feat: add PreventedToFetchSelfServer error handling in FederationRequ…

[ggazzo]

…estService

Summary by CodeRabbit

• Bug Fixes
  • Prevents attempts to fetch the local server by validating requests early and returning a clear, distinct error when the target matches the local server.
  • Extends the same validation to binary data requests so these are also stopped early with the same clear error message.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a new exported error class SelfServerFetchError and early guards in FederationRequestService.request and FederationRequestService.requestBinaryData to throw this error when the target server equals the local server name, preventing self-targeted federation requests.

Changes

Cohort / File(s)	Summary
Federation request guards & error export packages/federation-sdk/src/services/federation-request.service.ts	Added exported SelfServerFetchError class; added early validation in FederationRequestService.request and FederationRequestService.requestBinaryData to throw the error when targetServer matches the local server name. Guards placed before query-string construction, signing, and request execution.

Sequence Diagram(s)

(omitted — change is a local guard and does not introduce multi-component sequential flows)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: add FederationRequestError class  #316 — modifies the same federation-request.service.ts to introduce an exported error and adjust federation request error handling.

Suggested reviewers

• ricardogarim

Poem

🐇 I hop through files with nimble feet,
Stopping mirrors where servers meet.
A gentle guard, a quiet cheer,
No self-fetch loops shall appear. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title references 'PreventedToFetchSelfServer error handling' but the actual implementation uses 'SelfServerFetchError' class name, creating a naming mismatch.	Update the PR title to accurately reflect the implemented error class name, e.g., 'feat: add SelfServerFetchError handling in FederationRequestService' or adjust implementation to use the error name referenced in the title.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/prevent-from-request-self-server

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

❌ Patch coverage is 81.25000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.32%. Comparing base (252f452) to head (547a593).

Files with missing lines	Patch %	Lines
...ion-sdk/src/services/federation-request.service.ts	81.25%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #328      +/-   ##
==========================================
+ Coverage   52.29%   52.32%   +0.03%     
==========================================
  Files          97       97              
  Lines       13153    13169      +16     
==========================================
+ Hits         6878     6891      +13     
- Misses       6275     6278       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cubic-dev-ai]

No issues found across 1 file

[Copilot]

Pull request overview

This PR adds safeguard logic to prevent the federation service from making requests to its own server. It introduces a new error class PreventedToFetchSelfServer and implements a validation check in the request method to throw this error when attempting to fetch from the self server.

Changes:

• Added PreventedToFetchSelfServer error class for self-server fetch prevention
• Implemented validation in the request method to check and prevent self-server requests

Comments suppressed due to low confidence (1)

packages/federation-sdk/src/services/federation-request.service.ts:217

• The self-server check is missing in the 'requestBinaryData' method. This method also accepts a targetServer parameter and makes requests, so it should have the same validation to prevent fetching from the self server for consistency and completeness.

	async requestBinaryData(
		method: string,
		targetServer: string,
		endpoint: string,
		queryParams?: Record<string, string>,
	): Promise<MultipartResult> {
		const response = await this.makeSignedRequest({

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The new self-server validation logic lacks test coverage. The test file 'federation-request.service.spec.ts' contains comprehensive tests for other methods, but no tests verify this validation behavior. Add tests to ensure the error is thrown when targetServer equals the configured serverName.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@packages/federation-sdk/src/services/federation-request.service.ts`:
- Around line 148-152: The self-server prevention guard is only in request() and
is bypassed by requestBinaryData() which calls makeSignedRequest() directly;
move the guard into makeSignedRequest() so all outgoing federation calls are
blocked from targeting the local server (use the same PreventedToFetchSelfServer
exception and compare targetServer to
this.configService.getConfig('serverName')), then remove the duplicate guard
from request(); alternatively, if you prefer less-wide changes, add the
identical check from request() into requestBinaryData() to throw
PreventedToFetchSelfServer when targetServer equals the configured server name.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 252f452 and 3124d85.

📒 Files selected for processing (1)

• packages/federation-sdk/src/services/federation-request.service.ts

🔇 Additional comments (1)

packages/federation-sdk/src/services/federation-request.service.ts (1)

44-49: LGTM!

