feat: implement attachLdSignatureForRelays
to control signing of Relayed activities
This commit is contained in:
parent
c344705d67
commit
32872181dd
@ -198,8 +198,10 @@ proxyRemoteFiles: true
|
||||
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
||||
#videoThumbnailGenerator: https://example.com
|
||||
|
||||
# Sign to ActivityPub GET request (default: true)
|
||||
# Sign outgoing ActivityPub GET request (default: true)
|
||||
signToActivityPubGet: true
|
||||
# Sign outgoing ActivityPub Activities (default: true)
|
||||
attachLdSignatureForRelays: true
|
||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||
checkActivityPubGetSignature: false
|
||||
|
||||
|
@ -270,8 +270,10 @@ proxyRemoteFiles: true
|
||||
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
||||
#videoThumbnailGenerator: https://example.com
|
||||
|
||||
# Sign to ActivityPub GET request (default: true)
|
||||
# Sign outgoing ActivityPub GET request (default: true)
|
||||
signToActivityPubGet: true
|
||||
# Sign outgoing ActivityPub Activities (default: true)
|
||||
attachLdSignatureForRelays: true
|
||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||
checkActivityPubGetSignature: false
|
||||
|
||||
|
@ -285,8 +285,10 @@ proxyRemoteFiles: true
|
||||
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
||||
#videoThumbnailGenerator: https://example.com
|
||||
|
||||
# Sign to ActivityPub GET request (default: true)
|
||||
# Sign outgoing ActivityPub GET request (default: true)
|
||||
signToActivityPubGet: true
|
||||
# Sign outgoing ActivityPub Activities (default: true)
|
||||
attachLdSignatureForRelays: true
|
||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||
checkActivityPubGetSignature: false
|
||||
|
||||
|
@ -208,8 +208,10 @@ id: "aidx"
|
||||
# Media Proxy
|
||||
#mediaProxy: https://example.com/proxy
|
||||
|
||||
# Sign to ActivityPub GET request (default: true)
|
||||
# Sign outgoing ActivityPub GET request (default: true)
|
||||
signToActivityPubGet: true
|
||||
# Sign outgoing ActivityPub Activities (default: true)
|
||||
attachLdSignatureForRelays: true
|
||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||
checkActivityPubGetSignature: false
|
||||
|
||||
|
@ -95,6 +95,7 @@ type Source = {
|
||||
customMOTD?: string[];
|
||||
|
||||
signToActivityPubGet?: boolean;
|
||||
attachLdSignatureForRelays?: boolean;
|
||||
checkActivityPubGetSignature?: boolean;
|
||||
|
||||
perChannelMaxNoteCacheCount?: number;
|
||||
@ -161,6 +162,7 @@ export type Config = {
|
||||
proxyRemoteFiles: boolean | undefined;
|
||||
customMOTD: string[] | undefined;
|
||||
signToActivityPubGet: boolean;
|
||||
attachLdSignatureForRelays: boolean;
|
||||
checkActivityPubGetSignature: boolean | undefined;
|
||||
|
||||
version: string;
|
||||
@ -291,6 +293,7 @@ export function loadConfig(): Config {
|
||||
proxyRemoteFiles: config.proxyRemoteFiles,
|
||||
customMOTD: config.customMOTD,
|
||||
signToActivityPubGet: config.signToActivityPubGet ?? true,
|
||||
attachLdSignatureForRelays: config.attachLdSignatureForRelays ?? true,
|
||||
checkActivityPubGetSignature: config.checkActivityPubGetSignature,
|
||||
mediaProxy: externalMediaProxy ?? internalMediaProxy,
|
||||
externalMediaProxyEnabled: externalMediaProxy !== null && externalMediaProxy !== internalMediaProxy,
