and/or performatic. Please be aware that it may change, break, or even be removed in the future without any notice.",
+  "Federation_Service_Alert": "<strong>This is an Alpha feature not intended for production usage!</strong><br/>It may not be stable and/or performatic. Please be aware that it may change, break, or even be removed in the future without any notice.",
   "Federation_Service_Domain": "Federated Domain",
   "Federation_Service_Domain_Description": "The domain that this server should respond to, for example: `acme.com`. This will be used as the suffix for user IDs (e.g., `@user:acme.com`).<br/>If your chat server is accessible from a different domain than the one you want to use for federation, you should follow our documentation to configure the `.well-known` file on your web server.",
   "Federation_Service_Domain_Alert": "Inform only the domain, do not include http(s)://, slashes or any path after it.<br/>Use something like `acme.com` and not `https://acme.com/chat`.",
@@ -2172,6 +2172,8 @@
   "Federation_Service_max_allowed_size_of_public_rooms_to_join": "Maximum number of members when joining a public room in a remote server",
   "Federation_Service_max_allowed_size_of_public_rooms_to_join_Alert": "Keep in mind, that the bigger the room you allow for users to join, the more time it will take to join that room, besides the amount of resource it will use. <a target=\"_blank\" href=\"https://matrix.org/blog/2022/10/18/testing-faster-remote-room-joins\">Read more</a>",
   "Federation_Service_max_allowed_size_of_public_rooms_to_join_Description": "The user limit from a public room in a remote server that can still be joined. Rooms that exceed this setting will still be listed, but users won't be able to join them",
+  "Federation_Service_Join_Encrypted_Rooms": "Allow joining encrypted federated rooms",
+  "Federation_Service_Join_Non_Private_Rooms": "Allow joining non-private rooms",
   "Federation_Service_Allow_List": "Domain Allow List",
   "Federation_Service_Allow_List_Description": "Restrict federation to the given allow list of domains.",
   "Field": "Field",