Wire up stub routes for client calls of activitypub inbox/outbox

Code style: remove wrapping function of outbox
2018-12-29 18:01:15 +01:00 · 2018-12-29 18:01:15 +01:00 · aa082ca7b6
parent f5d7b0003e
commit aa082ca7b6
4 changed files with 87 additions and 6 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -93,19 +93,15 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
    end
  end

-  def outbox(conn, %{"nickname" => nickname, "max_id" => max_id}) do
+  def outbox(conn, %{"nickname" => nickname} = params) do
    with %User{} = user <- User.get_cached_by_nickname(nickname),
         {:ok, user} <- Pleroma.Web.WebFinger.ensure_keys_present(user) do
      conn
      |> put_resp_header("content-type", "application/activity+json")
-      |> json(UserView.render("outbox.json", %{user: user, max_id: max_id}))
+      |> json(UserView.render("outbox.json", %{user: user, max_id: params["max_id"]}))
    end
  end

-  def outbox(conn, %{"nickname" => nickname}) do
-    outbox(conn, %{"nickname" => nickname, "max_id" => nil})
-  end
-
  def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
    with %User{} = user <- User.get_cached_by_nickname(nickname),
         true <- Utils.recipient_in_message(user.ap_id, params),
@ -156,6 +152,34 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
    end
  end

+  def read_inbox(%{assigns: %{user: user}} = conn, %{"nickname" => nickname} = params) do
+    if nickname == user.nickname do
+      Logger.info("read inbox #{inspect(params)}")
+
+      conn
+      |> put_resp_header("content-type", "application/activity+json")
+      |> json("ok!")
+    else
+      conn
+      |> put_status(:forbidden)
+      |> json("can't read inbox of #{nickname} as #{user.nickname}")
+    end
+  end
+
+  def update_outbox(%{assigns: %{user: user}} = conn, %{"nickname" => nickname} = params) do
+    if nickname == user.nickname do
+      Logger.info("update outbox #{inspect(params)}")
+
+      conn
+      |> put_status(:created)
+      |> json("ok!")
+    else
+      conn
+      |> put_status(:forbidden)
+      |> json("can't update outbox of #{nickname} as #{user.nickname}")
+    end
+  end
+
  def errors(conn, {:error, :not_found}) do
    conn
    |> put_status(404)
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -412,6 +412,27 @@ defmodule Pleroma.Web.Router do
    get("/users/:nickname/outbox", ActivityPubController, :outbox)
  end

+  pipeline :activitypub_client do
+    plug(:accepts, ["activity+json"])
+    plug(:fetch_session)
+    plug(Pleroma.Plugs.OAuthPlug)
+    plug(Pleroma.Plugs.BasicAuthDecoderPlug)
+    plug(Pleroma.Plugs.UserFetcherPlug)
+    plug(Pleroma.Plugs.SessionAuthenticationPlug)
+    plug(Pleroma.Plugs.LegacyAuthenticationPlug)
+    plug(Pleroma.Plugs.AuthenticationPlug)
+    plug(Pleroma.Plugs.UserEnabledPlug)
+    plug(Pleroma.Plugs.SetUserSessionIdPlug)
+    plug(Pleroma.Plugs.EnsureUserKeyPlug)
+  end
+
+  scope "/", Pleroma.Web.ActivityPub do
+    pipe_through([:activitypub_client])
+
+    get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
+    post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
+  end
+
  scope "/relay", Pleroma.Web.ActivityPub do
    pipe_through(:ap_relay)
    get("/", ActivityPubController, :relay)
--- a/test/fixtures/activitypub-client-post-activity.json
+++ b/test/fixtures/activitypub-client-post-activity.json
@ -0,0 +1,9 @@
+{
+  "@context": ["https://www.w3.org/ns/activitystreams", {"@language": "en-GB"}],
+  "type": "Create",
+  "object": {
+    "type": "Note",
+    "content": "It's a note"
+  },
+  "to": ["https://www.w3.org/ns/activitystreams#Public"]
+}
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@ -112,6 +112,19 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
      :timer.sleep(500)
      assert Activity.get_by_ap_id(data["id"])
    end
+
+    test "it rejects reads from other users", %{conn: conn} do
+      user = insert(:user)
+      otheruser = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, otheruser)
+        |> put_req_header("accept", "application/activity+json")
+        |> get("/users/#{user.nickname}/inbox")
+
+      assert json_response(conn, 403)
+    end
  end

  describe "/users/:nickname/outbox" do
@ -138,6 +151,20 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do

      assert response(conn, 200) =~ announce_activity.data["object"]
    end
+
+    test "it rejects posts from other users", %{conn: conn} do
+      data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+      user = insert(:user)
+      otheruser = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, otheruser)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/outbox", data)
+
+      assert json_response(conn, 403)
+    end
  end

  describe "/users/:nickname/followers" do