Merge pull request #758 from the-draupnir-project/gnuxie/synapse-http-antispam

synapse-http-antispam support

Author: Gnuxie

config/default.yaml

@@ -273,6 +273,18 @@ web:
   abuseReporting:
     # Whether to enable this feature.
     enabled: false
+  # Whether to setup a endpoints for synapse-http-antispam
+  # https://github.com/maunium/synapse-http-antispam
+  # this is required for some features of Draupnir,
+  # such as support for room takedown policies.
+  #
+  # Please FOLLOW the instructions here:
+  # https://the-draupnir-project.github.io/draupnir-documentation/bot/synapse-http-antispam
+  synapseHTTPAntispam:
+    enabled: false
+    # This is a secret that you must place into your synapse module config
+    # https://github.com/maunium/synapse-http-antispam?tab=readme-ov-file#configuration
+    authorization: REPLACE_ME
 
 # Whether or not to actively poll synapse for abuse reports, to be used
 # instead of intercepting client calls to synapse's abuse endpoint, when that

config/harness.yaml

@@ -186,3 +186,6 @@ web:
   abuseReporting:
     # Whether to enable this feature.
     enabled: true
+  synapseHTTPAntispam:
+    enabled: true
+    authorization: DEFAULT

mx-tester.yml

@@ -37,12 +37,23 @@ down:
     - docker stop mjolnir-test-reverse-proxy || true
 
 modules:
-  - name: mjolnir
+  - name: HTTPAntispam
     build:
-      - cp -r synapse_antispam $MX_TEST_MODULE_DIR/
+      - git clone https://github.com/maunium/synapse-http-antispam.git
+        $MX_TEST_MODULE_DIR/
     config:
-      module: mjolnir.Module
-      config: {}
+      module: synapse_http_antispam.HTTPAntispam
+      config:
+        base_url: http://host.docker.internal:8082/api/1/spam_check
+        authorization: DEFAULT
+        enabled_callbacks:
+          - user_may_invite
+          - user_may_join_room
+          - check_event_for_spam
+        fail_open:
+          user_may_invite: true
+          user_may_join_room: true
+          check_event_for_spam: true
 
 homeserver:
   # Basic configuration.

src/Draupnir.ts

@@ -81,6 +81,7 @@ import {
   COMMAND_CONFIRMATION_LISTENER,
   makeConfirmationPromptListener,
 } from "./commands/interface-manager/MatrixPromptForConfirmation";
+import { SynapseHttpAntispam } from "./webapis/SynapseHTTPAntispam/SynapseHttpAntispam";
 const log = new Logger("Draupnir");
 
 // webAPIS should not be included on the Draupnir class.
@@ -144,7 +145,8 @@ export class Draupnir implements Client, MatrixAdaptorContext {
     public readonly acceptInvitesFromRoom: MatrixRoomID,
     public readonly acceptInvitesFromRoomIssuer: RoomMembershipRevisionIssuer,
     public readonly safeModeToggle: SafeModeToggle,
-    public readonly synapseAdminClient?: SynapseAdminClient
+    public readonly synapseAdminClient: SynapseAdminClient | undefined,
+    public readonly synapseHTTPAntispam: SynapseHttpAntispam | undefined
   ) {
     this.managementRoomOutput = new ManagementRoomOutput(
       this.managementRoomDetail,
@@ -209,7 +211,8 @@ export class Draupnir implements Client, MatrixAdaptorContext {
     roomMembershipManager: RoomMembershipManager,
     config: IConfig,
     loggableConfigTracker: LoggableConfigTracker,
-    safeModeToggle: SafeModeToggle
+    safeModeToggle: SafeModeToggle,
+    synapseHTTPAntispam: SynapseHttpAntispam | undefined
   ): Promise<ActionResult<Draupnir>> {
     const acceptInvitesFromRoom = await (async () => {
       if (config.autojoinOnlyIfManager) {
@@ -267,7 +270,8 @@ export class Draupnir implements Client, MatrixAdaptorContext {
       acceptInvitesFromRoom.ok,
       acceptInvitesFromRoomIssuer.ok,
       safeModeToggle,
-      new SynapseAdminClient(client, clientUserID)
+      new SynapseAdminClient(client, clientUserID),
+      synapseHTTPAntispam
     );
     const loadResult = await protectedRoomsSet.protections.loadProtections(
       protectedRoomsSet,

src/DraupnirBotMode.ts

@@ -48,6 +48,7 @@ import { SafeModeDraupnir } from "./safemode/DraupnirSafeMode";
 import { ResultError } from "@gnuxie/typescript-result";
 import { SafeModeCause, SafeModeReason } from "./safemode/SafeModeCause";
 import { SafeModeBootOption } from "./safemode/BootOption";
+import { SynapseHttpAntispam } from "./webapis/SynapseHTTPAntispam/SynapseHttpAntispam";
 
 const log = new Logger("DraupnirBotMode");
 
