Use destination field in X-Matrix Authorization header

Both validating and sending it is a MUST since Matrix v1.3.
2025-12-16 23:31:24 +01:00 · 2024-06-03 16:35:00 +00:00 · 2024-06-03 16:35:00 +00:00 · 5c39c7c5ff
commit 5c39c7c5ff
parent 62dd097f49
2 changed files with 14 additions and 1 deletions
--- a/src/api/ruma_wrapper/axum.rs
+++ b/src/api/ruma_wrapper/axum.rs
@ -196,6 +196,19 @@ async fn ar_from_request_inner(
                        Error::BadRequest(ErrorKind::forbidden(), msg)
                    })?;

+                if let Some(destination) = x_matrix.destination {
+                    if destination != services().globals.server_name() {
+                        warn!(
+                            %destination,
+                            "Incorrect destination in X-Matrix header"
+                        );
+                        return Err(Error::BadRequest(
+                            ErrorKind::Unauthorized,
+                            "Incorrect destination in X-Matrix header",
+                        ));
+                    }
+                }
+
                let origin_signatures = BTreeMap::from_iter([(
                    x_matrix.key.to_string(),
                    CanonicalJsonValue::String(x_matrix.sig),