feat(federation): validate user email domain

[sampaiodiego]

Proposed changes (including videos or screenshots)

Create a new setting with an extra layer of validation to restrict the usage of federation to only users with a validated email address that matches the configured federation domain.

Issue(s)

FEDCORE-42

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• New Features

  • New admin setting to optionally validate users' email domains for federation access.

• Refactor

  • Federation access checks now route through a centralized federation matrix, combining permission checks with optional domain validation.

• Tests

  • Added comprehensive end-to-end tests covering federation access for verified/unverified/mismatched/missing emails and remote invitation scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is targeting the wrong base branch. It should target 8.2.0, but it targets 8.1.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 121765e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

Replaces direct access-federation permission checks with FederationMatrix.canUserAccessFederation(user); adds Federation_Service_Validate_User_Domain setting and implements optional email-domain + verification gating in FederationMatrix; updates callers and tests to use the new check.

Changes

Cohort / File(s)	Summary
Federation authorization callsites apps/meteor/app/lib/server/functions/createRoom.ts, apps/meteor/ee/server/hooks/federation/index.ts, ee/packages/federation-matrix/src/api/_matrix/invite.ts, apps/meteor/server/services/room/service.ts	Replaced direct Authorization.hasPermission / hasPermissionAsync checks for access-federation with FederationMatrix.canUserAccessFederation(user). Adjusted imports and RoomService.join user typing to IUser.
Federation matrix core ee/packages/federation-matrix/src/FederationMatrix.ts	Added private validateUserDomain: boolean field, wiring to Federation_Service_Validate_User_Domain setting, and new method canUserAccessFederation(user: IUser): Promise<boolean> implementing layered checks: permission → optional verified-email + domain match.
Settings & types apps/meteor/server/settings/federation-service.ts, packages/core-services/src/types/IFederationMatrixService.ts	New boolean setting Federation_Service_Validate_User_Domain (enterprise, default false). Added canUserAccessFederation(user): Promise<boolean> to IFederationMatrixService.
Tests ee/packages/federation-matrix/tests/end-to-end/permissions.spec.ts	Large E2E suite validating the new setting across verified/unverified/matching/non-matching emails for federated room creation, user additions, and remote invites; added helper imports (e.g., getSubscriptionByRoomId).

Sequence Diagram(s)

sequenceDiagram
    participant Caller as Caller (Room/Invite/Hook)
    participant FederationMatrix as FederationMatrix
    participant Authorization as Authorization Service
    participant Settings as Settings Store

    Caller->>FederationMatrix: canUserAccessFederation(user)
    FederationMatrix->>Authorization: hasPermission(user._id, 'access-federation')
    Authorization-->>FederationMatrix: permissionResult

    alt permissionResult = false
        FederationMatrix-->>Caller: false
    else permissionResult = true
        FederationMatrix->>Settings: read Federation_Service_Validate_User_Domain
        Settings-->>FederationMatrix: flagValue

        alt flagValue = true
            FederationMatrix->>FederationMatrix: check user's verified email & domain == serverName
            alt email verified && domain matches
                FederationMatrix-->>Caller: true
            else
                FederationMatrix-->>Caller: false
            end
        else flagValue = false
            FederationMatrix-->>Caller: true
        end
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• regression(federation): enhance user authorization checks for federation access #37965 — Modifies federation authorization checks at the same callsites (createRoom, hooks, RoomService.join); high overlap.
• regression(federation): Old federation users #37102 — Alters FederationMatrix internals and related APIs; likely touches the same code paths.
• feat(federation): add access-federation permission #37377 — Related changes to access-federation permission checks that this PR centralizes into FederationMatrix.