The custom error class follows the standard pattern for extending Error in TypeScript, correctly setting the name property for proper error identification.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@packages/federation-sdk/src/services/federation-request.service.ts`:
- Line 51: The module exports an alias "PreventedToFetchSelfServer" via "export
{ SelfServerFetchError as PreventedToFetchSelfServer }" but later code tries to
reference PreventedToFetchSelfServer as a local binding—create a real local
binding or stop using the alias: either replace internal references to
PreventedToFetchSelfServer with SelfServerFetchError, or add a local alias
(e.g., const PreventedToFetchSelfServer = SelfServerFetchError;) and keep the
export; update usages accordingly so the symbol referenced in this module is a
real local binding.

♻️ Duplicate comments (1)

packages/federation-sdk/src/services/federation-request.service.ts (1)

213-229: Self-server check is still bypassed by requestBinaryData.

This method calls makeSignedRequest() directly, bypassing the guard in request(). This concern was previously raised and remains unaddressed.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3124d85 and 1a99c38.

📒 Files selected for processing (1)

• packages/federation-sdk/src/services/federation-request.service.ts

🧰 Additional context used

🪛 GitHub Actions: my-workflow

packages/federation-sdk/src/services/federation-request.service.ts

[error] 151-151: TS2304: Cannot find name 'PreventedToFetchSelfServer'.

🔇 Additional comments (1)

packages/federation-sdk/src/services/federation-request.service.ts (1)

44-49: LGTM!

The error class follows best practices for custom errors in TypeScript—extending Error and setting this.name for proper stack trace identification.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@packages/federation-sdk/src/services/federation-request.service.ts`:
- Around line 44-49: SelfServerFetchError is not re-exported from the package
public API; update the module's index.ts to add SelfServerFetchError to the
exported errors (alongside FederationRequestError and the other error classes)
so consumers can import and catch SelfServerFetchError by type—i.e., add
SelfServerFetchError to the existing export list that re-exports from
services/federation-request.service.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1a99c38 and 547a593.

📒 Files selected for processing (1)

• packages/federation-sdk/src/services/federation-request.service.ts

🔇 Additional comments (2)

packages/federation-sdk/src/services/federation-request.service.ts (2)

149-153: LGTM! Self-server guard correctly prevents self-targeted requests.

The guard is properly placed early in the method (before query string construction), providing a fast-fail behavior. The error message is clear and actionable.

---

218-222: LGTM! Addresses the previous bypass concern.

This guard ensures requestBinaryData() also prevents self-targeted requests, addressing the previously identified gap where this method bypassed the check by calling makeSignedRequest() directly.

Note: Per the Codecov report, the patch coverage shows 3 lines missing—likely these guard blocks. Consider adding tests that verify SelfServerFetchError is thrown when targetServer matches serverName in both request() and requestBinaryData().

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify if SelfServerFetchError is exported in the package's public API

# Search for SelfServerFetchError export in index.ts files
echo "=== Checking index.ts exports for SelfServerFetchError ==="
rg -n "SelfServerFetchError" --type ts -g '**/index.ts'

echo ""
echo "=== Checking how FederationRequestError is exported (for comparison) ==="
rg -n "FederationRequestError" --type ts -g '**/index.ts'

echo ""
echo "=== Listing all index.ts files in federation-sdk package ==="
fd -t f 'index.ts' packages/federation-sdk/

Repository: RocketChat/homeserver

Length of output: 416

---

🏁 Script executed:

cat -n packages/federation-sdk/src/index.ts

Repository: RocketChat/homeserver

Length of output: 7078

---

Export SelfServerFetchError in the public API

SelfServerFetchError is not exported in packages/federation-sdk/src/index.ts. Add it alongside FederationRequestError and other error classes so consumers can catch it by type:

export { SelfServerFetchError, FederationRequestError } from './services/federation-request.service';

🤖 Prompt for AI Agents

In `@packages/federation-sdk/src/services/federation-request.service.ts` around
lines 44 - 49, SelfServerFetchError is not re-exported from the package public
API; update the module's index.ts to add SelfServerFetchError to the exported
errors (alongside FederationRequestError and the other error classes) so
consumers can import and catch SelfServerFetchError by type—i.e., add
SelfServerFetchError to the existing export list that re-exports from
services/federation-request.service.