add middlewares on each route due to params visibility

ricardogarim · ricardogarim · commit f533048bdf20 · 2025-09-30T17:32:03.000-03:00
diff --git a/ee/packages/federation-matrix/src/api/_matrix/invite.ts b/ee/packages/federation-matrix/src/api/_matrix/invite.ts
@@ -297,9 +297,10 @@ async function startJoiningRoom(...opts: Parameters<typeof joinRoom>) {
 export const getMatrixInviteRoutes = (services: HomeserverServices) => {
 	const { invite, state, room, federationAuth } = services;
 
-	return new Router('/federation').use(canAccessResourceMiddleware(federationAuth, 'room')).put(
+	return new Router('/federation').put(
 		'/v2/invite/:roomId/:eventId',
 		{
+			use: canAccessResourceMiddleware(federationAuth, 'room'),
 			body: ajv.compile({ type: 'object' }), // TODO: add schema from room package.
 			params: isProcessInviteParamsProps,
 			response: {
diff --git a/ee/packages/federation-matrix/src/api/_matrix/media.ts b/ee/packages/federation-matrix/src/api/_matrix/media.ts
@@ -76,10 +76,10 @@ async function getMediaFile(mediaId: string, serverName: string): Promise<{ file
 export const getMatrixMediaRoutes = (homeserverServices: HomeserverServices) => {
 	const { config, federationAuth } = homeserverServices;
 	return new Router('/federation')
-		.use(canAccessResourceMiddleware(federationAuth, 'media'))
 		.get(
 			'/v1/media/download/:mediaId',
 			{
+				use: canAccessResourceMiddleware(federationAuth, 'media'),
 				params: isMediaDownloadParamsProps,
 				response: {
 					200: isBufferResponseProps,
@@ -132,6 +132,7 @@ export const getMatrixMediaRoutes = (homeserverServices: HomeserverServices) =>
 		.get(
 			'/v1/media/thumbnail/:mediaId',
 			{
+				use: canAccessResourceMiddleware(federationAuth, 'media'),
 				params: isMediaDownloadParamsProps,
 				response: {
 					404: isErrorResponseProps,
diff --git a/ee/packages/federation-matrix/src/api/_matrix/profiles.ts b/ee/packages/federation-matrix/src/api/_matrix/profiles.ts
@@ -420,10 +420,10 @@ export const getMatrixProfilesRoutes = (services: HomeserverServices) => {
 				};
 			},
 		)
-		.use(canAccessResourceMiddleware(federationAuth, 'room'))
 		.get(
 			'/v1/make_join/:roomId/:userId',
 			{
+				use: canAccessResourceMiddleware(federationAuth, 'room'),
 				params: isMakeJoinParamsProps,
 				query: isMakeJoinQueryProps,
 				response: {
@@ -451,6 +451,7 @@ export const getMatrixProfilesRoutes = (services: HomeserverServices) => {
 		.post(
 			'/v1/get_missing_events/:roomId',
 			{
+				use: canAccessResourceMiddleware(federationAuth, 'room'),
 				params: isGetMissingEventsParamsProps,
 				body: isGetMissingEventsBodyProps,
 				response: {
@@ -474,6 +475,7 @@ export const getMatrixProfilesRoutes = (services: HomeserverServices) => {
 		.get(
 			'/v1/event_auth/:roomId/:eventId',
 			{
+				use: canAccessResourceMiddleware(federationAuth, 'room'),
 				params: isEventAuthParamsProps,
 				response: {
 					200: isEventAuthResponseProps,
diff --git a/ee/packages/federation-matrix/src/api/_matrix/send-join.ts b/ee/packages/federation-matrix/src/api/_matrix/send-join.ts
@@ -226,9 +226,10 @@ const isSendJoinResponseProps = ajv.compile(SendJoinResponseSchema);
 export const getMatrixSendJoinRoutes = (services: HomeserverServices) => {
 	const { sendJoin, federationAuth } = services;
 
