feat: adds federation event ACL

[ricardogarim]

Works along with RocketChat/homeserver#161.

Summary by CodeRabbit

• New Features

  • Added an endpoint to retrieve a specific event by ID, returning event metadata (timestamp, origin) and the event payload.
  • Enforced request-level access control for event retrieval so only authorized callers can fetch events.
  • GET now returns 404 with the appropriate error code when an event is not found.

• Bug Fixes

  • Response origin now reflects the stored event’s origin rather than the configured server name.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6136873

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

Adds a middleware to authorize event access and updates the transactions router to use federationAuth and a guarded GET /v1/event/:eventId that fetches the event and returns origin, origin_server_ts, and pdus (PUT /v1/send/:txnId unchanged).

Changes

Cohort / File(s)	Summary of changes
Transactions router update ee/packages/federation-matrix/src/api/_matrix/transactions.ts	Switched to federationAuth for authorization; added guarded GET /v1/event/:eventId that invokes event.getEventById(...), returns 404 with M_NOT_FOUND when missing, and responds with origin_server_ts, origin (from eventData.origin), and pdus as [eventData.event]. PUT /v1/send/:txnId unchanged.
Event access middleware ee/packages/federation-matrix/src/api/middlewares.ts	Added export const canAccessEvent = (federationAuth: EventAuthorizationService) => async (c: Context, next: Next) => { ... } which extracts eventId, builds request path, reads Authorization header, calls federationAuth.canAccessEventFromAuthorizationHeader(...), maps failures to errCodes with appropriate HTTP status, returns 500 M_UNKNOWN on runtime errors, and calls next() when authorized.
Type import reorder ee/packages/federation-matrix/src/FederationMatrix.ts	Deduplicated/reordered type-only imports: added/relocated HomeserverEventSignatures, HomeserverServices, FederationContainerOptions type import from @hs/federation-sdk. No runtime logic changes.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant R as Router
  participant M as canAccessEvent Middleware
  participant A as EventAuthorizationService
  participant S as Event Service

  C->>R: GET /v1/event/:eventId (Authorization)
  R->>M: invoke middleware
  M->>A: canAccessEventFromAuthorizationHeader(eventId, header, method, path, undefined)
  alt Authorized
    M-->>R: next()
    R->>S: event.getEventById(eventId)
    alt Found
      S-->>R: { event, origin_server_ts, origin }
      R-->>C: 200 { origin: origin, origin_server_ts, pdus: [event] }
    else Not found
      R-->>C: 404 { errcode: M_NOT_FOUND, error: ... }
    end
  else Not authorized
    M-->>C: <status> { errcode, error }
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• sampaiodiego

Poem

I twitch my whiskers, guard the gate,
A tiny middleware checks each fate.
Fetch the event, return its song,
Origin whispers where it belongs.
— 🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "feat: adds federation event ACL" is concise and accurately reflects the primary change in the diff—introducing an event access-control (ACL) middleware and applying it to federation event routes; it uses the conventional "feat:" prefix and is clear enough for a reviewer scanning history to understand the main intent.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/federation-acl-middleware

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between aa5a4b4 and 5c8f75a.

📒 Files selected for processing (3)

• ee/packages/federation-matrix/src/FederationMatrix.ts (1 hunks)
• ee/packages/federation-matrix/src/api/_matrix/transactions.ts (4 hunks)
• ee/packages/federation-matrix/src/api/middlewares.ts (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• ee/packages/federation-matrix/src/FederationMatrix.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• ee/packages/federation-matrix/src/api/middlewares.ts
• ee/packages/federation-matrix/src/api/_matrix/transactions.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ricardogarim]

build will fail until we merge homeserver side things

[codecov]

Codecov Report

❌ Patch coverage is 63.20755% with 39 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.18%. Comparing base (490d4bc) to head (71d5871).
⚠️ Report is 65 commits behind head on chore/federation-backup.

Additional details and impacted files

@@                     Coverage Diff                     @@
##           chore/federation-backup   #36913      +/-   ##
===========================================================
+ Coverage                    66.21%   68.18%   +1.96%     
===========================================================
  Files                         3384     2750     -634     
  Lines                       115025    98829   -16196     
  Branches                     21066    17345    -3721     
===========================================================
- Hits                         76165    67384    -8781     
+ Misses                       36255    29876    -6379     
+ Partials                      2605     1569    -1036     

Flag	Coverage Δ
e2e	50.42% <33.92%> (-6.55%)	⬇️
e2e-api	?
unit	71.21% <88.33%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.