Fall back to federation if we can't satisfy with any of our local users

federationapi/routing/join.go

@@ -604,8 +604,9 @@ func verifyRestrictedMembershipForSendJoin(
 	}
 
 	// If there's no `join_authorised_via_users_server` key then there's
-	// nothing else to do. Return the original event and it'll either
-	// succeed for some other reason or it will fail auth.
+	// nothing else to do. This might be because it's a join -> join transition
+	// or the response to an invite. Return the original event and it'll either
+	// pass auth for some other reason or it will fail auth correctly.
 	if memberContent.AuthorisedVia == "" {
 		return event, nil
 	}

federationsender/internal/perform.go

@@ -209,8 +209,6 @@ func (r *FederationSenderInternalAPI) performJoinUsingServer(
 		return fmt.Errorf("respMakeJoin.JoinEvent.Build: %w", err)
 	}
 
-	fmt.Println("Join event:", event.EventID())
-
 	// No longer reuse the request context from this point forward.
 	// We don't want the client timing out to interrupt the join.
 	var cancel context.CancelFunc

roomserver/internal/perform/perform_join.go

@@ -250,11 +250,19 @@ func (r *Joiner) performJoinRoomByID(
 	if restricted, roomIDs, rerr := r.checkIfRestrictedJoin(ctx, req); rerr != nil {
 		return "", "", err
 	} else if restricted {
+		success := false
 		for _, roomID := range roomIDs {
 			if err = r.attemptRestrictedJoinUsingRoomID(ctx, req, roomID, &eb); err == nil {
+				success = true
 				break
 			}
 		}
+		if !success {
+			// We haven't been able to validate the join using any of our own
+			// local users, so we now need to depend on a remote server to help.
+			joinedVia, err = r.performFederatedJoinRoomByID(ctx, req)
+			return req.RoomIDOrAlias, joinedVia, err
+		}
 	}
 
 	// Try to construct an actual join event from the template.