options to control public room directory visibility

Signed-off-by: girlbossceo <june@girlboss.ceo>
2023-09-10 02:32:37 -04:00 · 2023-09-10 02:32:37 -04:00 · 81e8df3102
parent 76c00283de
commit 81e8df3102
5 changed files with 65 additions and 0 deletions
--- a/conduit-example.toml
+++ b/conduit-example.toml
@ -55,3 +55,12 @@ trusted_servers = ["matrix.org"]

 address = "127.0.0.1" # This makes sure Conduit can only be reached using the reverse proxy
 #address = "0.0.0.0" # If Conduit is running in a container, make sure the reverse proxy (ie. Traefik) can reach it.
+
+# Set this to true to allow your server's public room directory to be federated.
+# Set this to false to protect against /publicRooms spiders, but will forbid external users from viewing your server's public room directory.
+# If federation is disabled entirely (`allow_federation`), this is inherently false.
+allow_public_room_directory_over_federation = false
+
+# Set this to true to allow your server's public room directory to be queried without client authentication (access token) through the Client APIs.
+# Set this to false to protect against /publicRooms spiders.
+allow_public_room_directory_without_auth = false
--- a/src/api/client_server/directory.rs
+++ b/src/api/client_server/directory.rs
@ -36,6 +36,17 @@ use tracing::{error, info, warn};
 pub async fn get_public_rooms_filtered_route(
    body: Ruma<get_public_rooms_filtered::v3::Request>,
 ) -> Result<get_public_rooms_filtered::v3::Response> {
+    if !services()
+        .globals
+        .config
+        .allow_public_room_directory_without_auth
+    {
+        let _sender_user = body
+            .sender_user
+            .as_ref()
+            .ok_or_else(|| Error::BadRequest(ErrorKind::MissingToken, "Missing access token."))?;
+    }
+
    get_public_rooms_filtered_helper(
        body.server.as_deref(),
        body.limit,
@ -54,6 +65,17 @@ pub async fn get_public_rooms_filtered_route(
 pub async fn get_public_rooms_route(
    body: Ruma<get_public_rooms::v3::Request>,
 ) -> Result<get_public_rooms::v3::Response> {
+    if !services()
+        .globals
+        .config
+        .allow_public_room_directory_without_auth
+    {
+        let _sender_user = body
+            .sender_user
+            .as_ref()
+            .ok_or_else(|| Error::BadRequest(ErrorKind::MissingToken, "Missing access token."))?;
+    }
+
    let response = get_public_rooms_filtered_helper(
        body.server.as_deref(),
        body.limit,
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@ -621,6 +621,13 @@ pub async fn get_public_rooms_filtered_route(
        return Err(Error::bad_config("Federation is disabled."));
    }

+    if !services()
+        .globals
+        .allow_public_room_directory_over_federation()
+    {
+        return Err(Error::bad_config("Room directory is not public."));
+    }
+
    let response = client_server::get_public_rooms_filtered_helper(
        None,
        body.limit,
@ -648,6 +655,13 @@ pub async fn get_public_rooms_route(
        return Err(Error::bad_config("Federation is disabled."));
    }

+    if !services()
+        .globals
+        .allow_public_room_directory_over_federation()
+    {
+        return Err(Error::bad_config("Room directory is not public."));
+    }
+
    let response = client_server::get_public_rooms_filtered_helper(
        None,
        body.limit,
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@ -51,6 +51,10 @@ pub struct Config {
    pub allow_encryption: bool,
    #[serde(default = "false_fn")]
    pub allow_federation: bool,
+    #[serde(default = "false_fn")]
+    pub allow_public_room_directory_over_federation: bool,
+    #[serde(default = "false_fn")]
+    pub allow_public_room_directory_without_auth: bool,
    #[serde(default = "true_fn")]
    pub allow_room_creation: bool,
    #[serde(default = "true_fn")]
@ -150,6 +154,14 @@ impl fmt::Display for Config {
            ("Allow encryption", &self.allow_encryption.to_string()),
            ("Allow federation", &self.allow_federation.to_string()),
            ("Allow room creation", &self.allow_room_creation.to_string()),
+            (
+                "Allow public room directory over federation",
+                &self.allow_public_room_directory_over_federation.to_string(),
+            ),
+            (
+                "Allow public room directory without authentication",
+                &self.allow_public_room_directory_without_auth.to_string(),
+            ),
            (
                "JWT secret",
                match self.jwt_secret {
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@ -299,6 +299,14 @@ impl Service {
        self.config.allow_federation
    }

+    pub fn allow_public_room_directory_over_federation(&self) -> bool {
+        self.config.allow_public_room_directory_over_federation
+    }
+
+    pub fn allow_public_room_directory_without_auth(&self) -> bool {
+        self.config.allow_public_room_directory_without_auth
+    }
+
    pub fn allow_room_creation(&self) -> bool {
        self.config.allow_room_creation
    }