-	return new Router('/federation').use(canAccessResourceMiddleware(federationAuth, 'room')).put(
+	return new Router('/federation').put(
 		'/v2/send_join/:roomId/:stateKey',
 		{
+			use: canAccessResourceMiddleware(federationAuth, 'room'),
 			params: isSendJoinParamsProps,
 			body: isSendJoinEventProps,
 			response: {
diff --git a/ee/packages/federation-matrix/src/api/_matrix/transactions.ts b/ee/packages/federation-matrix/src/api/_matrix/transactions.ts
@@ -306,10 +306,10 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 			)
 
 			// GET /_matrix/federation/v1/state_ids/{roomId}
-			.use(canAccessResourceMiddleware(federationAuth, 'room'))
 			.get(
 				'/v1/state_ids/:roomId',
 				{
+					use: canAccessResourceMiddleware(federationAuth, 'room'),
 					params: isGetStateIdsParamsProps,
 					response: {
 						200: isGetStateIdsResponseProps,
@@ -340,6 +340,7 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 			.get(
 				'/v1/state/:roomId',
 				{
+					use: canAccessResourceMiddleware(federationAuth, 'room'),
 					params: isGetStateParamsProps,
 					response: {
 						200: isGetStateResponseProps,
@@ -366,10 +367,10 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {
 				},
 			)
 			// GET /_matrix/federation/v1/event/{eventId}
-			.use(canAccessResourceMiddleware(federationAuth, 'event'))
 			.get(
 				'/v1/event/:eventId',
 				{
+					use: canAccessResourceMiddleware(federationAuth, 'event'),
 					params: isGetEventParamsProps,
 					response: {
 						200: isGetEventResponseProps,
diff --git a/ee/packages/federation-matrix/src/api/middlewares/canAccessResource.ts b/ee/packages/federation-matrix/src/api/middlewares/canAccessResource.ts
@@ -44,9 +44,13 @@ const canAccessResource = (federationAuth: EventAuthorizationService, entityType
 				return c.json({ errcode: 'M_UNAUTHORIZED', error: 'Missing Authorization header' }, 401);
 			}
 
+			const mediaId = c.req.param('mediaId');
+			const eventId = c.req.param('eventId');
+			const roomId = c.req.param('roomId');
+
 			const resourceAccess = await federationAuth.canAccessResource(
 				entityType,
-				extractEntityId(c.req.param(), entityType),
+				extractEntityId({ mediaId, eventId, roomId }, entityType),
 				authenticatedServer,
 			);
 			if (!resourceAccess) {

Original file line number	Diff line number	Diff line change
`@@ -306,10 +306,10 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {`
`306`	`306`	`)`
`307`	`307`
`308`	`308`	`// GET /_matrix/federation/v1/state_ids/{roomId}`
`309`		`- .use(canAccessResourceMiddleware(federationAuth, 'room'))`
`310`	`309`	`.get(`
`311`	`310`	`'/v1/state_ids/:roomId',`
`312`	`311`	`{`
	`312`	`+ use: canAccessResourceMiddleware(federationAuth, 'room'),`
`313`	`313`	`params: isGetStateIdsParamsProps,`
`314`	`314`	`response: {`
`315`	`315`	`200: isGetStateIdsResponseProps,`
`@@ -340,6 +340,7 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {`
`340`	`340`	`.get(`
`341`	`341`	`'/v1/state/:roomId',`
`342`	`342`	`{`
	`343`	`+ use: canAccessResourceMiddleware(federationAuth, 'room'),`
`343`	`344`	`params: isGetStateParamsProps,`
`344`	`345`	`response: {`
`345`	`346`	`200: isGetStateResponseProps,`
`@@ -366,10 +367,10 @@ export const getMatrixTransactionsRoutes = (services: HomeserverServices) => {`
`366`	`367`	`},`
`367`	`368`	`)`
`368`	`369`	`// GET /_matrix/federation/v1/event/{eventId}`
`369`		`- .use(canAccessResourceMiddleware(federationAuth, 'event'))`
`370`	`370`	`.get(`
`371`	`371`	`'/v1/event/:eventId',`
`372`	`372`	`{`
	`373`	`+ use: canAccessResourceMiddleware(federationAuth, 'event'),`
`373`	`374`	`params: isGetEventParamsProps,`
`374`	`375`	`response: {`
`375`	`376`	`200: isGetEventResponseProps,`