RocketChat · sampaiodiego · Jan 26, 2026 · Jan 27, 2026 · Jan 27, 2026 · coderabbitai
diff --git a/apps/meteor/app/lib/server/functions/createRoom.ts b/apps/meteor/app/lib/server/functions/createRoom.ts
@@ -13,7 +13,6 @@ import { beforeAddUserToRoom } from '../../../../server/lib/callbacks/beforeAddU
 import { beforeCreateRoomCallback, prepareCreateRoomCallback } from '../../../../server/lib/callbacks/beforeCreateRoomCallback';
 import { getSubscriptionAutotranslateDefaultConfig } from '../../../../server/lib/getSubscriptionAutotranslateDefaultConfig';
 import { syncRoomRolePriorityForUserAndRoom } from '../../../../server/lib/roles/syncRoomRolePriority';
-import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { getDefaultSubscriptionPref } from '../../../utils/lib/getDefaultSubscriptionPref';
 import { getValidRoomName } from '../../../utils/server/lib/getValidRoomName';
 import { notifyOnRoomChanged, notifyOnSubscriptionChangedById } from '../lib/notifyListener';
@@ -184,12 +183,7 @@ export const createRoom = async <T extends RoomType>(
 
 	const shouldBeHandledByFederation = extraData.federated === true;
 
-	if (
-		shouldBeHandledByFederation &&
-		owner &&
-		!isUserNativeFederated(owner) &&
-		!(await hasPermissionAsync(owner._id, 'access-federation'))
-	) {
+	if (shouldBeHandledByFederation && owner && !isUserNativeFederated(owner) && !(await FederationMatrix.canUserAccessFederation(owner))) {
 		throw new Meteor.Error('error-not-authorized-federation', 'Not authorized to access federation', {
 			method: 'createRoom',
 		});

diff --git a/apps/meteor/ee/server/hooks/federation/index.ts b/apps/meteor/ee/server/hooks/federation/index.ts
@@ -1,4 +1,4 @@
-import { FederationMatrix, Authorization, MeteorError, Room } from '@rocket.chat/core-services';
+import { FederationMatrix, MeteorError, Room } from '@rocket.chat/core-services';
 import { isEditedMessage, isRoomNativeFederated, isUserNativeFederated } from '@rocket.chat/core-typings';
 import type { IRoomNativeFederated, IMessage, IRoom, IUser } from '@rocket.chat/core-typings';
 import { validateFederatedUsername } from '@rocket.chat/federation-matrix';
@@ -112,7 +112,7 @@ beforeAddUserToRoom.add(
 			return;
 		}
 
-		if (!isUserNativeFederated(user) && !(await Authorization.hasPermission(user._id, 'access-federation'))) {
+		if (!isUserNativeFederated(user) && !(await FederationMatrix.canUserAccessFederation(user))) {
 			throw new MeteorError('error-not-authorized-federation', 'Not authorized to access federation');
 		}
 

@@ -1,4 +1,4 @@
-import { ServiceClassInternal, Authorization, Message, MeteorError } from '@rocket.chat/core-services';
+import { ServiceClassInternal, Authorization, Message, MeteorError, FederationMatrix } from '@rocket.chat/core-services';
 import type { ICreateRoomParams, IRoomService } from '@rocket.chat/core-services';
 import {
 	type AtLeast,
@@ -149,7 +149,7 @@ export class RoomService extends ServiceClassInternal implements IRoomService {
 	/**
 	 * Method called by users to join a room.
 	 */
-	async join({ room, user, joinCode }: { room: IRoom; user: Pick<IUser, '_id' | 'federated' | 'federation'>; joinCode?: string }) {
+	async join({ room, user, joinCode }: { room: IRoom; user: IUser; joinCode?: string }) {
 		if (!(await roomCoordinator.getRoomDirectives(room.t)?.allowMemberAction(room, RoomMemberActions.JOIN, user._id))) {
 			throw new MeteorError('error-not-allowed', 'Not allowed', { method: 'joinRoom' });
 		}
@@ -165,7 +165,7 @@ export class RoomService extends ServiceClassInternal implements IRoomService {
 		if (
 			FederationActions.shouldPerformFederationAction(room) &&
 			!isUserNativeFederated(user) &&
-			!(await Authorization.hasPermission(user._id, 'access-federation'))
+			!(await FederationMatrix.canUserAccessFederation(user))
 		) {
 			throw new MeteorError('error-not-authorized-federation', 'Not authorized to access federation', { method: 'joinRoom' });
 		}