@@ -73,13 +74,20 @@ interface BotModeTogle extends SafeModeToggle {
     error: ResultError,
     options?: SafeModeToggleOptions
   ): Promise<Result<SafeModeDraupnir>>;
+  // The SynapseHTTPAntispam listeners, if available.
+  // Which they won't be for some bot mode and all application service users.
+  readonly synapseHTTPAntispam: SynapseHttpAntispam | undefined;
 }
 
 export class DraupnirBotModeToggle implements BotModeTogle {
   private draupnir: Draupnir | null = null;
   private safeModeDraupnir: SafeModeDraupnir | null = null;
   private webAPIs: WebAPIs | null = null;
 
+  public get synapseHTTPAntispam() {
+    return this.webAPIs?.synapseHTTPAntispam ?? undefined;
+  }
+
   private constructor(
     private readonly clientUserID: StringUserID,
     private readonly managementRoom: MatrixRoomID,

src/config.ts

@@ -40,6 +40,17 @@ export function getNonDefaultConfigProperties(
   ) {
     nonDefault.pantalaimon.password = "REDACTED";
   }
+  if (
+    "web" in nonDefault &&
+    typeof nonDefault["web"] === "object" &&
+    nonDefault["web"] !== null &&
+    "synapseHTTPAntispam" in nonDefault["web"] &&
+    typeof nonDefault["web"]["synapseHTTPAntispam"] === "object"
+  ) {
+    if (nonDefault["web"]["synapseHTTPAntispam"] !== null) {
+      nonDefault["web"]["synapseHTTPAntispam"].authorization = "REDACTED";
+    }
+  }
   return nonDefault;
 }
 
@@ -147,6 +158,10 @@ export interface IConfig {
     abuseReporting: {
       enabled: boolean;
     };
+    synapseHTTPAntispam: {
+      enabled: boolean;
+      authorization: string;
+    };
   };
   // Store room state using sqlite to improve startup time when Synapse responds
   // slowly to requests for `/state`.
@@ -242,6 +257,10 @@ const defaultConfig: IConfig = {
     abuseReporting: {
       enabled: false,
     },
+    synapseHTTPAntispam: {
+      enabled: false,
+      authorization: "DEFAULT",
+    },
   },
   roomStateBackingStore: {
     enabled: true,

src/draupnirfactory/DraupnirFactory.ts

@@ -29,6 +29,7 @@ import { SafeModeDraupnir } from "../safemode/DraupnirSafeMode";
 import { SafeModeCause } from "../safemode/SafeModeCause";
 import { SafeModeToggle } from "../safemode/SafeModeToggle";
 import { StandardManagementRoomDetail } from "../managementroom/ManagementRoomDetail";
+import { DraupnirBotModeToggle } from "../DraupnirBotMode";
 
 const log = new Logger("DraupnirFactory");
 
@@ -141,7 +142,11 @@ export class DraupnirFactory {
       roomMembershipManager,
       config,
       configLogTracker,
-      toggle
+      toggle,
+      // synapseHTTPAntispam is only available in bot mode.
+      toggle instanceof DraupnirBotModeToggle
+        ? toggle.synapseHTTPAntispam
+        : undefined
     );
   }
 

