Merge cc2623f8da into 6b6d351ef8

Specify basic validation for federation membership endpoints (#2284 )
Signed-off-by: Tulir Asokan <tulir@maunium.net> Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
2026-04-13 14:44:10 +02:00 · 2026-02-24 13:35:16 +00:00 · 2026-02-24 13:35:05 +00:00 · 2026-02-17 17:23:26 -05:00 · 2026-02-07 18:43:03 -05:00 · 2026-01-28 12:05:35 -05:00
16 changed files with 258 additions and 43 deletions
--- a/changelogs/room_versions/newsfragments/2297.clarification
+++ b/changelogs/room_versions/newsfragments/2297.clarification
@ -0,0 +1 @@
+Clarify meaning of floating-point powerlevels.
--- a/changelogs/server_server/newsfragments/2284.clarification
+++ b/changelogs/server_server/newsfragments/2284.clarification
@ -0,0 +1 @@
+Specify validation for PDUs passed to and returned from federation membership endpoints.
--- a/content/rooms/fragments/v1-floaty-power-levels.md
+++ b/content/rooms/fragments/v1-floaty-power-levels.md
@ -0,0 +1,41 @@
+
+##### `m.room.power_levels` events accept values as floats
+
+When the value is a float
+ * First, exponential notation is applied: `5.114698E4` becomes `51146.98`
+ * Second, the value is truncated at the decimal point: `51146.98` becomes `51146`.
+
+Values outside the range represented by IEE754 binary64 (a "double") cause the
+powerlevel event to be rejected.
+
+For example, this is a valid `m.room.power_levels` event in this room version:
+
+```json
+{
+  "content": {
+    "ban": 50,
+    "events": {
+      "m.room.power_levels": 100
+    },
+    "events_default": 0,
+    "state_default": 50,
+    "users": {
+      "@example:example.org": 100,
+      "@alice:localhost": 50,
+      "@bob:localhost": 50.57
+    },
+    "users_default": 0
+  },
+  "origin_server_ts": 1432735824653,
+  "room_id": "!jEsUZKDJdhlrceRyVU:example.org",
+  "sender": "@example:example.org",
+  "state_key": "",
+  "type": "m.room.power_levels"
+}
+```
+
+In this example, both `@bob:localhost` and `@alice:localhost` have the same effective
+power level of `50`, even though the values are technically different.
+
+Note that, since this room version does not enforce that events comply with the requirements
+of [Canonical JSON](/appendices#canonical-json), power levels can be formatted as floats.
--- a/content/rooms/v1.md
+++ b/content/rooms/v1.md
@ -59,6 +59,8 @@ Events in version 1 rooms have the following structure:

 {{% rver-fragment name="v1-stringy-power-levels" %}}

+{{% rver-fragment name="v1-floaty-power-levels" %}}
+
 ### Authorization rules

 {{% rver-fragment name="v1-auth-rules" %}}
--- a/content/rooms/v2.md
+++ b/content/rooms/v2.md
@ -57,6 +57,8 @@ Events in rooms of this version have the following structure:

 {{% rver-fragment name="v1-stringy-power-levels" %}}

+{{% rver-fragment name="v1-floaty-power-levels" %}}
+
 ### Authorization rules

 {{% rver-fragment name="v1-auth-rules" %}}
--- a/content/rooms/v3.md
+++ b/content/rooms/v3.md
@ -87,6 +87,8 @@ The complete structure of a event in a v3 room is shown below.

 {{% rver-fragment name="v1-stringy-power-levels" %}}

+{{% rver-fragment name="v1-floaty-power-levels" %}}
+
 ### Authorization rules

 {{% boxes/note %}}
--- a/content/rooms/v4.md
+++ b/content/rooms/v4.md
@ -76,6 +76,8 @@ the changes in this room version.

 {{% rver-fragment name="v1-stringy-power-levels" %}}

+{{% rver-fragment name="v1-floaty-power-levels" %}}
+
 ### Authorization rules

 {{% rver-fragment name="v3-auth-rules" %}}
--- a/content/rooms/v5.md
+++ b/content/rooms/v5.md
@ -58,6 +58,8 @@ completeness.

