add allowedEncryptedRooms and allowedNonPrivateRooms support

Author: ricardogarim

packages/federation-sdk/src/index.ts

@@ -90,6 +90,7 @@ export {
 	type BaseEventType,
 } from './utils/event-schemas';
 export { errCodes } from './utils/response-codes';
+export { NotAllowedError } from './services/invite.service';
 
 export { EventRepository } from './repositories/event.repository';
 export { RoomRepository } from './repositories/room.repository';

packages/federation-sdk/src/services/config.service.ts

@@ -31,6 +31,10 @@ export interface AppConfig {
 			downloadPerMinute: number;
 		};
 	};
+	invite: {
+		allowedEncryptedRooms: boolean;
+		allowedNonPrivateRooms: boolean;
+	};
 }
 
 export const AppConfigSchema = z.object({
@@ -69,6 +73,10 @@ export const AppConfigSchema = z.object({
 				.min(1, 'Download rate limit must be at least 1'),
 		}),
 	}),
+	invite: z.object({
+		allowedEncryptedRooms: z.boolean(),
+		allowedNonPrivateRooms: z.boolean(),
+	}),
 });
 
 export class ConfigService {
@@ -113,6 +121,10 @@ export class ConfigService {
 		return this.config.media;
 	}
 
+	getInviteConfig(): AppConfig['invite'] {
+		return this.config.invite;
+	}
+
 	async getSigningKey() {
 		// If config contains a signing key, use it
 		if (!this.config.signingKey) {

packages/federation-sdk/src/services/invite.service.ts

@@ -25,6 +25,13 @@ export type ProcessInviteEvent = {
 	room_version: string;
 };
 
+export class NotAllowedError extends Error {
+	constructor(message: string) {
+		super(message);
+		this.name = 'NotAllowedError';
+	}
+}
+
 @singleton()
 export class InviteService {
 	private readonly logger = createLogger('InviteService');
@@ -142,6 +149,42 @@ export class InviteService {
 		};
 	}
 
+	private async shouldProcessInvite(
+		event: PduForType<'m.room.member'>,
+	): Promise<void> {
+		const isRoomNonPrivate = event.unsigned.invite_room_state.some(
+			(
+				stateEvent: PersistentEventBase<
+					RoomVersion,
+					'm.room.join_rules'
+				>['event'],
+			) =>
+				stateEvent.type === 'm.room.join_rules' &&
+				stateEvent.content.join_rule === 'public',
+		);
+
+		const isRoomEncrypted = event.unsigned.invite_room_state.some(
+			(
+				stateEvent: PersistentEventBase<
+					RoomVersion,
+					'm.room.encryption'
+				>['event'],
+			) => stateEvent.type === 'm.room.encryption',
+		);
+
+		const { allowedEncryptedRooms, allowedNonPrivateRooms } =
+			this.configService.getInviteConfig();
+
+		const shouldRejectInvite =
+			(!allowedEncryptedRooms && isRoomEncrypted) ||
+			(!allowedNonPrivateRooms && isRoomNonPrivate);
+		if (shouldRejectInvite) {
+			throw new NotAllowedError(
+				`Could not process invite due to room being ${isRoomEncrypted ? 'encrypted' : 'public'}`,
+			);
+		}
+	}
+
 	async processInvite(
 		event: PduForType<'m.room.member'>,
 		roomId: RoomID,
@@ -150,6 +193,7 @@ export class InviteService {
 		authenticatedServer: string,
 	) {
 		// SPEC: when a user invites another user on a different homeserver, a request to that homeserver to have the event signed and verified must be made
+		await this.shouldProcessInvite(event);
 
 		const residentServer = roomId.split(':').pop();
 		if (!residentServer) {

packages/federation-sdk/src/services/room.service.ts

@@ -21,6 +21,7 @@ import {
 	type EventID,
 	PduForType,
 	PduJoinRuleEventContent,
+	PduMembershipEventContent,
 	PduType,
 	PersistentEventBase,
 	PersistentEventFactory,
@@ -845,7 +846,7 @@ export class RoomService {
 
 		// trying to join room from another server
 		const makeJoinResponse = await federationService.makeJoin(
-			residentServer as string,
+			residentServer,
 			roomId,
 			userId,
 			roomVersion, // NOTE: check the comment in the called method

packages/homeserver/src/homeserver.module.ts

@@ -88,6 +88,12 @@ export async function setup(options?: HomeserverSetupOptions) {
 				),
 			},
 		},
+		invite: {
+			allowedEncryptedRooms:
+				process.env.INVITE_ALLOWED_ENCRYPTED_ROOMS === 'true' || true,
+			allowedNonPrivateRooms:
+				process.env.INVITE_ALLOWED_NON_PRIVATE_ROOMS === 'true' || true,
+		},
 	});
 
 	const containerOptions: FederationContainerOptions = {