From 5fec0c187df6c364f9192b92142564b7e03e1cc8 Mon Sep 17 00:00:00 2001
From: silverpill <silverpill@firemail.cc>
Date: Sun, 8 Jan 2023 23:21:31 +0000
Subject: [PATCH] Sign Move() activity with server key

---
 docs/openapi.yaml                       | 13 ++-------
 src/activitypub/builders/move_person.rs | 15 ++++++----
 src/mastodon_api/accounts/types.rs      |  5 ----
 src/mastodon_api/accounts/views.rs      | 24 ----------------
 src/mastodon_api/settings/views.rs      | 37 ++++++++-----------------
 5 files changed, 23 insertions(+), 71 deletions(-)

diff --git a/docs/openapi.yaml b/docs/openapi.yaml
index 5dfeb6f..e8a0ac7 100644
--- a/docs/openapi.yaml
+++ b/docs/openapi.yaml
@@ -738,7 +738,7 @@ paths:
                 user2@example.org
   /api/v1/settings/move_followers:
     post:
-      summary: Build Move(Person) activity for signing (experimental).
+      summary: Move followers from remote alias.
       requestBody:
         content:
           application/json:
@@ -761,15 +761,7 @@ paths:
           content:
             application/json:
               schema:
-                type: object
-                properties:
-                  params:
-                    description: Activity parameters
-                    $ref: '#/components/schemas/ActivityParameters'
-                  message:
-                    description: Canonical representation of activity.
-                    type: string
-                    example: '{"type":"Move"}'
+                $ref: '#/components/schemas/AccountWithSource'
         400:
           description: Invalid data.
   /api/v1/statuses:
@@ -1332,7 +1324,6 @@ components:
           description: Activity type
           type: string
           enum:
-            - move
             - update
     Attachment:
       type: object
diff --git a/src/activitypub/builders/move_person.rs b/src/activitypub/builders/move_person.rs
index 9420e1f..60f6939 100644
--- a/src/activitypub/builders/move_person.rs
+++ b/src/activitypub/builders/move_person.rs
@@ -10,6 +10,7 @@ use crate::activitypub::{
 };
 use crate::config::Instance;
 use crate::models::users::types::User;
+use crate::utils::id::new_uuid;
 
 #[derive(Serialize)]
 pub struct MovePerson {
@@ -32,9 +33,11 @@ pub fn build_move_person(
     sender: &User,
     from_actor_id: &str,
     followers: &[String],
-    internal_activity_id: &Uuid,
+    maybe_internal_activity_id: Option<&Uuid>,
 ) -> MovePerson {
-    let activity_id = local_object_id(instance_url, internal_activity_id);
+    let internal_activity_id = maybe_internal_activity_id.copied()
+        .unwrap_or(new_uuid());
+    let activity_id = local_object_id(instance_url, &internal_activity_id);
     let actor_id = local_actor_id(instance_url, &sender.profile.username);
     MovePerson {
         context: AP_CONTEXT.to_string(),
@@ -47,12 +50,12 @@ pub fn build_move_person(
     }
 }
 
-pub fn prepare_signed_move_person(
+pub fn prepare_move_person(
     instance: &Instance,
     sender: &User,
     from_actor_id: &str,
     followers: Vec<Actor>,
-    internal_activity_id: &Uuid,
+    maybe_internal_activity_id: Option<&Uuid>,
 ) -> OutgoingActivity {
     let followers_ids: Vec<String> = followers.iter()
         .map(|actor| actor.id.clone())
@@ -62,7 +65,7 @@ pub fn prepare_signed_move_person(
         sender,
         from_actor_id,
         &followers_ids,
-        internal_activity_id,
+        maybe_internal_activity_id,
     );
     OutgoingActivity::new(
         instance,
@@ -100,7 +103,7 @@ mod tests {
             &sender,
             from_actor_id,
             &followers,
-            &internal_activity_id,
+            Some(&internal_activity_id),
         );
 
         assert_eq!(
diff --git a/src/mastodon_api/accounts/types.rs b/src/mastodon_api/accounts/types.rs
index e66414c..362c756 100644
--- a/src/mastodon_api/accounts/types.rs
+++ b/src/mastodon_api/accounts/types.rs
@@ -308,11 +308,6 @@ impl AccountUpdateData {
 #[derive(Serialize, Deserialize)]
 #[serde(tag = "type", rename_all = "kebab-case")]
 pub enum ActivityParams {
-    Move {
-        internal_activity_id: Uuid,
-        from_actor_id: String,
-        followers: Vec<String>,
-    },
     Update { internal_activity_id: Uuid },
 }
 
