Re-fetch object if attributedTo value doesn't match actor of Create activity

CHANGELOG.md

@@ -8,13 +8,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Added
 
-- Support Monero Wallet RPC authentication.
 - Added `create-user` command.
 
 ### Changed
 
 - Added emoji count check to profile data validator.
 - Check mention and link counts when creating post.
+- Re-fetch object if `attributedTo` value doesn't match `actor` of `Create` activity.
 
 ## [1.20.0] - 2023-03-07
 

src/activitypub/handlers/create.rs

@@ -680,7 +680,7 @@ pub async fn handle_create(
     config: &Config,
     db_client: &mut impl DatabaseClient,
     activity: JsonValue,
-    is_authenticated: bool,
+    mut is_authenticated: bool,
 ) -> HandlerResult {
     let object: Object = serde_json::from_value(activity["object"].to_owned())
         .map_err(|_| ValidationError("invalid object"))?;
@@ -691,6 +691,15 @@ pub async fn handle_create(
         return Ok(None);
     };
 
+    // Verify attribution
+    let actor_id = activity["actor"].as_str()
+        .ok_or(ValidationError("actor property is missing"))?;
+    let author_id = get_object_attributed_to(&object)?;
+    if actor_id != author_id {
+        log::warn!("attributedTo value doesn't match actor");
+        is_authenticated = false; // Object will be fetched
+    };
+
     let object_id = object.id.clone();
     let object_received = if is_authenticated {
         Some(object)