 {{% rver-fragment name="v1-stringy-power-levels" %}}

+{{% rver-fragment name="v1-floaty-power-levels" %}}
+
 ### Authorization rules

 {{% rver-fragment name="v3-auth-rules" %}}
--- a/content/server-server-api.md
+++ b/content/server-server-api.md
@ -868,8 +868,10 @@ selecting a resident from the candidate list, and using the
 enough information for the joining server to fill in the event.

 The joining server is expected to add or replace the `origin`,
-`origin_server_ts`, and `event_id` on the templated event received by
-the resident server. This event is then signed by the joining server.
+`origin_server_ts`, and `event_id` on the templated event received by the
+resident server. The joining server MUST also verify that the `type`, `room_id`,
+`sender`, `state_key` and `content.membership` fields have the expected values.
+This event is then signed by the joining server.

 To complete the join handshake, the joining server submits this new event
 to the resident server it used for `GET /make_join`, using the `PUT /send_join`
--- a/data/api/server-server/invites-v1.yaml
+++ b/data/api/server-server/invites-v1.yaml
@ -36,6 +36,28 @@ paths:
        Also note that if the remote homeserver is already in the room, it will receive the
        invite event twice; once through this endpoint, and again through a [federation
        transaction](/server-server-api/#transactions).
+
+        Servers MUST apply certain validation to ensure they don't accidentally sign non-invite
+        events from a malicious server. A specific error code is not mandated, but servers SHOULD
+        return `M_INVALID_PARAM` if:
+
+        * The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
+        * The event type is not `m.room.member`.
+        * The `membership` field inside the event content is not `invite`.
+        * The event sender is not a user ID on the origin server.
+        * The `state_key` is not a user ID on the receiving server.
+
+        The `invite_room_state` has additional validation, which servers MAY apply to room versions
+        1 through 11 and SHOULD apply to all other room versions. As with the above errors, servers
+        SHOULD return `M_INVALID_PARAM` if:
+
+        * The `m.room.create` event is missing from `invite_room_state`.
+        * One or more entries in `invite_room_state` are not formatted according
+          to the room's version.
+        * One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
+        * One or more events does not reside in the same room as the invite.
+          Note: Some room versions may require calculating the room ID for an
+          event rather than relying on the presence of `room_id`.
      operationId: sendInviteV1
      security:
        - signedRequest: []
@ -83,8 +105,7 @@ paths:
                            MUST additionally be formatted according to the room version specification.

                            Servers might need to apply validation to the `invite_room_state` depending
-                            on room version. See the `400 M_MISSING_PARAM` error definition for more
-                            information.
+                            on room version. See endpoint description for more information.

                            Note that events have a different format depending on the room
                            version - check the [room version specification](/rooms) for
@ -178,23 +199,7 @@ paths:
                  }
        "400":
          description: |-
-            The `M_MISSING_PARAM` error code is used to indicate one or more of
-            the following:
-
-            * The `m.room.create` event is missing from `invite_room_state`.
-            * One or more entries in `invite_room_state` are not formatted according
-              to the room's version.
-            * One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
-            * One or more events does not reside in the same room as the invite.
-              Note: Some room versions may require calculating the room ID for an
-              event rather than relying on the presence of `room_id`.
-
-            Servers MAY apply the validation above to room versions 1 through 11,
-            and SHOULD apply the validation above to all other room versions.
-
-            If `M_MISSING_PARAM` is returned and the request is associated with a
-            Client-Server API request, the Client-Server API request SHOULD fail
-            with a 5xx error rather than being passed through.
+            The request is invalid in some way.
          content:
            application/json:
              schema:
@ -202,7 +207,7 @@ paths:
              examples:
                response:
                  value: {
-                    "errcode": "M_MISSING_PARAM",
+                    "errcode": "M_INVALID_PARAM",
                    "error": "Create event not among invite state entries."
                  }
 servers:
--- a/data/api/server-server/invites-v2.yaml
+++ b/data/api/server-server/invites-v2.yaml
@ -40,6 +40,28 @@ paths:
        Also note that if the remote homeserver is already in the room, it will receive the
        invite event twice; once through this endpoint, and again through a [federation
        transaction](/server-server-api/#transactions).
+
+        Servers MUST apply certain validation to ensure they don't accidentally sign non-invite
+        events from a malicious server. A specific error code is not mandated, but servers SHOULD
+        return `M_INVALID_PARAM` if:
+
+        * The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
+        * The event type is not `m.room.member`.
+        * The `membership` field inside the event content is not `invite`.
+        * The event sender is not a user ID on the origin server.
+        * The `state_key` is not a user ID on the receiving server.
+
+        The `invite_room_state` has additional validation, which servers MAY apply to room versions
+        1 through 11 and SHOULD apply to all other room versions. As with the above errors, servers
+        SHOULD return `M_INVALID_PARAM` if:
+
+        * The `m.room.create` event is missing from `invite_room_state`.
+        * One or more entries in `invite_room_state` are not formatted according
+          to the room's version.
+        * One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
+        * One or more events does not reside in the same room as the invite.
+          Note: Some room versions may require calculating the room ID for an
+          event rather than relying on the presence of `room_id`.
      operationId: sendInviteV2
      security:
        - signedRequest: []
@ -84,8 +106,7 @@ paths:
                    MUST additionally be formatted according to the room version specification.

