diff --git a/src/api/server_server.rs b/src/api/server_server.rs
index ec4bb955..3a94a60f 100644
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@@ -1165,6 +1165,22 @@ async fn create_join_event(
 ));
 }
 
+ let state_key: OwnedUserId = serde_json::from_value(
+ value
+ .get("state_key")
+ .ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "PDU does not a state key"))?
+ .clone()
+ .into(),
+ )
+ .map_err(|_| Error::BadRequest(ErrorKind::BadJson, "State key is invalid or not a user ID"))?;
+
+ if state_key != sender {
+ return Err(Error::BadRequest(
+ ErrorKind::InvalidParam,
+ "State key does not match sender user",
+ ));
+ }
+
 ruma::signatures::hash_and_sign_event(
 services().globals.server_name().as_str(),
 services().globals.keypair(),
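Review bot: The message on the missing-key branch reads `"PDU does not a state key"`; it lacks a verb and should be `"PDU does not have a state key"`. The new `state_key != sender` guard sits directly before `hash_and_sign_event`, and a short comment would record why that order matters, for example `// Reject before signing: a join must have state_key == sender, otherwise this server would sign a membership event for another user.` The hunk does not show how `sender` is derived or whether its server name is compared with the authenticated requesting server, so that is worth confirming, because the equality check alone only proves the event is self-consistent. `create_join_event` starts and ends outside this hunk.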