Move the signature verification logic into the Oban worker

2025-04-24 22:07:52 -04:00 · 2023-12-06 13:23:01 -05:00 · 2023-12-06 13:23:01 -05:00 · 33efa1ad23
commit 33efa1ad23
parent c57a15d890
4 changed files with 23 additions and 38 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -272,24 +272,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
    end
  end

-  def inbox(%{assigns: %{valid_signature: true}} = conn, params) do
-    case Federator.incoming_ap_doc(params) do
-      {:ok, %Oban.Job{}} ->
-        json(conn, "ok")
-
-      _ ->
-        conn
-        |> put_status(:internal_server_error)
-        |> json("error")
-    end
-  end
-
-  def inbox(%{assigns: %{valid_signature: false}} = conn, _params) do
-    conn
-    |> put_status(:bad_request)
-    |> json("Invalid HTTP Signature")
-  end
-
  # POST /relay/inbox -or- POST /internal/fetch/inbox
  def inbox(conn, %{"type" => "Create"} = params) do
    if FederatingPlug.federating?() do
@ -302,9 +284,15 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
  end

  def inbox(conn, _params) do
-    conn
-    |> put_status(:bad_request)
-    |> json("error, missing HTTP Signature")
+    case Federator.incoming_ap_doc(conn) do
+      {:ok, %Oban.Job{}} ->
+        json(conn, "ok")
+
+      _ ->
+        conn
+        |> put_status(:internal_server_error)
+        |> json("error")
+    end
  end

  defp post_inbox_relayed_create(conn, params) do
--- a/lib/pleroma/web/federator.ex
+++ b/lib/pleroma/web/federator.ex
@ -36,8 +36,8 @@ defmodule Pleroma.Web.Federator do

  # Client API

-  def incoming_ap_doc(params) do
-    ReceiverWorker.enqueue("incoming_ap_doc", %{"params" => params})
+  def incoming_ap_doc(conn) do
+    ReceiverWorker.enqueue("incoming_ap_doc", %{"conn" => conn})
  end

  @impl true
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -866,12 +866,6 @@ defmodule Pleroma.Web.Router do
    plug(:accepts, ["activity+json", "json"])
  end

-  # Server to Server (S2S) AP interactions
-  pipeline :activitypub do
-    plug(:ap_service_actor)
-    plug(:http_signature)
-  end
-
  # Client to Server (C2S) AP interactions
  pipeline :activitypub_client do
    plug(:ap_service_actor)
@ -897,7 +891,7 @@ defmodule Pleroma.Web.Router do
  end

  scope "/", Pleroma.Web.ActivityPub do
-    pipe_through(:activitypub)
+    pipe_through(:ap_service_actor)
    post("/inbox", ActivityPubController, :inbox)
    post("/users/:nickname/inbox", ActivityPubController, :inbox)
  end
--- a/lib/pleroma/workers/receiver_worker.ex
+++ b/lib/pleroma/workers/receiver_worker.ex
@ -11,22 +11,24 @@ defmodule Pleroma.Workers.ReceiverWorker do

  @impl Oban.Worker
  def perform(%Job{
-        args: %{"op" => "incoming_ap_doc", "params" => params = %{"nickname" => nickname}}
+        args: %{"op" => "incoming_ap_doc", "conn" => conn = %{params: %{"nickname" => nickname}}}
      }) do
-    with {:nickname, %User{} = recipient} <- {:nickname, User.get_cached_by_nickname(nickname)},
-         {:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(params["actor"]),
+    with {:signature, true} <- {:signature, HTTPSignatures.validate_conn(conn)},
+         {:nickname, %User{} = recipient} <- {:nickname, User.get_cached_by_nickname(nickname)},
+         {:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(conn.params["actor"]),
         {:in_message, true} <-
-           {:in_message, Utils.recipient_in_message(recipient, actor, params)},
-         params <- Utils.maybe_splice_recipient(recipient.ap_id, params),
-         {:ok, res} <- Federator.perform(:incoming_ap_doc, params) do
+           {:in_message, Utils.recipient_in_message(recipient, actor, conn.params)},
+         split_params <- Utils.maybe_splice_recipient(recipient.ap_id, conn.params),
+         {:ok, res} <- Federator.perform(:incoming_ap_doc, split_params) do
      {:ok, res}
    else
      e -> process_errors(e)
    end
  end

-  def perform(%Job{args: %{"op" => "incoming_ap_doc", "params" => params}}) do
-    with {:ok, res} <- Federator.perform(:incoming_ap_doc, params) do
+  def perform(%Job{args: %{"op" => "incoming_ap_doc", "conn" => conn}}) do
+    with {:signature, true} <- {:signature, HTTPSignatures.validate_conn(conn)},
+         {:ok, res} <- Federator.perform(:incoming_ap_doc, conn.params) do
      {:ok, res}
    else
      e -> process_errors(e)
@ -43,6 +45,7 @@ defmodule Pleroma.Workers.ReceiverWorker do
      {:error, {:validate_object, reason}} -> {:cancel, reason}
      {:error, {:error, {:validate, reason}}} -> {:cancel, reason}
      {:error, {:reject, reason}} -> {:cancel, reason}
+      {:signature, false} -> {:cancel, :invalid_signature}
      {:nickname, {:error, reason}} -> {:cancel, reason}
      {:in_message, false} -> {:cancel, "Recipient not in message"}
      e -> e