                    Servers might need to apply validation to the `invite_room_state` depending
-                    on room version. See the `400 M_MISSING_PARAM` error definition for more
-                    information.
+                    on room version. See the endpoint description for more information.

                    Note that events have a different format depending on the room
                    version - check the [room version specification](/rooms) for
@ -154,22 +175,8 @@ paths:
            The error should be passed through to clients so that they
            may give better feedback to users.

-            The `M_MISSING_PARAM` error code is used to indicate one or more of
-            the following:
-
-            * The `m.room.create` event is missing from `invite_room_state`.
-            * One or more entries in `invite_room_state` are not formatted according
-              to the room's version.
-            * One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
-            * One or more events does not reside in the same room as the invite.
-              Note: Some room versions may require calculating the room ID for an
-              event rather than relying on the presence of `room_id`.
-
-            Servers MAY apply the validation above to room versions 1 through 11,
-            and SHOULD apply the validation above to all other room versions.
-
-            If `M_MISSING_PARAM` is returned and the request is associated with a
-            Client-Server API request, the Client-Server API request SHOULD fail
+            If `M_MISSING_PARAM` or `M_INVALID_PARAM` is returned and the request is associated
+            with a Client-Server API request, the Client-Server API request SHOULD fail
            with a 5xx error rather than being passed through.
          content:
            application/json:
--- a/data/api/server-server/joins-v1.yaml
+++ b/data/api/server-server/joins-v1.yaml
@ -23,6 +23,17 @@ paths:
      description: |-
        Asks the receiving server to return information that the sending
        server will need to prepare a join event to get into the room.
+
+        Before signing the returned template and calling `/send_join`,
+        the sending server MUST verify that:
+
+        * the `room_id` is equal to the `roomId` path parameter.
+        * both the `sender` and `state_key` are equal to the `userId` path parameter.
+        * the `type` of the event is `m.room.member`.
+        * the `membership` field inside `content` is `join`.
+
+        In case any of the above checks fail, the response MUST be treated as malformed and
+        discarded. The caller MAY try to join through another server.
      operationId: makeJoin
      security:
        - signedRequest: []
@ -36,7 +47,7 @@ paths:
            type: string
        - in: path
          name: userId
-          description: The user ID the join event will be for.
+          description: The user ID the join event will be for. This MUST be a user ID on the origin server.
          required: true
          example: "@someone:example.org"
          schema:
@ -238,6 +249,15 @@ paths:
        **The request and response body here describe the common
        event fields in more detail and may be missing other required
        fields for a PDU.**
+
+        The receiving server MUST apply certain validation before accepting the event.
+        A specific error code is not mandated, but servers SHOULD return `M_INVALID_PARAM` if:
+
+        * The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
+        * The event type is not `m.room.member`.
+        * The `membership` field inside the event content is not `join`.
+        * The event sender is not a user ID on the origin server.
+        * The `state_key` is not equal to the `sender`.
      operationId: sendJoinV1
      security:
        - signedRequest: []
@ -388,6 +408,33 @@ paths:
                      }
                    }
                  ]
+        "400":
+          description: |-
+            The request is invalid in some way.
+          content:
+            application/json:
+              schema:
+                $ref: ../client-server/definitions/errors/error.yaml
+              examples:
+                response:
+                  value: {
+                    "errcode": "M_INVALID_PARAM",
+                    "error": "Not a join event."
+                  }
+        "403":
+          description: |-
+            The room that the joining server is attempting to join does not permit the user
+            to join.
+          content:
+            application/json:
+              schema:
+                $ref: ../client-server/definitions/errors/error.yaml
+              examples:
+                response:
+                  value: {
+                    "errcode": "M_FORBIDDEN",
+                    "error": "You are not invited to this room"
+                  }
 servers:
  - url: "{protocol}://{hostname}{basePath}"
    variables:
--- a/data/api/server-server/joins-v2.yaml
+++ b/data/api/server-server/joins-v2.yaml
@ -38,6 +38,15 @@ paths:
        **The request and response body here describe the common
        event fields in more detail and may be missing other required
        fields for a PDU.**
+
+        The receiving server MUST apply certain validation before accepting the event.
+        A specific error code is not mandated, but servers SHOULD return `M_INVALID_PARAM` if:
+
+        * The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
+        * The event type is not `m.room.member`.
+        * The `membership` field inside the event content is not `join`.
+        * The event sender is not a user ID on the origin server.
+        * The `state_key` is not equal to the `sender`.
      operationId: sendJoinV2
      security:
        - signedRequest: []
@ -247,6 +256,10 @@ paths:
            The error should be passed through to clients so that they
            may give better feedback to users.

