Accept Delete(Person) activities if HTTP signature is correct

2022-05-30 17:35:43 +00:00 · 2022-05-30 17:35:43 +00:00 · c89ee4fd7b
commit c89ee4fd7b
parent b95d409010
2 changed files with 20 additions and 18 deletions
--- a/src/activitypub/receiver.rs
+++ b/src/activitypub/receiver.rs
@ -163,16 +163,6 @@ pub async fn receive_activity(
    request: &HttpRequest,
    activity_raw: &Value,
 ) -> Result<(), HttpError> {
-    let signer = verify_http_signature(config, db_client, request).await.map_err(|err| {
-        log::warn!("invalid signature: {}", err);
-        HttpError::AuthError("invalid signature")
-    })?;
-    let signer_id = signer.actor_id(&config.instance_url());
-    log::debug!("activity signed by {}", signer_id);
-    if config.blocked_instances.iter().any(|instance| signer.acct.contains(instance)) {
-        return Err(HttpError::ValidationError("instance is blocked".into()));
-    };
-
    let activity: Activity = serde_json::from_value(activity_raw.clone())
        .map_err(|_| ValidationError("invalid activity"))?;
    let activity_type = activity.activity_type.clone();
@ -180,6 +170,25 @@ pub async fn receive_activity(
    let maybe_object_type = activity.object.get("type")
        .and_then(|val| val.as_str())
        .unwrap_or("Unknown");
+
+    let signer = match verify_http_signature(config, db_client, request).await {
+        Ok(signer) => signer,
+        Err(error) => {
+            let object_id = get_object_id(activity.object)?;
+            if activity_type == DELETE && activity.actor == object_id {
+                // Ignore Delete(Person) activities without HTTP signatures
+                return Ok(());
+            };
+            log::warn!("invalid signature: {}", error);
+            return Err(HttpError::AuthError("invalid signature"));
+        },
+    };
+    let signer_id = signer.actor_id(&config.instance_url());
+    log::debug!("activity signed by {}", signer_id);
+    if config.blocked_instances.iter().any(|instance| signer.acct.contains(instance)) {
+        return Err(HttpError::ValidationError("instance is blocked".into()));
+    };
+
    let object_type = match (activity_type.as_str(), maybe_object_type) {
        (ACCEPT, FOLLOW) => {
            require_actor_signature(&activity.actor, &signer_id)?;
--- a/src/activitypub/views.rs
+++ b/src/activitypub/views.rs
@ -24,7 +24,6 @@ use super::collections::{
 };
 use super::constants::ACTIVITY_CONTENT_TYPE;
 use super::receiver::receive_activity;
-use super::vocabulary::DELETE;

 pub fn get_actor_url(instance_url: &str, username: &str) -> String {
    format!("{}/users/{}", instance_url, username)
@ -109,13 +108,7 @@ async fn inbox(
 ) -> Result<HttpResponse, HttpError> {
    log::debug!("received activity: {}", activity);
    let activity_type = activity["type"].as_str().unwrap_or("Unknown");
-    if activity_type == DELETE && activity["actor"] == activity["object"] {
-        // Ignore Delete(Person) activities and skip signature verification
-        log::info!("received in {}: Delete(Person)", request.uri().path());
-        return Ok(HttpResponse::Ok().finish());
-    } else {
-        log::info!("received in {}: {}", request.uri().path(), activity_type);
-    };
+    log::info!("received in {}: {}", request.uri().path(), activity_type);
    let now = Instant::now();
    // Store mutex guard in a variable to prevent it from being dropped immediately
    let _guard = inbox_mutex.lock().await;