Suggested reviewers

• ggazzo
• rodrigok
• ricardogarim

Poem

🐇 I hopped through code to guard the gate,
Checking domains and if emails validate,
Matrix hums a careful tune,
Letting in the dawn or closing soon,
🥕 A tiny rabbit keeps federation straight.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main feature: adding email domain validation for federation access, which is the core objective across all modified files.
Linked Issues check	✅ Passed	The PR fully implements the layered authorization gate from FEDCORE-42: validates email domain and verification status with tiered controls, adds the Federation_Service_Validate_User_Domain setting, and integrates these checks throughout the federation service.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing the email domain validation feature: centralizing federation permission checks in FederationMatrix, adding the new setting, and replacing outdated permission calls throughout the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch federation-validate-user-domain

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.87%. Comparing base (3a8520f) to head (121765e).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #38356      +/-   ##
===========================================
+ Coverage    70.84%   70.87%   +0.02%     
===========================================
  Files         3160     3160              
  Lines       109768   109769       +1     
  Branches     19702    19685      -17     
===========================================
+ Hits         77770    77794      +24     
+ Misses       29968    29953      -15     
+ Partials      2030     2022       -8     

Flag	Coverage Δ
e2e	60.40% <ø> (+0.11%)	⬆️
e2e-api	47.80% <100.00%> (-0.06%)	⬇️
unit	72.06% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

📦 Docker Image Size Report

➡️ Changes

Service	Current	Baseline	Change	Percent
sum of all images	0B	0B	0B
account-service	0B	0B	0B
authorization-service	0B	0B	0B
ddp-streamer-service	0B	0B	0B
omnichannel-transcript-service	0B	0B	0B
presence-service	0B	0B	0B
queue-worker-service	0B	0B	0B
rocketchat	0B	0B	0B

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 22:17", "12/10 23:26", "12/11 21:56", "12/12 22:45", "12/13 01:34", "12/15 22:31", "12/16 22:18", "12/17 21:04", "12/18 23:12", "12/19 23:27", "12/20 21:03", "12/22 18:54", "12/23 16:16", "12/24 19:38", "12/25 17:51", "12/26 13:18", "12/29 19:01", "12/30 20:52", "01/28 18:16 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.00]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.00]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "queue-worker-service" [0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.00]
  line "rocketchat" [0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.00]

Loading

Statistics (last 30 days):

• 📊 Average: 1.5GiB
• ⬇️ Minimum: 1.4GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 0B

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-38356
• Baseline: develop
• Timestamp: 2026-01-28 18:16:13 UTC
• Historical data points: 30

---

Updated: Wed, 28 Jan 2026 18:16:13 GMT

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@apps/meteor/server/services/room/service.ts`:
- Line 152: RoomService.join expects a full IUser because
canUserAccessFederation reads user.emails; fix the two call sites so they pass a
complete user object: in the slashcommands-join caller (server.ts) include
emails in the Mongo projection when fetching the user (add "emails" to the
projection before calling RoomService.join), and in
getRoomByNameOrIdWithOptionToJoin adjust the parameter type (or the caller) so
it returns/passes a full IUser rather than Pick<IUser, '_id' | 'username' |
'federated' | 'federation'>; reference RoomService.join and
canUserAccessFederation when updating types/fetch logic to ensure user.emails is
present.

In `@ee/packages/federation-matrix/src/FederationMatrix.ts`:
- Around line 820-824: The domain comparison in the user email check is
case-sensitive; update the logic in the block using user.emails (the anonymous
callback that does email.address.split('@')[1]) to normalize both sides to the
same case before comparing: extract the domain safely from email.address, call
.toLowerCase() (or .toLocaleLowerCase()) on the extracted domain and on
this.serverName, then compare those lowercased values and keep the existing
email.verified requirement; ensure the code handles malformed addresses (no '@')
gracefully when extracting the domain.

In `@ee/packages/federation-matrix/tests/end-to-end/permissions.spec.ts`:
- Around line 711-713: The test is incorrectly checking subscription.name
against the invited user's username; change the lookup to match the room name
instead. In the getSubscriptions result (subscriptions.update) replace the
predicate used to find invitedSub (currently (sub) => sub.name ===
userWithNonMatchingEmail.username) with a check against the channel name, e.g.
(sub) => sub.fname?.includes(channelName) or (sub) => sub.name === channelName
so the test verifies the room subscription was rejected rather than relying on
username mismatch.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the RoomService.join method to verify the current signature
find apps/meteor -name "*.ts" -type f | grep -i room | grep -i service

Repository: RocketChat/Rocket.Chat

Length of output: 622

---

🏁 Script executed:

# Let's check the exact file and method signature
cat -n apps/meteor/server/services/room/service.ts | head -200 | tail -100

Repository: RocketChat/Rocket.Chat

Length of output: 4100

---

🏁 Script executed:

