feat(#292): implement protocol version checking

Add protocol version validation during connection handshake. - Define FEDERATION_PROTOCOL_VERSION constant (1.0) - Validate version on both outgoing and incoming connections - Require exact version match for compatibility - Log and audit version mismatches Fixes #292 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 22:00:16 -06:00
parent d373ce591f
commit 14ae97bba4
3 changed files with 115 additions and 0 deletions
--- a/apps/api/src/federation/connection.service.spec.ts
+++ b/apps/api/src/federation/connection.service.spec.ts
@@ -150,6 +150,31 @@ describe("ConnectionService", () => {
      );
    });

+    it("should reject connection to instance with incompatible protocol version", async () => {
+      const incompatibleRemoteIdentity = {
+        ...mockRemoteIdentity,
+        capabilities: {
+          ...mockRemoteIdentity.capabilities,
+          protocolVersion: "2.0",
+        },
+      };
+
+      const mockAxiosResponse: AxiosResponse = {
+        data: incompatibleRemoteIdentity,
+        status: 200,
+        statusText: "OK",
+        headers: {},
+        config: {} as never,
+      };
+
+      vi.spyOn(prismaService.federationConnection, "count").mockResolvedValue(5);
+      vi.spyOn(httpService, "get").mockReturnValue(of(mockAxiosResponse));
+
+      await expect(service.initiateConnection(mockWorkspaceId, mockRemoteUrl)).rejects.toThrow(
+        "Incompatible protocol version. Expected 1.0, received 2.0"
+      );
+    });
+
    it("should create a pending connection", async () => {
      const mockAxiosResponse: AxiosResponse = {
        data: mockRemoteIdentity,
@@ -449,6 +474,42 @@ describe("ConnectionService", () => {
      signature: "valid-signature",
    };

+    it("should reject request with incompatible protocol version", async () => {
+      const incompatibleRequest = {
+        ...mockRequest,
+        capabilities: {
+          ...mockRemoteIdentity.capabilities,
+          protocolVersion: "2.0",
+        },
+      };
+
+      vi.spyOn(signatureService, "verifyConnectionRequest").mockResolvedValue({ valid: true });
+
+      await expect(
+        service.handleIncomingConnectionRequest(mockWorkspaceId, incompatibleRequest)
+      ).rejects.toThrow("Incompatible protocol version. Expected 1.0, received 2.0");
+    });
+
+    it("should accept request with compatible protocol version", async () => {
+      const compatibleRequest = {
+        ...mockRequest,
+        capabilities: {
+          ...mockRemoteIdentity.capabilities,
+          protocolVersion: "1.0",
+        },
+      };
+
+      vi.spyOn(signatureService, "verifyConnectionRequest").mockResolvedValue({ valid: true });
+      vi.spyOn(prismaService.federationConnection, "create").mockResolvedValue(mockConnection);
+
+      const result = await service.handleIncomingConnectionRequest(
+        mockWorkspaceId,
+        compatibleRequest
+      );
+
+      expect(result.status).toBe(FederationConnectionStatus.PENDING);
+    });
+
    it("should validate connection request signature", async () => {
      const verifySpy = vi.spyOn(signatureService, "verifyConnectionRequest");
      vi.spyOn(prismaService.federationConnection, "create").mockResolvedValue(mockConnection);