+            If `M_MISSING_PARAM` or `M_INVALID_PARAM` is returned and the request is associated
+            with a Client-Server API request, the Client-Server API request SHOULD fail
+            with a 5xx error rather than being passed through.
+
            New in `v1.2`, the following error conditions might happen:

            If the room is [restricted](/client-server-api/#restricted-rooms)
--- a/data/api/server-server/knocks.yaml
+++ b/data/api/server-server/knocks.yaml
@ -23,6 +23,17 @@ paths:
      description: |-
        Asks the receiving server to return information that the sending
        server will need to prepare a knock event for the room.
+
+        Before signing the returned template and calling `/send_knock`,
+        the sending server MUST verify that:
+
+        * the `room_id` is equal to the `roomId` path parameter.
+        * both the `sender` and `state_key` are equal to the `userId` path parameter.
+        * the `type` of the event is `m.room.member`.
+        * the `membership` field inside `content` is `knock`.
+
+        In case any of the above checks fail, the response MUST be treated as malformed and
+        discarded. The caller MAY try to knock through another server.
      operationId: makeKnock
      security:
        - signedRequest: []
@ -36,7 +47,7 @@ paths:
            type: string
        - in: path
          name: userId
-          description: The user ID the knock event will be for.
+          description: The user ID the knock event will be for. This MUST be a user ID on the origin server.
          required: true
          example: "@someone:example.org"
          schema:
@ -204,6 +215,15 @@ paths:
        **The request and response body here describe the common
        event fields in more detail and may be missing other required
        fields for a PDU.**
+
+        The receiving server MUST apply certain validation before accepting the event.
+        A specific error code is not mandated, but servers SHOULD return `M_INVALID_PARAM` if:
+
+        * The knock event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
+        * The event type is not `m.room.member`.
+        * The `membership` field inside the event content is not `knock`.
+        * The event sender is not a user ID on the origin server.
+        * The `state_key` is not equal to the `sender`.
      operationId: sendKnock
      security:
        - signedRequest: []
@ -330,6 +350,19 @@ paths:
                      "$ref": "./examples/invite_or_knock_state.json"
                    }
                  }
+        "400":
+          description: |-
+            The request is invalid in some way.
+          content:
+            application/json:
+              schema:
+                $ref: ../client-server/definitions/errors/error.yaml
+              examples:
+                response:
+                  value: {
+                    "errcode": "M_INVALID_PARAM",
+                    "error": "Not a knock event."
+                  }
        "403":
          description: |-
            The knocking server or user is not permitted to knock on the room, such as when the
--- a/data/api/server-server/leaving-v1.yaml
+++ b/data/api/server-server/leaving-v1.yaml
@ -23,6 +23,17 @@ paths:
      description: |-
        Asks the receiving server to return information that the sending
        server will need to prepare a leave event to get out of the room.
+
+        Before signing the returned template and calling `/send_leave`,
+        the sending server MUST verify that:
+
+        * the `room_id` is equal to the `roomId` path parameter.
+        * both the `sender` and `state_key` are equal to the `userId` path parameter.
+        * the `type` of the event is `m.room.member`.
+        * the `membership` field inside `content` is `leave`.
+
+        In case any of the above checks fail, the response MUST be treated as malformed and
+        discarded. The caller MAY try to leave through another server.
      operationId: makeLeave
      security:
        - signedRequest: []
@ -36,7 +47,7 @@ paths:
            type: string
        - in: path
          name: userId
-          description: The user ID the leave event will be for.
+          description: The user ID the leave event will be for. This MUST be a user ID on the origin server.
