From 134bbcf981de6bb41dce31a5c7e0996ebcd3a9a4 Mon Sep 17 00:00:00 2001
From: Jason Little
Date: Mon, 30 Jun 2025 12:25:55 -0500
Subject: [PATCH] feat: Optionally require S2S auth for the server /version endpoint

Adds a new setting that defaults to 'False' for root level yaml configuration `require_auth_for_server_version`: boolean
---
 synapse/config/server.py                       |  6 +++++
 .../federation/transport/server/federation.py  | 12 ++++++++++
 .../transport/server/test_federation.py        | 23 +++++++++++++++++++
 3 files changed, 41 insertions(+)
 create mode 100644 tests/federation/transport/server/test_federation.py

diff --git a/synapse/config/server.py b/synapse/config/server.py
index 6893450989..29510cec27 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -409,6 +409,12 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
             "require_auth_for_profile_requests", False
         )
 
+        # Whether to require federation(server) authentication for the server /version
+        # endpoint.
+        self.require_auth_for_server_version = config.get(
+            "require_auth_for_server_version", False
+        )
+
         # Whether to require sharing a room with a user to retrieve their
         # profile data
         self.limit_profile_requests_to_users_who_share_rooms = config.get(
diff --git a/synapse/federation/transport/server/federation.py b/synapse/federation/transport/server/federation.py
index eb96ff27f9..dfc98c8c24 100644
--- a/synapse/federation/transport/server/federation.py
+++ b/synapse/federation/transport/server/federation.py
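Review bot: The new `config.get("require_auth_for_server_version", False)` is stored without any type check, so a YAML value such as `"false"`, `"no"` or `0` is accepted and later applied by truthiness in the servlet (a non-empty string enables auth; `null` disables it) instead of failing at startup. For a switch that changes which requests get a 401 it is worth validating once here, e.g. `if not isinstance(self.require_auth_for_server_version, bool): raise ConfigError("require_auth_for_server_version must be a boolean")`, assuming `ConfigError` is already imported in this module as it is for the neighbouring settings. The diffstat also lists no documentation file, so the option is missing from the configuration documentation; the inline comment could say what the default means, `# Defaults to False: /version stays reachable without a federation signature, as the spec expects.`. The `read_config` method continues on both sides of this hunk.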
@@ -678,6 +678,18 @@ class FederationVersionServlet(BaseFederationServlet):
 
     REQUIRE_AUTH = False
 
+    def __init__(
+        self,
+        hs: "HomeServer",
+        authenticator: Authenticator,
+        ratelimiter: FederationRateLimiter,
+        server_name: str,
+    ):
+        # Enable auth on the /version endpoint if enabled. Not sure how many
+        # ramifications this will end up having.
+        self.REQUIRE_AUTH = hs.config.server.require_auth_for_server_version
+        super().__init__(hs, authenticator, ratelimiter, server_name)
+
     async def on_GET(
         self,
         origin: Optional[str],
diff --git a/tests/federation/transport/server/test_federation.py b/tests/federation/transport/server/test_federation.py
new file mode 100644
index 0000000000..f9a406a905
--- /dev/null
+++ b/tests/federation/transport/server/test_federation.py
@@ -0,0 +1,23 @@
+from synapse.types import JsonDict
+
+from tests import unittest
+
+
+class TestAuthenticatedFederationVersionEndpoint(unittest.FederatingHomeserverTestCase):
+    def default_config(self) -> JsonDict:
+        config = super().default_config()
+        config.update({"require_auth_for_server_version": True})
+        return config
+
+    def test_endpoint(self) -> None:
+        # Un-authed requests to endpoints that require them return a 401
+        channel = self.make_request(
+            "GET", "/_matrix/federation/v1/version", shorthand=False
+        )
+        assert channel.code == 401, channel
+
+        # Authing the request works as expected
+        channel = self.make_signed_federation_request(
+            "GET", "/_matrix/federation/v1/version"
+        )
+        assert channel.code == 200, channel
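Review bot: The comment `# Not sure how many ramifications this will end up having.` should not ship in the `__init__` override; it records doubt rather than the trade-off an operator or maintainer needs, and the `REQUIRE_AUTH = False` class attribute a few lines above is left without any hint that an instance attribute now shadows it. As far as I recall the federation spec treats `/version` as an unauthenticated endpoint that other homeservers and monitoring tooling probe, so enabling this option turns those probes into 401s, which is the deliberate hardening trade-off the comment should state; something like `# /version is normally served without server-to-server auth. When the operator opts in via require_auth_for_server_version, unauthenticated probes (including other homeservers) get a 401 instead.` Setting `self.REQUIRE_AUTH` before `super().__init__` only takes effect if `BaseFederationServlet` reads the attribute through `self` at request time, which is outside this hunk; the new test's 401 assertion would catch the no-op case, but a one-line note saying the override relies on that would save the next reader the lookup. The `on_GET` method continues past the end of the hunk.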
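Review bot: The new test file only exercises the opt-in path; nothing asserts that the default configuration still serves `/version` without a signature, so a regression that flipped the default to require auth would pass CI while breaking every unauthenticated version probe from other servers. A second test case with the stock `default_config` and a 200 expectation closes that gap. Within `test_endpoint` the bare `assert channel.code == 401, channel` statements would be stripped under `python -O`, and the surrounding suite (being a `unittest`-derived `FederatingHomeserverTestCase`) presumably uses `self.assertEqual(channel.code, 401, channel)`, which also produces a clearer failure message; if the project requires a licence header on new test files, this one is missing it.
```python
class TestUnauthenticatedFederationVersionEndpoint(unittest.FederatingHomeserverTestCase):
    def test_endpoint(self) -> None:
        # Default config: /version stays reachable without a federation signature.
        channel = self.make_request(
            "GET", "/_matrix/federation/v1/version", shorthand=False
        )
        self.assertEqual(channel.code, 200, channel)
```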