mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
359 Commits 83 Branches 4 Tags
8aadfb99af7cd7d3465633fee70ce77a016979b5
Commit Graph

4 Commits

Author SHA1 Message Date
Jason Woltje
43681ca1b1 feat(#295): validate FederationCapabilities structure 
Add DTO validation for FederationCapabilities to ensure proper structure.
- Create FederationCapabilitiesDto with class-validator decorators
- Validate boolean types for capability flags
- Validate string type for protocolVersion
- Update IncomingConnectionRequestDto to use validated DTO
- Add comprehensive unit tests for DTO validation

Fixes #295

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-03 22:02:08 -06:00
Jason Woltje
01639fff95 feat(#285): Add input sanitization for XSS prevention 
Security improvements:
- Create sanitization utility using sanitize-html library
- Add @Sanitize() and @SanitizeObject() decorators for DTOs
- Apply sanitization to vulnerable fields:
  - Connection rejection/disconnection reasons
  - Connection metadata
  - Identity linking metadata
  - Command payloads
- Remove script tags, event handlers, javascript: URLs
- Prevent data exfiltration, CSS-based XSS, SVG-based XSS

Changes:
- Add sanitize.util.ts with recursive sanitization functions
- Add sanitize.decorator.ts for class-transformer integration
- Update connection.dto.ts with sanitization decorators
- Update identity-linking.dto.ts with sanitization decorators
- Update command.dto.ts with sanitization decorators
- Add comprehensive test coverage including attack vectors

Part of M7.1 Remediation Sprint P1 security fixes.

Fixes #285

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-03 21:47:32 -06:00
Jason Woltje
df2086ffe8 fix(#85): resolve TypeScript compilation and validation issues 
- Fix @IsNumber() validator on timestamp field (was @IsString() - critical security issue)
- Fix TypeScript compilation error in sortObjectKeys array handling
- Replace generic Error with UnauthorizedException and ServiceUnavailableException
- Document hardcoded workspace ID limitation in handleIncomingConnection
- Remove unused BadRequestException import

All tests passing (70/70), TypeScript compiles cleanly, linting passes.
 2026-02-03 11:48:23 -06:00
Jason Woltje
fc3919012f feat(#85): implement CONNECT/DISCONNECT protocol 
Implemented connection handshake protocol for federation building on
the Instance Identity Model from issue #84.

**Services:**
- SignatureService: Message signing/verification with RSA-SHA256
- ConnectionService: Federation connection management

**API Endpoints:**
- POST /api/v1/federation/connections/initiate
- POST /api/v1/federation/connections/:id/accept
- POST /api/v1/federation/connections/:id/reject
- POST /api/v1/federation/connections/:id/disconnect
- GET /api/v1/federation/connections
- GET /api/v1/federation/connections/:id
- POST /api/v1/federation/incoming/connect

**Tests:** 70 tests pass (18 Signature + 20 Connection + 13 Controller + 19 existing)
**Coverage:** 100% on new code
**TDD Approach:** Tests written before implementation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-03 11:41:07 -06:00