# Search for the join method definition and surrounding code
rg -nP --type=ts "async join\s*\(" apps/meteor/server/services/room/service.ts -A 10 -B 2

Repository: RocketChat/Rocket.Chat

Length of output: 743

---

🏁 Script executed:

# Find all calls to .join( method in the codebase
rg -nP --type=ts "\.join\s*\(\s*\{" apps/meteor ee/packages | grep -v "node_modules" | head -50

Repository: RocketChat/Rocket.Chat

Length of output: 595

---

🏁 Script executed:

# Find canUserAccessFederation method definition
rg -nP --type=ts "canUserAccessFederation" apps/meteor ee/packages -B 2 -A 10 | head -100

Repository: RocketChat/Rocket.Chat

Length of output: 5921

---

🏁 Script executed:

# Check all the call sites in detail - start with joinRoom.ts
cat -n apps/meteor/app/lib/server/methods/joinRoom.ts | head -50

Repository: RocketChat/Rocket.Chat

Length of output: 1253

---

🏁 Script executed:

# Check the channels.ts call site
cat -n apps/meteor/app/api/server/v1/channels.ts | sed -n '220,240p'

Repository: RocketChat/Rocket.Chat

Length of output: 646

---

🏁 Script executed:

# Check the slashcommands-join call site
cat -n apps/meteor/app/slashcommands-join/server/server.ts | sed -n '40,60p'

Repository: RocketChat/Rocket.Chat

Length of output: 729

---

🏁 Script executed:

# Check getRoomByNameOrIdWithOptionToJoin.ts
cat -n apps/meteor/app/lib/server/functions/getRoomByNameOrIdWithOptionToJoin.ts | sed -n '80,95p'

Repository: RocketChat/Rocket.Chat

Length of output: 542

---

🏁 Script executed:

# Check the function signature
rg -nP --type=ts "export.*getRoomByNameOrIdWithOptionToJoin" apps/meteor -B 5 -A 15 | head -40

Repository: RocketChat/Rocket.Chat

Length of output: 2276

---

🏁 Script executed:

# Get more context on where canUserAccessFederation accesses emails
cat -n ee/packages/federation-matrix/src/FederationMatrix.ts | sed -n '811,830p'

Repository: RocketChat/Rocket.Chat

Length of output: 577

---

🏁 Script executed:

# Verify what properties the slashcommands-join actually fetches for user
cat -n apps/meteor/app/slashcommands-join/server/server.ts | sed -n '40,55p'

Repository: RocketChat/Rocket.Chat

Length of output: 642

---

🏁 Script executed:

# Check if there are any other calls to canUserAccessFederation and what user objects they pass
rg -nP --type=ts "canUserAccessFederation" apps/meteor ee/packages -B 5 | grep -E "(const user|user:)" | head -20

Repository: RocketChat/Rocket.Chat

Length of output: 187

---

🏁 Script executed:

# Let's look for git history or type definition changes - check current IUser type
rg -nP --type=ts "interface IUser" apps/meteor ee/packages | head -5

Repository: RocketChat/Rocket.Chat

Length of output: 311

---

Fix caller types to pass complete user objects to RoomService.join.

The user parameter expects full IUser type for canUserAccessFederation to access user.emails for domain validation. Two call sites have issues:

1. apps/meteor/app/slashcommands-join/server/server.ts:46 — fetches user with only { federated: 1, federation: 1 } projection, excluding emails. Include emails in the projection before passing to Room.join.

2. apps/meteor/app/lib/server/functions/getRoomByNameOrIdWithOptionToJoin.ts:17 — function signature accepts Pick<IUser, '_id' | 'username' | 'federated' | 'federation'> but passes to Room.join expecting full IUser. Update the parameter type or ensure callers pass complete user objects.

🤖 Prompt for AI Agents

In `@apps/meteor/server/services/room/service.ts` at line 152, RoomService.join
expects a full IUser because canUserAccessFederation reads user.emails; fix the
two call sites so they pass a complete user object: in the slashcommands-join
caller (server.ts) include emails in the Mongo projection when fetching the user
(add "emails" to the projection before calling RoomService.join), and in
getRoomByNameOrIdWithOptionToJoin adjust the parameter type (or the caller) so
it returns/passes a full IUser rather than Pick<IUser, '_id' | 'username' |
'federated' | 'federation'>; reference RoomService.join and
canUserAccessFederation when updating types/fetch logic to ensure user.emails is
present.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Email domain comparison should be case-insensitive.

