fix(#283): Enforce connection status validation in queries

Move status validation from post-retrieval checks into Prisma WHERE clauses. This prevents TOCTOU issues and ensures only ACTIVE connections are retrieved. Removed redundant status checks after retrieval in both query and command services. Security improvement: Enforces status=ACTIVE in database query rather than checking after retrieval, preventing race conditions. Fixes #283 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 21:32:47 -06:00
parent a1973e6419
commit aabf97fe4e
4 changed files with 63 additions and 52 deletions
--- a/apps/api/src/federation/query.service.spec.ts
+++ b/apps/api/src/federation/query.service.spec.ts
@@ -143,7 +143,11 @@ describe("QueryService", () => {
      expect(result.messageType).toBe(FederationMessageType.QUERY);
      expect(result.query).toBe(query);
      expect(mockPrisma.federationConnection.findUnique).toHaveBeenCalledWith({
-        where: { id: connectionId, workspaceId },
+        where: {
+          id: connectionId,
+          workspaceId,
+          status: FederationConnectionStatus.ACTIVE,
+        },
      });
      expect(mockPrisma.federationMessage.create).toHaveBeenCalled();
      expect(mockHttpService.post).toHaveBeenCalledWith(
@@ -168,17 +172,21 @@ describe("QueryService", () => {
    });

    it("should throw error if connection not active", async () => {
-      const mockConnection = {
-        id: "connection-1",
-        workspaceId: "workspace-1",
-        status: FederationConnectionStatus.PENDING,
-      };
-
-      mockPrisma.federationConnection.findUnique.mockResolvedValue(mockConnection);
+      // Connection should not be found by query because it's not ACTIVE
+      mockPrisma.federationConnection.findUnique.mockResolvedValue(null);

      await expect(
        service.sendQuery("workspace-1", "connection-1", "SELECT * FROM tasks")
-      ).rejects.toThrow("Connection is not active");
+      ).rejects.toThrow("Connection not found");
+
+      // Verify that findUnique was called with status: ACTIVE in the query
+      expect(mockPrisma.federationConnection.findUnique).toHaveBeenCalledWith({
+        where: {
+          id: "connection-1",
+          workspaceId: "workspace-1",
+          status: FederationConnectionStatus.ACTIVE,
+        },
+      });
    });

    it("should handle network errors gracefully", async () => {
@@ -305,19 +313,21 @@ describe("QueryService", () => {
        signature: "valid-signature",
      };

-      const mockConnection = {
-        id: "connection-1",
-        workspaceId: "workspace-1",
-        remoteInstanceId: "remote-instance-1",
-        status: FederationConnectionStatus.PENDING,
-      };
-
-      mockPrisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
+      // Connection should not be found because status filter in query excludes non-ACTIVE
+      mockPrisma.federationConnection.findFirst.mockResolvedValue(null);
      mockSignatureService.validateTimestamp.mockReturnValue(true);

      await expect(service.handleIncomingQuery(queryMessage)).rejects.toThrow(
-        "Connection is not active"
+        "No connection found for remote instance"
      );
+
+      // Verify the findFirst was called with status: ACTIVE filter
+      expect(mockPrisma.federationConnection.findFirst).toHaveBeenCalledWith({
+        where: {
+          remoteInstanceId: "remote-instance-1",
+          status: FederationConnectionStatus.ACTIVE,
+        },
+      });
    });

    it("should reject query from unknown instance", async () => {