Reject single faulty event instead of the whole room state

[babolivier]

Joining Matrix HQ with Dendrite is currently impossible because of a badly constructed event. In this case, gomatrixserverlib rejects the whole state, aborts the room join and logs the following error:

gomatrixserverlib: sender domain doesn't match origin: \"matrix.orly.cf\" != \"matrix.org\"

The JSON of the corresponding event is:

{
    "auth_events": [
        [
            "$145095128663932ULGxu:matrix.org",
            {
                "sha256": "Qr4iNEm3Sb+dMQQijh0Fk52B6QLgg2Bj+DSmbSD0gwQ"
            }
        ],
        [
            "$1416420717069yeQaw:matrix.org",
            {
                "sha256": "SQbXz8UcBT39JJs/J9hqWb8INde/p4pkr9AG6gk7EtY"
            }
        ],
        [
            "$1416420717079YOCAM:matrix.org",
            {
                "sha256": "PYI0qgBD3T2iPoh4nkCNQ+bIfTXJ5BvEA5pgtgLsAEw"
            }
        ]
    ],
    "content": {
        "membership": "join"
    },
    "depth": 87361,
    "event_id": "$1451109772178767MVoAx:matrix.org",
    "hashes": {
        "sha256": "PmApxqj8VK9+Q3WXC6MFCJJddaKgkBNzEBmlqELVURg"
    },
    "origin": "matrix.org",
    "origin_server_ts": 1451109772982,
    "prev_events": [
        [
            "$1451105729744QPsBR:whatthefuck.computer",
            {
                "sha256": "0knG+e09KD25TX3/7bjsEMg4y1+CIq/dxapaQcXkc7k"
            }
        ]
    ],
    "prev_state": [],
    "room_id": "!cURbafjkfsMDVwdRDQ:matrix.org",
    "sender": "@ferdinand:matrix.orly.cf",
    "signatures": {
        "matrix.org": {
            "ed25519:auto": "l2i38JcoXt5HmvbvOZLp/r04TE5salSh+FZm9lhZOsK2UdWsjHIN4oxCoXnmYtP27yOsqEvJ2Lq9Jc5jD8tdAA"
        },
        "matrix.orly.cf": {
            "ed25519:a_DqBf": "z0OAWxhLI19/PDd249OHszKNEtirip8osTOd+Sm9h3Q/b5d+lcy2DCquuuCV8RMC1l7hV8p9ukYvjo200yLuAg"
        }
    },
    "state_key": "@ferdinand:matrix.orly.cf",
    "type": "m.room.member",
    "unsigned": {}
}

Here, gomatrixserverlib should reject this single event instead and go on with the room join.

[kegsay]

Is this actually the intended behaviour? Does the spec say that we should drop and continue joining?

[richvdh]

I don't think the spec is clear on it.

This ties into the bigger question of "what should we do if we find an event whose signature we can't verify (possibly because we can't find the signing key)". IMHO failing the join would make joins rather brittle, but it's not obvious.

Relatedly, we broke this in synapse recently (matrix-org/synapse#6978), and it turned out that nobody could join a whole bunch of rooms until we fixed it.

[kegsay]

I guess from an attack vector perspective it makes sense not to block the join, else malicious actors could withold their signing key for example and cause chaos.

In scenarios where the failing to get the key is transient, and the events are real and should be included.... I dunno what we should do there.

[kegsay]

We reject individual faulty events now.