fix(federation): allow to join non-private or encrypted rooms based on settings

[ricardogarim]

Proposed changes (including videos or screenshots)

As per FDR-207, this PR adds a new setting that allows Rocket.Chat to control whether users can join non-private or non-encrypted rooms based on the invite event received from federation.

If an invite request does not meet the configured requirements, Rocket.Chat will respond with a 403 status code and will not store any data related to the rejected invite.

It’s important to note that this is not a formal rejection - the server returns an error response to the invite endpoint instead of sending a m.room.member rejection event, in accordance with the Matrix specification.

Related with RocketChat/homeserver#280 that adds the settings capabilities on homeserver side.

Issue(s)

• FDR-207

Steps to test or reproduce

Scenario 1 – Encrypted rooms (allowed)

• Set the Federation_Service_Join_Encrypted_Rooms setting to true.
• On a remote server, create an encrypted room and invite a Rocket.Chat user.
• The invited user should join the room and remain in it (no immediate leave).

Scenario 2 – Encrypted rooms (not allowed)

• Set the Federation_Service_Join_Encrypted_Rooms setting to false (default).
• On a remote server, create an encrypted room and invite a Rocket.Chat user.
• The invited user should join the room and then leave immediately.

Scenario 3 – Public rooms (allowed)

• Set the Federation_Service_Join_Non_Private_Rooms setting to true.
• On a remote server, create a public room and invite a Rocket.Chat user.
• The invited user should join the room and remain in it (no immediate leave).

Scenario 4 – Public rooms (not allowed)

• Set the Federation_Service_Join_Non_Private_Rooms setting to false (default).
• On a remote server, create a public room and invite a Rocket.Chat user.
• The invited user should join the room and then leave immediately.

Summary by CodeRabbit

• New Features

  • Admin settings to control joining encrypted federated rooms and joining non‑private federated rooms.

• Bug Fixes

  • Invite handling improved: returns forbidden when joining is disallowed and a generic error for other failures.

• Documentation

  • Updated federation alert wording (Alfa → Alpha) and added localization entries for the new settings.

• Chores

  • Updated federation SDK dependency.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 616a918

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

Adds two federation feature toggles (join encrypted / non-private rooms), exposes them in the federation config, enforces invite policy with NotAllowedError -> 403 in the Matrix invite endpoint, adds i18n keys and a wording fix, and bumps the federation-sdk dependency.

Changes

Cohort / File(s)	Summary
Federation settings apps/meteor/server/settings/federation-service.ts	Adds boolean settings Federation_Service_Join_Encrypted_Rooms and Federation_Service_Join_Non_Private_Rooms (non-public, enterprise, default false).
Matrix invite API error handling ee/packages/federation-matrix/src/api/_matrix/invite.ts	Wraps invite processing in try/catch; on NotAllowedError returns 403 M_FORBIDDEN with a specific message; other errors return 500 M_UNKNOWN; preserves success path (process invite, schedule join, return invite event).
Federation setup / config ee/packages/federation-matrix/src/setup.ts	Reads the two new settings and injects them into the federation config under invite: { allowedEncryptedRooms, allowedNonPrivateRooms } passed to the federation container.
i18n updates packages/i18n/src/locales/en.i18n.json	Adds Federation_Service_Join_Encrypted_Rooms and Federation_Service_Join_Non_Private_Rooms translation keys; corrects Federation_Service_Alert text from "alfa" to "Alpha".
Dependency bumps ee/packages/federation-matrix/package.json, packages/core-services/package.json	Bumps @rocket.chat/federation-sdk from 0.1.28 to 0.1.29.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant HS as External Homeserver
  participant API as /_matrix/invite endpoint
  participant Proc as invite.processInvite
  participant Cfg as Federation Config

  Note over Cfg: invite policy: allowedEncryptedRooms<br/>allowedNonPrivateRooms

  HS->>API: POST /_matrix/client/.../invite (event)
  API->>Proc: processInvite(event, Cfg.invite)
  alt Allowed by policy
    Proc-->>API: processed invite event
    API-->>HS: 200 OK + event
    API->>Proc: schedule join (async)
  else NotAllowedError thrown
    Proc--x API: throws NotAllowedError
    API-->>HS: 403 M_FORBIDDEN (policy denial)
  else Other error
    Proc--x API: throws Error
    API-->>HS: 500 M_UNKNOWN (error message)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore: revert dep changed federations #37186 — federation-sdk dependency changes (related package bump).
• fix(federation): add missing federation fields #37015 — modifications to ee/packages/federation-matrix/src/api/_matrix/invite.ts (invite-processing changes).
• refactor(federation): improve runWithBackoff function #37116 — refactors invite/join flow in the same invite endpoint.

