diff --git a/packages/backend/src/server/ActivityPubServerService.ts b/packages/backend/src/server/ActivityPubServerService.ts
index 64bce07a9..43e0e2f32 100644
--- a/packages/backend/src/server/ActivityPubServerService.ts
+++ b/packages/backend/src/server/ActivityPubServerService.ts
@@ -31,6 +31,7 @@ import type { MiNote } from '@/models/Note.js';
 import { QueryService } from '@/core/QueryService.js';
 import { UtilityService } from '@/core/UtilityService.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
+import { UserBlockingService } from '@/core/UserBlockingService.js';
 import { bindThis } from '@/decorators.js';
 import { IActivity } from '@/core/activitypub/type.js';
 import { isPureRenote } from '@/misc/is-pure-renote.js';
@@ -78,6 +79,7 @@ export class ActivityPubServerService {
 private metaService: MetaService,
 private utilityService: UtilityService,
 private userEntityService: UserEntityService,
+ private userBlockingService: UserBlockingService,
 private instanceActorService: InstanceActorService,
 private apRendererService: ApRendererService,
 private apDbResolverService: ApDbResolverService,
@@ -206,6 +208,17 @@ export class ActivityPubServerService {
 return true;
 }
+ if (userId) {
+ /* this check is not really effective, because most requests we
+ get are signed by the remote instance user, not the user
+ who's requesting the information 😭 */
+ const blocked = await this.userBlockingService.checkBlocked(userId, authUser.user.id);
+ if (blocked) {
+ reply.code(401);
+ return true;
+ }
+ }
+
 let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
 if (!httpSignatureValidated) {
@@ -706,6 +719,8 @@ export class ActivityPubServerService {
 return;
 }
+ if (await this.shouldRefuseGetRequest(request, reply, note.userId)) return;
+
 // γƒͺγƒ’γƒΌγƒˆγ γ£γŸγ‚‰γƒͺγƒ€γ‚€γƒ¬γ‚―γƒˆ
 if (note.userHost != null) {
 if (note.uri == null || this.utilityService.isSelfHost(note.userHost)) {
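Review bot: The new `if (userId)` block in the third hunk runs before `httpSignature.verifySignature(signature, authUser.key.keyPem)` has validated the request, so the 401 decision is made on an identity derived from an as-yet-unverified keyId; moving the block after the signature has been validated ties the refusal to a proven sender. Whether a blocked key and a key whose signature fails to validate produce distinguishable responses depends on the not-validated branch, which lies outside the hunk, but if they differ the response reveals the block relationship of the content owner to any user whose keyId is named, without the requester holding that key. The author's own comment already records that the check rarely fires because most requests are signed by the instance actor, and that limitation is worth keeping in a short comment next to the moved check, e.g. `// only meaningful after the signature above has been verified; most GETs are signed by the instance actor`. The enclosing shouldRefuseGetRequest starts before this hunk.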
@@ -739,6 +754,8 @@ export class ActivityPubServerService {
 return;
 }
+ if (await this.shouldRefuseGetRequest(request, reply, note.userId)) return;
+
 if (!this.config.checkActivityPubGetSignature) reply.header('Cache-Control', 'public, max-age=180');
 this.setResponseType(request, reply);
 return (this.apRendererService.addContext(await this.packActivity(note)));
@@ -861,6 +878,8 @@ export class ActivityPubServerService {
 return;
 }
+ if (await this.shouldRefuseGetRequest(request, reply, note.userId)) return;
+
 if (!this.config.checkActivityPubGetSignature) reply.header('Cache-Control', 'public, max-age=180');
 this.setResponseType(request, reply);
 return (this.apRendererService.addContext(await this.apRendererService.renderLike(reaction, note)));
@@ -868,7 +887,7 @@ export class ActivityPubServerService {
 // follow
 fastify.get<{ Params: { follower: string; followee: string; } }>('/follows/:follower/:followee', async (request, reply) => {
- if (await this.shouldRefuseGetRequest(request, reply)) return;
+ if (await this.shouldRefuseGetRequest(request, reply, request.params.follwer)) return;
 // This may be used before the follow is completed, so we do not
 // check if the following exists.
@@ -910,6 +929,8 @@ export class ActivityPubServerService {
 return;
 }
+ if (await this.shouldRefuseGetRequest(request, reply, followRequest.followerId)) return;
+
 const [follower, followee] = await Promise.all([
 this.usersRepository.findOneBy({
 id: followRequest.followerId,
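Review bot: In the hunk that ends with `renderLike(reaction, note)`, the activity being served is authored by the reacting user, yet the refusal check added at the top consults only `note.userId`, so a block placed by the reaction's author is not honoured for this endpoint. If the reaction record loaded before this hunk carries the reacting user's id, the check should cover it as well, e.g. `if (await this.shouldRefuseGetRequest(request, reply, reaction.userId)) return;` immediately after the existing call. The enclosing handler starts before this hunk.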
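Review bot: `request.params.follwer` on the new line of the `/follows/:follower/:followee` hunk misspells the parameter declared as `follower` in the Params type on the line above; if the compiler does not reject the property access, the argument is undefined at runtime and the new `if (userId)` guard in shouldRefuseGetRequest silently skips the block check for this endpoint. The line should read `if (await this.shouldRefuseGetRequest(request, reply, request.params.follower)) return;`. This handler also takes the id straight from the URL, unlike the follow-request hunk below which uses `followRequest.followerId` from a loaded record; that matches the existing comment about the follow possibly not existing yet, but deserves a note such as `// follower id comes from the URL; an unknown id simply yields no block`.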