@@ -100,5 +100,13 @@ export const createFederationServiceSettings = async (): Promise<void> => {
 			modules: ['federation'],
 			invalidValue: false,
 		});
+
+		await this.add('Federation_Service_Validate_User_Domain', false, {
+			type: 'boolean',
+			public: false,
+			enterprise: true,
+			modules: ['federation'],
+			invalidValue: false,
+		});
 	});
 };
diff --git a/ee/packages/federation-matrix/src/FederationMatrix.ts b/ee/packages/federation-matrix/src/FederationMatrix.ts
@@ -1,4 +1,4 @@
-import { type IFederationMatrixService, Room, ServiceClass } from '@rocket.chat/core-services';
+import { Authorization, type IFederationMatrixService, Room, ServiceClass } from '@rocket.chat/core-services';
 import {
 	isDeletedMessage,
 	isMessageFromMatrixFederation,
@@ -36,6 +36,8 @@ export class FederationMatrix extends ServiceClass implements IFederationMatrixS
 
 	private processEDUPresence: boolean;
 
+	private validateUserDomain: boolean;
+
 	private readonly logger = new Logger(this.name);
 
 	override async created(): Promise<void> {
@@ -52,6 +54,8 @@ export class FederationMatrix extends ServiceClass implements IFederationMatrixS
 				this.processEDUTyping = value;
 			} else if (_id === 'Federation_Service_EDU_Process_Presence' && typeof value === 'boolean') {
 				this.processEDUPresence = value;
+			} else if (_id === 'Federation_Service_Validate_User_Domain' && typeof value === 'boolean') {
+				this.validateUserDomain = value;
 			}
 		});
 
@@ -98,6 +102,7 @@ export class FederationMatrix extends ServiceClass implements IFederationMatrixS
 		this.serverName = (await Settings.getValueById<string>('Federation_Service_Domain')) || '';
 		this.processEDUTyping = (await Settings.getValueById<boolean>('Federation_Service_EDU_Process_Typing')) || false;
 		this.processEDUPresence = (await Settings.getValueById<boolean>('Federation_Service_EDU_Process_Presence')) || false;
+		this.validateUserDomain = (await Settings.getValueById<boolean>('Federation_Service_Validate_User_Domain')) || false;
 	}
 
 	async createRoom(room: IRoom, owner: IUser): Promise<{ room_id: string; event_id: string }> {
@@ -802,4 +807,21 @@ export class FederationMatrix extends ServiceClass implements IFederationMatrixS
 			}
 		}
 	}
+
+	async canUserAccessFederation(user: IUser): Promise<boolean> {
+		if (!(await Authorization.hasPermission(user._id, 'access-federation'))) {
+			return false;
+		}
+
+		if (!this.validateUserDomain) {
+			return true;
+		}
+
+		return (
+			user.emails?.some((email) => {
+				const domain = email.address.split('@')[1];
+				return domain === this.serverName && email.verified;
+			}) ?? false
-		return (
-			user.emails?.some((email) => {
-				const domain = email.address.split('@')[1];
-				return domain === this.serverName && email.verified;
-			}) ?? false
+		return (
+			user.emails?.some((email) => {
+				const domain = email.address.split('@')[1]?.toLowerCase();
+				return domain === this.serverName.toLowerCase() && email.verified;
+			}) ?? false
-		return (
-			user.emails?.some((email) => {
-				const domain = email.address.split('@')[1];
-				return domain === this.serverName && email.verified;
-			}) ?? false
+		return (
+			user.emails?.some((email) => {
+				const domain = email.address.split('@')[1]?.toLowerCase();
+				return domain === this.serverName.toLowerCase() && email.verified;
+			}) ?? false
+		);
+	}
 }
diff --git a/ee/packages/federation-matrix/src/api/_matrix/invite.ts b/ee/packages/federation-matrix/src/api/_matrix/invite.ts
@@ -1,4 +1,4 @@
-import { Authorization } from '@rocket.chat/core-services';
+import { FederationMatrix } from '@rocket.chat/core-services';
 import { NotAllowedError, federationSDK } from '@rocket.chat/federation-sdk';
 import { Router } from '@rocket.chat/http-router';
 import { Logger } from '@rocket.chat/logger';
@@ -175,7 +175,7 @@ export const getMatrixInviteRoutes = () => {
 			}
 
 			// check federation permission before processing the invite
-			if (!(await Authorization.hasPermission(ourUser._id, 'access-federation'))) {
+			if (!(await FederationMatrix.canUserAccessFederation(ourUser))) {
 				logger.info({ msg: 'User denied federation access, rejecting invite to room', userId: userToCheck, roomId });
 
 				return {