check state_key matches sender user at /send_join

Signed-off-by: strawberry <strawberry@puppygock.gay>

src/api/server_server.rs

@@ -1165,6 +1165,22 @@ async fn create_join_event(
 		));
 	}
 
+	let state_key: OwnedUserId = serde_json::from_value(
+		value
+			.get("state_key")
+			.ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "PDU does not a state key"))?
+			.clone()
+			.into(),
+	)
+	.map_err(|_| Error::BadRequest(ErrorKind::BadJson, "State key is invalid or not a user ID"))?;
+
+	if state_key != sender {
+		return Err(Error::BadRequest(
+			ErrorKind::InvalidParam,
+			"State key does not match sender user",
+		));
+	}
+
 	ruma::signatures::hash_and_sign_event(
 		services().globals.server_name().as_str(),
 		services().globals.keypair(),