Citadel is an instant messaging platform for business, by Thales. It is based on Matrix. If you want to check out the things in this post for yourself, you can use join.citadel.team to do so.

View/click counts for news posts

When you open a news post, the client sends a PUT request to /_matrix/client/r0/citadel/stats/m.news/<event id>. This bumps the amount of clicks for each request, and also the amount of unique users who read the news post.

Then when you view the news post, it uses a GET request to the same path to fetch the view count (user_readings):

curl 'https://ext01.citadel.team/_matrix/client/r0/citadel/stats/m.news/$eventhere' -H "Authorization: $AUTH"

{
    "total_clicks": 1,
    "user_readings": 1
}

However, they don’t actually check that the event ID is real! So you can make counters for any string. You can actually sign up to Citadel and check $eventhere using your access token. It should have 69 clicks by the time you read this (unless someone ruins it).

Room deletion

Citadel also has a feature to delete rooms. When you click the ‘Delete room’ button, it sends a POST to /_matrix/client/r0/citadel/rooms/<room id>/closeRoom with this JSON:

{
	"room_id":"!XqfhgxnNjpMhbhJPEF:ext01.citadel.team",
	"store_response": true
}

Which gives back an ID for the operation:

{
    "operation_id": "HYIOTbLucmmXPBHU"
}

The client sets store_response to true. Setting this to false, then making the same request again after the room is closed shows this:

{
    "operation_id": "IzTXWzmLdiNjIFli",
    "previous_state": {
        "progress": {
            "steps": {
                "step_kick_users": {
                    "status": "complete"
                },
                "step_purge_history": {
                    "status": "complete"
                },
                "step_purge_media": {
                    "status": "complete"
                }
            }
        },
        "status": "complete"
    }
}

Trying to join the room again returns a response saying it’s blocked:

{
    "errcode": "M_UNKNOWN",
    "error": "This room has been blocked on this server"
}

Meaning that the room still exists.

If it’s a public room, you can even view the state! Here is the topic of the room I just closed.

curl 'https://ext01.citadel.team/_matrix/client/r0/rooms/!yKNaqrffJfakyFNdyH:ext01.citadel.team/state' -H "Authorization: $AUTH" | 
	jq '.[] | select(.content.topic) | .content.topic'
"this room was made for my blog post and will be deleted"

Room versions

This is the /_matrix/client/r0/capabilities response for the server:

{
    "capabilities": {
        "m.change_password": {
            "enabled": true
        },
        "m.room_versions": {
            "available": {
                "1": "stable",
                "2": "stable",
                "3": "stable",
                "state-v2-test": "unstable"
            },
            "default": "1"
        }
    }
}

Incredibly old, right? I have nothing more to say about this.