          required: true
          example: "@someone:example.org"
          schema:
@ -153,6 +164,15 @@ paths:
        **The request and response body here describe the common
        event fields in more detail and may be missing other required
        fields for a PDU.**
+
+        The receiving server MUST apply certain validation before accepting the event.
+        A specific error code is not mandated, but servers SHOULD return `M_INVALID_PARAM` if:
+
+        * The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
+        * The event type is not `m.room.member`.
+        * The `membership` field inside the event content is not `leave`.
+        * The event sender is not a user ID on the origin server.
+        * The `state_key` is not equal to the `sender`.
      operationId: sendLeaveV1
      security:
        - signedRequest: []
@ -249,6 +269,19 @@ paths:
                    200,
                    {}
                  ]
+        "400":
+          description: |-
+            The request is invalid in some way.
+          content:
+            application/json:
+              schema:
+                $ref: ../client-server/definitions/errors/error.yaml
+              examples:
+                response:
+                  value: {
+                    "errcode": "M_INVALID_PARAM",
+                    "error": "Not a leave event."
+                  }
 servers:
  - url: "{protocol}://{hostname}{basePath}"
    variables:
--- a/data/api/server-server/leaving-v2.yaml
+++ b/data/api/server-server/leaving-v2.yaml
@ -38,6 +38,15 @@ paths:
        **The request and response body here describe the common
        event fields in more detail and may be missing other required
        fields for a PDU.**
+
+        The receiving server MUST apply certain validation before accepting the event.
+        A specific error code is not mandated, but servers SHOULD return `M_INVALID_PARAM` if:
+
+        * The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
+        * The event type is not `m.room.member`.
+        * The `membership` field inside the event content is not `leave`.
+        * The event sender is not a user ID on the origin server.
+        * The `state_key` is not equal to the `sender`.
      operationId: sendLeaveV2
      security:
        - signedRequest: []
@ -134,6 +143,19 @@ paths:
              examples:
                response:
                  value: {}
+        "400":
+          description: |-
+            The request is invalid in some way.
+          content:
+            application/json:
+              schema:
+                $ref: ../client-server/definitions/errors/error.yaml
+              examples:
+                response:
+                  value: {
+                    "errcode": "M_INVALID_PARAM",
+                    "error": "Not a leave event."
+                  }
 servers:
  - url: "{protocol}://{hostname}{basePath}"
    variables:
Author	SHA1	Message	Date
Kierre Sametti	e4af8b79b6	Merge `cc2623f8da` into `6b6d351ef8`	2026-02-24 13:35:16 +00:00
Tulir Asokan	6b6d351ef8	Specify basic validation for federation membership endpoints (#2284 ) Signed-off-by: Tulir Asokan <tulir@maunium.net> Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>	2026-02-24 13:35:05 +00:00
Kierre	cc2623f8da	apply suggestions from code review	2026-02-17 17:23:26 -05:00
Kierre	1d1fa4cb5b	move transformations into one section	2026-02-07 18:43:03 -05:00
Kierre	6264b34caf	clarify exponential notation and add canonical JSON note	2026-01-28 12:05:35 -05:00
Kierre	917f1dd8c1	"visually" -> "technically" this makes more sense to me	2026-01-28 11:37:58 -05:00
Kierre Sametti	909395ab3c	Update content/rooms/fragments/v1-floaty-power-levels.md Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>	2026-01-28 11:03:16 -05:00
Kierre Sametti	b6198973e0	Update changelogs/room_versions/newsfragments/2297.clarification Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>	2026-01-28 11:02:53 -05:00
Kierre	b09d59bd37	newsfragment	2026-01-25 11:37:36 -05:00
Kierre	68d92cf254	`m.room.power_levels` events accept values as floats	2026-01-25 11:31:32 -05:00
				`@ -0,0 +1 @@`
				`Clarify meaning of floating-point powerlevels.`
				`@ -0,0 +1 @@`
				`Specify validation for PDUs passed to and returned from federation membership endpoints.`