feat: add authentication validation for federation endpoints

packages/homeserver/src/index.ts

@@ -11,7 +11,19 @@ const app = new Elysia({
 		standardHostname: false,
 	},
 })
-	.use(swagger())
+	.use(swagger({
+		documentation: {
+			components: {
+				securitySchemes: {
+					matrixAuth: {
+						type: 'apiKey',
+						name: 'Authorization',
+						in: 'header'
+					}
+				}
+			}
+		}
+	}))
 	.get("/", () => "")
 	.onError(async ({ error, request }) => {
 		if (!request.body) {

packages/homeserver/src/routes/federation/getMissingEvents.ts

@@ -68,5 +68,10 @@ export const getMissingEventsRoute = new Elysia().post(
 				],
 			},
 		),
+		detail: {
+			security: [{
+				'matrixAuth': []
+			}],
+		}
 	},
 );

packages/homeserver/src/routes/federation/index.ts

@@ -7,11 +7,13 @@ import { versionEndpoints } from "./version";
 import { makeJoinEndpoint } from "./makeJoin";
 import { sendJoinEndpoint } from "./sendJoin";
 import { getMissingEventsRoute } from "./getMissingEvents";
+import validateHeaderSignature from "../../plugins/validateHeaderSignature";
 
 const federationV1Endpoints = new Elysia({
 	prefix: "/_matrix/federation/v1",
 })
 	.use(versionEndpoints)
+	.onBeforeHandle(validateHeaderSignature)
 	.use(usersEndpoints)
 	.use(queryEndpoints)
 	.use(makeJoinEndpoint)

packages/homeserver/src/routes/federation/invite.ts

@@ -244,6 +244,9 @@ export const inviteEndpoint = new Elysia().put(
 			description:
 				'**Note:**\nThis API is nearly identical to the v1 API with the exception of the request\nbody being different, and the response format fixed.\n\nInvites a remote user to a room. Once the event has been  signed by both the inviting\nhomeserver and the invited homeserver, it can be sent to all of the servers in the\nroom by the inviting homeserver.\n\nThis endpoint is preferred over the v1 API as it is more useful for servers. Senders\nwhich receive a 400 or 404 response to this endpoint should retry using the v1\nAPI as the server may be older, if the room version is "1" or "2".\n\nNote that events have a different format depending on the room version - check the\nroom version specification for precise event formats. **The request and response\nbodies here describe the common event fields in more detail and may be missing other\nrequired fields for a PDU.**',
 			operationId: "sendInviteV2",
+			security: [{
+				'matrixAuth': []
+			}],
 		},
 	},
 );

packages/homeserver/src/routes/federation/makeJoin.ts

@@ -73,5 +73,10 @@ export const makeJoinEndpoint = new Elysia().get(
 				],
 			},
 		),
+		detail: {
+			security: [{
+				'matrixAuth': []
+			}],
+		}
 	},
 );

packages/homeserver/src/routes/federation/query.ts

@@ -53,6 +53,9 @@ export const queryEndpoints = new Elysia().get(
 			description:
 				"Performs a query to get profile information, such as a display name or avatar,\nfor a given user. Homeservers should only query profiles for users that belong\nto the target server (identified by the server name\nin the user ID).\n\nServers may wish to cache the response to this query to avoid requesting the\ninformation too often.\n\nServers MAY deny profile look-up over federation by responding with 403 and an\nerror code of `M_FORBIDDEN`.",
 			operationId: "queryProfile",
+			security: [{
+				'matrixAuth': []
+			}],
 		},
 	},
 );

packages/homeserver/src/routes/federation/sendJoin.ts

@@ -121,5 +121,10 @@ export const sendJoinEndpoint = new Elysia().put(
 				],
 			},
 		),
+		detail: {
+			security: [{
+				'matrixAuth': []
+			}],
+		}
 	},
 );

packages/homeserver/src/routes/federation/users.ts

@@ -21,6 +21,11 @@ export const usersEndpoints = new Elysia()
 			response: t.Object({
 				device_keys: t.Any(),
 			}),
+			detail: {
+				security: [{
+					'matrixAuth': []
+				}],
+			}
 		},
 	)
 	// not tested
@@ -30,4 +35,12 @@ export const usersEndpoints = new Elysia()
 			stream_id: 1,
 			devices: [],
 		};
-	});
+	},
+		{
+			detail: {
+				security: [{
+					'matrixAuth': []
+				}],
+			}
+		}
+	);