apf part 06: reject any ActivityPub activity from a local actor

2025-01-23 19:36:56 -08:00 · 2024-11-18 17:47:26 +00:00 · 2024-11-18 17:47:26 +00:00 · 479bbe4dcc
commit 479bbe4dcc
parent 20f17000f5
1 changed files with 17 additions and 4 deletions
--- a/app/activitypub/routes.py
+++ b/app/activitypub/routes.py
@ -442,6 +442,23 @@ def shared_inbox():
                actor.ap_fetched_at = utcnow()                  # use stored pubkey, don't try to re-fetch for next step (signature verification)
                db.session.commit()

+    actor = find_actor_or_create(request_json['actor'])
+    if not actor:
+        actor_name = request_json['actor']
+        log_incoming_ap(request_json['id'], APLOG_NOTYPE, APLOG_FAILURE, request_json if store_ap_json else None, f'Actor could not be found 1: {actor_name}')
+        return '', 400
+
+    if actor.is_local():        # should be impossible (can be Announced back, but not sent without access to privkey)
+        log_incoming_ap(request_json['id'], APLOG_NOTYPE, APLOG_FAILURE, request_json if store_ap_json else None, 'ActivityPub activity from a local actor')
+        return '', 400
+    else:
+        actor.instance.last_seen = utcnow()
+        actor.instance.dormant = False
+        actor.instance.gone_forever = False
+        actor.instance.failures = 0
+        actor.instance.ip_address = ip_address()
+        db.session.commit()
+
    if request.method == 'POST':
        # save all incoming data to aid in debugging and development. Set result to 'success' if things go well
        activity_log = ActivityPubLog(direction='in', result='failure')
@ -462,7 +479,6 @@ def shared_inbox():
                    process_delete_request.delay(request_json, activity_log.id, ip_address())
                return ''

-        actor = find_actor_or_create(request_json['actor']) if 'actor' in request_json else None
        if actor is not None:
            try:
                HttpSignature.verify_request(request, actor.public_key, skip_date=True)
@ -476,9 +492,6 @@ def shared_inbox():
                activity_log.result = 'failure'
                db.session.commit()
                return '', 400
-        else:
-            actor_name = request_json['actor'] if 'actor' in request_json else ''
-            activity_log.exception_message = f'Actor could not be found 1: {actor_name}'

        if activity_log.exception_message is not None:
            activity_log.result = 'failure'