Suggested labels

stat: ready to merge, stat: QA assured

Suggested reviewers

• ggazzo
• rodrigok

Poem

I twitch my nose at toggles new,
Two tiny switches, tried and true.
If rooms are locked or plaintext bright,
I follow rules and hop polite.
Invites are sorted — ears upright. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	Title accurately and concisely describes the addition of settings to allow joining non-private or encrypted federated rooms based on configuration and clearly reflects the main change in one sentence.
Linked Issues Check	✅ Passed	The pull request implements the requirements of FDR-207 by introducing configuration toggles for non-private and encrypted room invites, injecting them into the federation setup, and enforcing them in the invite endpoint to reject disallowed invites with a 403, meeting the linked issue’s coding objectives.
Out of Scope Changes Check	✅ Passed	All modifications including the new federation settings, invitation handling logic, translations, and necessary SDK version bumps are directly related to controlling federation invites and do not introduce any unrelated or out-of-scope changes.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/fed-non-private-or-encrypted-rooms-join

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c6b8c6f and 616a918.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• ee/packages/federation-matrix/package.json (1 hunks)
• packages/core-services/package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9ef6efe and 3ba1bb4.

📒 Files selected for processing (4)

• apps/meteor/server/settings/federation-service.ts (1 hunks)
• ee/packages/federation-matrix/src/api/_matrix/invite.ts (2 hunks)
• ee/packages/federation-matrix/src/setup.ts (2 hunks)
• packages/i18n/src/locales/en.i18n.json (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-09-19T15:15:04.642Z

Learnt from: rodrigok
PR: RocketChat/Rocket.Chat#36991
File: apps/meteor/server/services/federation/infrastructure/rocket-chat/adapters/Settings.ts:219-221
Timestamp: 2025-09-19T15:15:04.642Z
Learning: The Federation_Matrix_homeserver_domain setting in apps/meteor/server/services/federation/infrastructure/rocket-chat/adapters/Settings.ts is part of the old federation system and is being deprecated/removed, so configuration issues with this setting should not be flagged for improvement.

Applied to files:

• ee/packages/federation-matrix/src/api/_matrix/invite.ts
• ee/packages/federation-matrix/src/setup.ts
• apps/meteor/server/settings/federation-service.ts

🪛 GitHub Actions: CI

ee/packages/federation-matrix/src/api/_matrix/invite.ts

[error] 11-11: TS2305: Module "@rocket.chat/federation-sdk" has no exported member 'NotAllowedError'.

🔇 Additional comments (4)

apps/meteor/server/settings/federation-service.ts (1)

88-102: LGTM!

The two new federation settings follow the established pattern and are correctly configured as enterprise-enabled, non-public booleans scoped to the federation module.

ee/packages/federation-matrix/src/setup.ts (2)

48-49: LGTM!

The settings are correctly fetched following the same pattern as other federation settings in this file.

---

88-91: LGTM!

The invite configuration is properly structured and injected into the ConfigService options, consistent with how other configuration sections (like media) are handled.

ee/packages/federation-matrix/src/api/_matrix/invite.ts (1)

11-11: Verify that NotAllowedError is exported by @rocket.chat/federation-sdk
We couldn’t locate this export in the SDK’s source or type definitions—confirm it’s defined and exported (or adjust the import/define the error locally).

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

packages/i18n/src/locales/en.i18n.json (1)

2176-2176: Fix label to match federated setting name.

String should say “Allow joining non-private federated rooms.” (with trailing period) to mirror the feature scope.

-  "Federation_Service_Join_Non_Private_Rooms": "Allow joining non-private rooms",
+  "Federation_Service_Join_Non_Private_Rooms": "Allow joining non-private federated rooms.",

🧹 Nitpick comments (2)

apps/meteor/server/settings/federation-service.ts (1)

88-102: Verify if i18n labels and alert properties should be added for UI consistency.

