activitypub inbox: only accept unsigned/invalid-signature relayed creates, nothing else

although the previous handling assumed any unsigned/invalid signature message was a Create, lets make it more explicit
2018-09-28 00:01:54 +00:00 · 2018-09-28 00:01:54 +00:00 · 5c312ad677
parent 6258ddaa60
commit 5c312ad677
1 changed files with 17 additions and 7 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -93,19 +93,29 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
    json(conn, "ok")
  end

+  # only accept relayed Creates
+  def inbox(conn, %{"type" => "Create"} = params) do
+    Logger.info(
+      "Signature missing or not from author, relayed Create message, fetching object from source"
+    )
+
+    ActivityPub.fetch_object_from_id(params["object"]["id"])
+
+    json(conn, "ok")
+  end
+
  def inbox(conn, params) do
    headers = Enum.into(conn.req_headers, %{})

-    if !String.contains?(headers["signature"] || "", params["actor"]) do
-      Logger.info("Signature not from author, relayed message, fetching from source")
-      ActivityPub.fetch_object_from_id(params["object"]["id"])
-    else
-      Logger.info("Signature error - make sure you are forwarding the HTTP Host header!")
-      Logger.info("Could not validate #{params["actor"]}")
+    if String.contains?(headers["signature"], params["actor"]) do
+      Logger.info(
+        "Signature validation error for: #{params["actor"]}, make sure you are forwarding the HTTP Host header!"
+      )
+
      Logger.info(inspect(conn.req_headers))
    end

-    json(conn, "ok")
+    json(conn, "error")
  end

  def relay(conn, params) do