diff --git a/src/mastodon_api/accounts/views.rs b/src/mastodon_api/accounts/views.rs
index 7c87e4e..051c84d 100644
--- a/src/mastodon_api/accounts/views.rs
+++ b/src/mastodon_api/accounts/views.rs
@@ -7,9 +7,6 @@ use uuid::Uuid;
 
 use crate::activitypub::builders::{
     follow::prepare_follow,
-    move_person::{
-        prepare_signed_move_person,
-    },
     undo_follow::prepare_undo_follow,
     update_person::{
         build_update_person,
@@ -49,7 +46,6 @@ use crate::models::posts::queries::get_posts_by_author;
 use crate::models::profiles::queries::{
     get_profile_by_acct,
     get_profile_by_id,
-    get_profile_by_remote_actor_id,
     search_profiles_by_did,
     update_profile,
 };
@@ -275,26 +271,6 @@ async fn send_signed_activity(
         return Err(ValidationError("unknown signer").into());
     };
     let mut outgoing_activity = match &data.params {
-        ActivityParams::Move {
-            internal_activity_id,
-            from_actor_id,
-            followers: followers_ids,
-        } => {
-            let mut followers = vec![];
-            for actor_id in followers_ids {
-                let remote_actor = get_profile_by_remote_actor_id(db_client, actor_id)
-                    .await?
-                    .actor_json.ok_or(HttpError::InternalError)?;
-                followers.push(remote_actor);
-            };
-            prepare_signed_move_person(
-                &config.instance(),
-                &current_user,
-                from_actor_id,
-                followers,
-                internal_activity_id,
-            )
-        },
         ActivityParams::Update { internal_activity_id } => {
             prepare_update_person(
                 db_client,
diff --git a/src/mastodon_api/settings/views.rs b/src/mastodon_api/settings/views.rs
index 9a90918..21c6dd9 100644
--- a/src/mastodon_api/settings/views.rs
+++ b/src/mastodon_api/settings/views.rs
@@ -6,7 +6,7 @@ use actix_web_httpauth::extractors::bearer::BearerAuth;
 use crate::activitypub::{
     actors::types::ActorAddress,
     builders::{
-        move_person::build_move_person,
+        move_person::prepare_move_person,
         undo_follow::prepare_undo_follow,
     },
 };
@@ -14,7 +14,7 @@ use crate::config::Config;
 use crate::database::{get_database_client, DatabaseError, DbPool};
 use crate::errors::{HttpError, ValidationError};
 use crate::mastodon_api::{
-    accounts::types::{Account, ActivityParams, UnsignedActivity},
+    accounts::types::Account,
     oauth::auth::get_current_user,
 };
 use crate::models::{
@@ -23,11 +23,7 @@ use crate::models::{
     relationships::queries::{follow, unfollow},
     users::queries::set_user_password,
 };
-use crate::utils::{
-    canonicalization::canonicalize_object,
-    id::new_uuid,
-    passwords::hash_password,
-};
+use crate::utils::passwords::hash_password;
 use super::helpers::{export_followers, export_follows};
 use super::types::{MoveFollowersRequest, PasswordChangeRequest};
 
@@ -121,7 +117,7 @@ async fn move_followers(
         let follower = get_profile_by_acct(db_client, &follower_acct).await?;
         if let Some(remote_actor) = follower.actor_json {
             // Add remote actor to activity recipients list
-            followers.push(remote_actor.id);
+            followers.push(remote_actor);
         } else {
             // Immediately move local followers (only if alias can be verified)
             if let Some(ref from_profile) = maybe_from_profile {
@@ -152,25 +148,16 @@ async fn move_followers(
             };
         };
     };
-    let internal_activity_id = new_uuid();
-    let activity = build_move_person(
-        &config.instance_url(),
+    prepare_move_person(
+        &config.instance(),
         &current_user,
         &request_data.from_actor_id,
-        &followers,
-        &internal_activity_id,
-    );
-    let canonical_json = canonicalize_object(&activity)
-        .map_err(|_| HttpError::InternalError)?;
-    let data = UnsignedActivity {
-        params: ActivityParams::Move {
-            internal_activity_id,
-            from_actor_id: request_data.from_actor_id.clone(),
-            followers,
-        },
-        message: canonical_json,
-    };
-    Ok(HttpResponse::Ok().json(data))
+        followers,
+        None,
+    ).enqueue(db_client).await?;
+
+    let account = Account::from_user(current_user, &config.instance_url());
+    Ok(HttpResponse::Ok().json(account))
 }
 
 pub fn settings_api_scope() -> Scope {