alemi/upub
alemi/upub
1
0
Fork 1
Code Issues 4 Pull requests Projects Releases Packages 1 Wiki Activity Actions

fix: remove excessive instruments, check actor

Browse source 
before we were checking only for server match, now check whole uid match
on inbox activities
This commit is contained in:
əlemi 2024-05-31 15:55:38 +02:00
parent 6469dbe85e
commit 5a57fd69b9
2 changed files with 6 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
upub/routes/src/activitypub/inbox.rs
View file

@ -1,4 +1,4 @@
use apb::{server::Inbox, Activity, ActivityType};
use apb::{server::Inbox, Activity, ActivityType, Base};
use axum::{extract::{Query, State}, http::StatusCode, Json};
use sea_orm::{sea_query::IntoCondition, ColumnTrait};
use upub::{server::auth::{AuthIdentity, Identity}, Context};
@ -38,13 +38,12 @@ macro_rules! pretty_json {
}
#[tracing::instrument(level = "info", skip(ctx), fields(activity = %activity))]
pub async fn post(
State(ctx): State<Context>,
AuthIdentity(auth): AuthIdentity,
Json(activity): Json<serde_json::Value>
) -> upub::Result<()> {
let Identity::Remote { domain: server, .. } = auth else {
let Identity::Remote { domain: server, user: uid, .. } = auth else {
if activity.activity_type() == Some(ActivityType::Delete) {
// this is spammy af, ignore them!
// we basically received a delete for a user we can't fetch and verify, meaning remote
@ -62,15 +61,14 @@ pub async fn post(
}
};
let Some(actor) = activity.actor().id() else {
return Err(upub::Error::bad_request());
};
let aid = activity.id().ok_or_else(|| upub::Error::field("id"))?.to_string();
let actor = activity.actor().id().ok_or_else(|| upub::Error::field("actor"))?;
if server != Context::server(&actor) {
if uid != actor {
return Err(upub::Error::unauthorized());
}
tracing::debug!("processing federated activity: '{}'", serde_json::to_string(&activity).unwrap_or_default());
tracing::debug!("processing federated activity: '{:#}'", activity);
// TODO we could process Links and bare Objects maybe, but probably out of AP spec?
match activity.activity_type().ok_or_else(upub::Error::bad_request)? {

1
upub/routes/src/activitypub/user/outbox.rs
View file

@ -37,7 +37,6 @@ pub async fn page(
.await
}
#[tracing::instrument(level = "info", skip(ctx), fields(activity = %activity))]
pub async fn post(
State(ctx): State<Context>,
Path(id): Path<String>,