@@ -150,14 +150,15 @@ async def check_state_independent_auth_rules(
150150 # 1.5 Otherwise, allow
151151 return
152152
153- # Check the auth events .
153+ # 2. Reject if event has auth_events that: .. .
154154 auth_events = await store .get_events (
155155 event .auth_event_ids (),
156156 redact_behaviour = EventRedactBehaviour .as_is ,
157157 allow_rejected = True ,
158158 )
159159 room_id = event .room_id
160160 auth_dict : MutableStateMap [str ] = {}
161+ expected_auth_types = auth_types_for_event (event .room_version , event )
161162 for auth_event_id in event .auth_event_ids ():
162163 auth_event = auth_events .get (auth_event_id )
163164
@@ -179,6 +180,24 @@ async def check_state_independent_auth_rules(
179180 % (event .event_id , room_id , auth_event_id , auth_event .room_id ),
180181 )
181182
183+ k = (auth_event .type , auth_event .state_key )
184+
185+ # 2.1 ... have duplicate entries for a given type and state_key pair
186+ if k in auth_dict :
187+ raise AuthError (
188+ 403 ,
189+ f"Event { event .event_id } { k } { auth_dict [k ]} { auth_event_id } ,
190+ )
191+
192+ # 2.2 ... have entries whose type and state_key don’t match those specified by
193+ # the auth events selection algorithm described in the server
194+ # specification.
195+ if k not in expected_auth_types :
196+ raise AuthError (
197+ 403 ,
198+ f"Event { event .event_id } { k } { auth_event_id } ,
199+ )
200+
182201 # We also need to check that the auth event itself is not rejected.
183202 if auth_event .rejected_reason :
184203 raise AuthError (
@@ -187,7 +206,7 @@ async def check_state_independent_auth_rules(
187206 % (event .event_id , auth_event .event_id ),
188207 )
189208
190- auth_dict [( auth_event . type , auth_event . state_key ) ] = auth_event_id
209+ auth_dict [k ] = auth_event_id
191210
192211 # 3. If event does not have a m.room.create in its auth_events, reject.
193212 creation_event = auth_dict .get ((EventTypes .Create , "" ), None )
0 commit comments