src/webapis/SynapseHTTPAntispam/CheckEventForSpamEndpoint.ts

@@ -0,0 +1,86 @@
+// SPDX-FileCopyrightText: 2025 Gnuxie <[email protected]>
+//
+// SPDX-License-Identifier: AFL-3.0
+
+import { Type } from "@sinclair/typebox";
+import {
+  EDStatic,
+  isError,
+  Logger,
+  RoomEvent,
+  Task,
+  Value,
+} from "matrix-protection-suite";
+import { SpamCheckEndpointPluginManager } from "./SpamCheckEndpointPluginManager";
+import { Request, Response } from "express";
+
+const log = new Logger("CheckEventForSpamEndpoint");
+
+export type CheckEventForSpamListenerArguments = Parameters<
+  (details: CheckEventForSpamRequestBody) => void
+>;
+
+type CheckEventForSpamRequestBody = EDStatic<
+  typeof CheckEventForSpamRequestBody
+>;
+const CheckEventForSpamRequestBody = Type.Object({
+  event: RoomEvent(Type.Unknown()),
+});
+
+export class CheckEventForSpamEndpoint {
+  public constructor(
+    private readonly pluginManager: SpamCheckEndpointPluginManager<CheckEventForSpamListenerArguments>
+  ) {
+    // nothing to do.
+  }
+
+  private async handleCheckEventForSpamAsync(
+    request: Request,
+    response: Response,
+    isResponded: boolean
+  ): Promise<void> {
+    const decodedBody = Value.Decode(
+      CheckEventForSpamRequestBody,
+      request.body
+    );
+    if (isError(decodedBody)) {
+      log.error("Error decoding request body:", decodedBody.error);
+      if (!isResponded && this.pluginManager.isBlocking()) {
+        response
+          .status(400)
+          .send({ errcode: "M_INVALID_PARAM", error: "Error handling event" });
+      }
+      return;
+    }
+    if (!isResponded && this.pluginManager.isBlocking()) {
+      const blockingResult = await this.pluginManager.callBlockingHandles(
+        decodedBody.ok
+      );
+      if (blockingResult === "NOT_SPAM") {
+        response.status(200);
+        response.send({});
+      } else {
+        response.status(400);
+        response.send(blockingResult);
+      }
+    } else if (!isResponded) {
+      response.status(200);
+      response.send({});
+    }
+    this.pluginManager.callNonBlockingHandlesInTask(decodedBody.ok);
+  }
+
+  public handleCheckEventForSpam(request: Request, response: Response): void {
+    if (!this.pluginManager.isBlocking()) {
+      response.status(200);
+      response.send({});
+    }
+    void Task(
+      this.handleCheckEventForSpamAsync(
+        request,
+        response,
+        !this.pluginManager.isBlocking()
+      )
+    );
+  }
+}

src/webapis/SynapseHTTPAntispam/SpamCheckEndpointPluginManager.ts

@@ -0,0 +1,93 @@
+// SPDX-FileCopyrightText: 2025 Gnuxie <[email protected]>
+//
+// SPDX-License-Identifier: AFL-3.0
+
+import { Logger, Task } from "matrix-protection-suite";
+
+type BlockingResponse =
+  | "NOT_SPAM"
+  | {
+      errcode: string;
+      error: string;
+    };
+
+const log = new Logger("SpamCheckEndpointPluginManager");
+
+export type BlockingCallback<CBArguments extends unknown[]> = (
+  ...args: CBArguments
+) => Promise<BlockingResponse>;
+export type NonBlockingCallback<CBArguments extends unknown[]> = (
+  ...args: CBArguments
+) => void;
+
+export class SpamCheckEndpointPluginManager<CBArguments extends unknown[]> {
+  private readonly blockingHandles = new Set<BlockingCallback<CBArguments>>();
+  private readonly nonBlockingHandles = new Set<
+    NonBlockingCallback<CBArguments>
+  >();
+
+  public registerBlockingHandle(handle: BlockingCallback<CBArguments>): void {
+    this.blockingHandles.add(handle);
+  }
+
+  public registerNonBlockingHandle(
+    handle: NonBlockingCallback<CBArguments>
+  ): void {
+    this.nonBlockingHandles.add(handle);
+  }
+
+  public unregisterHandle(
+    handle: BlockingCallback<CBArguments> | NonBlockingCallback<CBArguments>
+  ): void {
+    this.blockingHandles.delete(handle as BlockingCallback<CBArguments>);
+    this.nonBlockingHandles.delete(handle as NonBlockingCallback<CBArguments>);
+  }
+
+  public unregisterListeners(): void {
+    this.blockingHandles.clear();
+    this.nonBlockingHandles.clear();
+  }
+
+  public isBlocking(): boolean {
+    return this.blockingHandles.size > 0;
+  }
+
+  public async callBlockingHandles(
+    ...args: CBArguments
+  ): ReturnType<BlockingCallback<CBArguments>> {
+    const results = await Promise.allSettled(
+      [...this.blockingHandles.values()].map((handle) => handle(...args))
+    );
+    for (const result of results) {
+      if (result.status === "rejected") {
+        log.error(
+          "Error processing a blocking spam check callback:",
+          result.reason
+        );
+      } else {
+        if (result.value !== "NOT_SPAM") {
+          return result.value;
+        }
+      }
+    }
+    return "NOT_SPAM";
+  }
+
+  public callNonBlockingHandles(...args: CBArguments): void {
+    for (const handle of this.nonBlockingHandles) {
+      try {
+        handle(...args);
+      } catch (e) {
+        log.error("Error processing a non blocking spam check callback:", e);
+      }
+    }
+  }
+
+  public callNonBlockingHandlesInTask(...args: CBArguments): void {
+    void Task(
+      (async () => {
+        this.callNonBlockingHandles(...args);
+      })()
+    );
+  }
+}