The new settings lack i18nLabel, i18nDescription, and alert properties that similar federation settings possess (e.g., Federation_Service_EDU_Process_Typing on lines 70-77). If these settings will be exposed in the admin UI, consider adding these properties for consistency and better user experience.

If these properties should be added, apply a diff similar to this:

 		await this.add('Federation_Service_Join_Encrypted_Rooms', false, {
 			type: 'boolean',
 			public: false,
 			enterprise: true,
 			modules: ['federation'],
 			invalidValue: false,
+			i18nLabel: 'Federation_Service_Join_Encrypted_Rooms',
+			i18nDescription: 'Federation_Service_Join_Encrypted_Rooms_Description',
+			alert: 'Federation_Service_Join_Encrypted_Rooms_Alert',
 		});

 		await this.add('Federation_Service_Join_Non_Private_Rooms', false, {
 			type: 'boolean',
 			public: false,
 			enterprise: true,
 			modules: ['federation'],
 			invalidValue: false,
+			i18nLabel: 'Federation_Service_Join_Non_Private_Rooms',
+			i18nDescription: 'Federation_Service_Join_Non_Private_Rooms_Description',
+			alert: 'Federation_Service_Join_Non_Private_Rooms_Alert',
 		});

ee/packages/federation-matrix/src/api/_matrix/invite.ts (1)

358-403: Consider adding logging for error cases to aid debugging.

The error handling correctly returns appropriate HTTP responses, but lacks logging for error scenarios. This can make troubleshooting production issues difficult, especially for the catch-all error case on lines 396-402.

Apply this diff to add error logging:

 		} catch (error) {
 			if (error instanceof NotAllowedError) {
+				console.warn('Invite rejected due to federation settings', { roomId, eventId, error: error.message });
 				return {
 					body: {
 						errcode: 'M_FORBIDDEN',
 						error: 'This server does not allow joining this type of room based on federation settings.',
 					},
 					statusCode: 403,
 				};
 			}

+			console.error('Error processing invite', { roomId, eventId, error });
 			return {
 				body: {
 					errcode: 'M_UNKNOWN',
 					error: error instanceof Error ? error.message : 'Internal server error while processing request',
 				},
 				statusCode: 500,
 			};
 		}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3ba1bb4 and c6b8c6f.

📒 Files selected for processing (4)

• apps/meteor/server/settings/federation-service.ts (1 hunks)
• ee/packages/federation-matrix/src/api/_matrix/invite.ts (2 hunks)
• ee/packages/federation-matrix/src/setup.ts (2 hunks)
• packages/i18n/src/locales/en.i18n.json (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• ee/packages/federation-matrix/src/setup.ts

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-09-19T15:15:04.642Z

Learnt from: rodrigok
PR: RocketChat/Rocket.Chat#36991
File: apps/meteor/server/services/federation/infrastructure/rocket-chat/adapters/Settings.ts:219-221
Timestamp: 2025-09-19T15:15:04.642Z
Learning: The Federation_Matrix_homeserver_domain setting in apps/meteor/server/services/federation/infrastructure/rocket-chat/adapters/Settings.ts is part of the old federation system and is being deprecated/removed, so configuration issues with this setting should not be flagged for improvement.

Applied to files:

• apps/meteor/server/settings/federation-service.ts
• ee/packages/federation-matrix/src/api/_matrix/invite.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: CodeQL-Build

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.34%. Comparing base (4711b48) to head (616a918).
⚠️ Report is 3 commits behind head on release-7.11.0.

Additional details and impacted files

@@                Coverage Diff                 @@
##           release-7.11.0   #37227      +/-   ##
==================================================
- Coverage           66.39%   66.34%   -0.05%     
==================================================
  Files                3386     3386              
  Lines              115618   115628      +10     
  Branches            21352    21353       +1     
==================================================
- Hits                76765    76716      -49     
- Misses              36251    36304      +53     
- Partials             2602     2608       +6     

Flag	Coverage Δ
e2e	57.28% <ø> (-0.06%)	⬇️
unit	71.19% <ø> (-0.06%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.