alemi/upub
alemi/upub
1
0
Fork 1
Code Issues 4 Pull requests Projects Releases Packages 1 Wiki Activity Actions

feat: more federation policies

Browse source 
also allow to prevent access via http signatures or straight out reject
all fetches. note that this last option is rather ineffective as remotes
can just fetch public objects anonimously
This commit is contained in:
əlemi 2024-12-29 03:31:59 +01:00
parent 95d1ab948f
commit e600fbed0f
Signed by: alemi
GPG key ID: A4895B84D311642C
2 changed files with 16 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
upub/core/src/config.rs
View file

@ -136,6 +136,12 @@ pub struct RejectConfig {
#[serde(default)] #[serde(default)]
pub delivery: Vec<String>, pub delivery: Vec<String>,
#[serde(default)]
pub fetch: Vec<String>,
#[serde(default)]
pub access: Vec<String>,
} }
impl Config { impl Config {

14
upub/routes/src/auth.rs
View file

@ -150,10 +150,16 @@ where
return Err(ApiError::unauthorized()); return Err(ApiError::unauthorized());
} }
let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db()) if ctx.cfg().reject.fetch.contains(&user.domain) {
.await? return Err(ApiError::Status(axum::http::StatusCode::UNAVAILABLE_FOR_LEGAL_REASONS));
.ok_or_else(ApiError::internal_server_error)?; // user but not their domain??? }
identity = Identity::Remote { user: user.id, domain: user.domain, internal };
if !ctx.cfg().reject.access.contains(&user.domain) {
let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
.await?
.ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
identity = Identity::Remote { user: user.id, domain: user.domain, internal };
}
}, },
} }