|
||||
|
@ -9,7 +9,7 @@ import { In } from 'typeorm';
|
||||
import * as mfm from '@transfem-org/sfm-js';
|
||||
import {DI} from '@/di-symbols.js';
|
||||
import type {Config} from '@/config.js';
|
||||
import type { MiPartialLocalUser, MiLocalUser, MiPartialRemoteUser, MiRemoteUser, MiUser } from '@/models/User.js';
|
||||
import type {MiLocalUser, MiPartialLocalUser, MiPartialRemoteUser, MiRemoteUser, MiUser} from '@/models/User.js';
|
||||
import type {IMentionedRemoteUsers, MiNote} from '@/models/Note.js';
|
||||
import type {MiBlocking} from '@/models/Blocking.js';
|
||||
import type {MiRelay} from '@/models/Relay.js';
|
||||
@ -23,7 +23,14 @@ import { MfmService } from '@/core/MfmService.js';
|
||||
import {UserEntityService} from '@/core/entities/UserEntityService.js';
|
||||
import {DriveFileEntityService} from '@/core/entities/DriveFileEntityService.js';
|
||||
import type {MiUserKeypair} from '@/models/UserKeypair.js';
|
||||
import type { UsersRepository, UserProfilesRepository, NotesRepository, DriveFilesRepository, PollsRepository, InstancesRepository } from '@/models/_.js';
|
||||
import type {
|
||||
DriveFilesRepository,
|
||||
InstancesRepository,
|
||||
NotesRepository,
|
||||
PollsRepository,
|
||||
UserProfilesRepository,
|
||||
UsersRepository
|
||||
} from '@/models/_.js';
|
||||
import {bindThis} from '@/decorators.js';
|
||||
import {CustomEmojiService} from '@/core/CustomEmojiService.js';
|
||||
import {isNotNull} from '@/misc/is-not-null.js';
|
||||
@ -32,7 +39,33 @@ import { MetaService } from '../MetaService.js';
|
||||
import {JsonLdService} from './JsonLdService.js';
|
||||
import {ApMfmService} from './ApMfmService.js';
|
||||
import {CONTEXT} from './misc/contexts.js';
|
||||
import type { IAccept, IActivity, IAdd, IAnnounce, IApDocument, IApEmoji, IApHashtag, IApImage, IApMention, IBlock, ICreate, IDelete, IFlag, IFollow, IKey, ILike, IMove, IObject, IPost, IQuestion, IReject, IRemove, ITombstone, IUndo, IUpdate } from './type.js';
|
||||
import type {
|
||||
IAccept,
|
||||
IActivity,
|
||||
IAdd,
|
||||
IAnnounce,
|
||||
IApDocument,
|
||||
IApEmoji,
|
||||
IApHashtag,
|
||||
IApImage,
|
||||
IApMention,
|
||||
IBlock,
|
||||
ICreate,
|
||||
IDelete,
|
||||
IFlag,
|
||||
IFollow,
|
||||
IKey,
|
||||
ILike,
|
||||
IMove,
|
||||
IObject,
|
||||
IPost,
|
||||
IQuestion,
|
||||
IReject,
|
||||
IRemove,
|
||||
ITombstone,
|
||||
IUndo,
|
||||
IUpdate
|
||||
} from './type.js';
|
||||
|
||||
@Injectable()
|
||||
export class ApRendererService {
|
||||
@ -793,6 +826,12 @@ export class ApRendererService {
|
||||
|
||||
@bindThis
|
||||
public async attachLdSignature(activity: any, user: { id: MiUser['id']; host: null; }): Promise<IActivity> {
|
||||
// When using authorized fetch, Linked Data signatures are often undesired (as it can allow blocked instances to bypass the check).
|
||||
// We allow admins to disable LD signatures for increased privacy, at the expense of increased incoming fetch (GET) requests.
|
||||
if (!this.config.attachLdSignatureForRelays) {
|
||||
return activity;
|
||||
}
|
||||
|
||||
const keypair = await this.userKeypairService.getUserKeypair(user.id);
|
||||
|
||||
const jsonLd = this.jsonLdService.use();
|
||||
|
Loading…
Reference in New Issue
Block a user