Per RFC 5321, domain names in email addresses are case-insensitive. If a user's email was stored as [email protected] but serverName is example.com, they would incorrectly fail validation.

🔧 Suggested fix

 return (
     user.emails?.some((email) => {
-        const domain = email.address.split('@')[1];
-        return domain === this.serverName && email.verified;
+        const domain = email.address.split('@')[1]?.toLowerCase();
+        return domain === this.serverName.toLowerCase() && email.verified;
     }) ?? false
 );

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	return (
	user.emails?.some((email) => {
	const domain = email.address.split('@')[1];
	return domain === this.serverName && email.verified;
	}) ?? false
	return (
	user.emails?.some((email) => {
	const domain = email.address.split('@')[1]?.toLowerCase();
	return domain === this.serverName.toLowerCase() && email.verified;
	}) ?? false

🤖 Prompt for AI Agents

In `@ee/packages/federation-matrix/src/FederationMatrix.ts` around lines 820 -
824, The domain comparison in the user email check is case-sensitive; update the
logic in the block using user.emails (the anonymous callback that does
email.address.split('@')[1]) to normalize both sides to the same case before
comparing: extract the domain safely from email.address, call .toLowerCase() (or
.toLocaleLowerCase()) on the extracted domain and on this.serverName, then
compare those lowercased values and keep the existing email.verified
requirement; ensure the code handles malformed addresses (no '@') gracefully
when extracting the domain.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Incorrect subscription lookup - should check by room name, not username.

The subscription's name property contains the room name, not the user's username. This assertion passes only because no subscription has name === username, not because the room subscription was properly rejected. Compare with line 107 which correctly uses sub.fname?.includes(channelName).

🔧 Suggested fix

 const subscriptions = await getSubscriptions(userWithNonMatchingEmailRequestConfig);
-const invitedSub = subscriptions.update.find((sub) => sub.name === userWithNonMatchingEmail.username);
+const invitedSub = subscriptions.update.find((sub) => sub.fname?.includes(channelName));
 expect(invitedSub).toBeUndefined();

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const subscriptions = await getSubscriptions(userWithNonMatchingEmailRequestConfig);
	const invitedSub = subscriptions.update.find((sub) => sub.name === userWithNonMatchingEmail.username);
	expect(invitedSub).toBeUndefined();
	const subscriptions = await getSubscriptions(userWithNonMatchingEmailRequestConfig);
	const invitedSub = subscriptions.update.find((sub) => sub.fname?.includes(channelName));
	expect(invitedSub).toBeUndefined();

🤖 Prompt for AI Agents

In `@ee/packages/federation-matrix/tests/end-to-end/permissions.spec.ts` around
lines 711 - 713, The test is incorrectly checking subscription.name against the
invited user's username; change the lookup to match the room name instead. In
the getSubscriptions result (subscriptions.update) replace the predicate used to
find invitedSub (currently (sub) => sub.name ===
userWithNonMatchingEmail.username) with a check against the channel name, e.g.
(sub) => sub.fname?.includes(channelName) or (sub) => sub.name === channelName
so the test verifies the room subscription was rejected rather than relying on
username mismatch.

[cubic-dev-ai]

No issues found across 8 files

[cubic-dev-ai]

No issues found across 8 files

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@ee/packages/federation-matrix/tests/end-to-end/permissions.spec.ts`:
- Around line 283-362: Combine the two beforeAll hooks into a single beforeAll
inside the "Federation_Service_Validate_User_Domain Setting" describe block:
move the permissions.grant POST (the
rc1AdminRequestConfig.request.post(api('permissions.update')) call) and the RC
user creation steps (creating rcValidUser1 and rcValidUser2 via createUser,
marking them verified with users.update, and obtaining their configs via
getRequestConfig) into one sequential beforeAll so all setup runs in one place;
ensure you preserve the existing order (grant permission first, then
create/verify users and call getRequestConfig) and keep references to
rcValidUser1, rcValidUser2, rc1AdminRequestConfig, createUser, and
getRequestConfig intact.