Merge branch 'fix/authenticated-remote-note-lookups' of https://codeberg.org/e2net/calckey into e2net-fix/authenticated-remote-note-lookups

packages/backend/src/remote/activitypub/check-fetch.ts

@@ -95,3 +95,79 @@ export async function checkFetch(req: IncomingMessage): Promise<number> {
 	}
 	return 200;
 }
+
+export async function getSignatureUser(
+	req: IncomingMessage,
+): Promise<CacheableRemoteUser> {
+	let authUser;
+	const meta = await fetchMeta();
+	if (meta.secureMode || meta.privateMode) {
+		let signature;
+
+		try {
+			signature = httpSignature.parseRequest(req, { headers: [] });
+		} catch (e) {
+			return null;
+		}
+
+		const keyId = new URL(signature.keyId);
+		const host = toPuny(keyId.hostname);
+
+		if (await shouldBlockInstance(host, meta)) {
+			return 403;
+		}
+
+		if (
+			meta.privateMode &&
+			host !== config.host &&
+			!meta.allowedHosts.includes(host)
+		) {
+			return null;
+		}
+
+		const keyIdLower = signature.keyId.toLowerCase();
+		if (keyIdLower.startsWith("acct:")) {
+			// Old keyId is no longer supported.
+			return null;
+		}
+
+		const dbResolver = new DbResolver();
+
+		// HTTP-Signature keyIdを元にDBから取得
+		authUser = await dbResolver.getAuthUserFromKeyId(signature.keyId);
+
+		// keyIdでわからなければ、resolveしてみる
+		if (authUser == null) {
+			try {
+				keyId.hash = "";
+				authUser = await dbResolver.getAuthUserFromApId(
+					getApId(keyId.toString()),
+				);
+			} catch (e) {
+				// できなければ駄目
+				return null;
+			}
+		}
+
+		// publicKey がなくても終了
+		if (authUser?.key == null) {
+			return null;
+		}
+
+		// もう一回チェック
+		if (authUser.user.host !== host) {
+			return null;
+		}
+
+		// HTTP-Signatureの検証
+		const httpSignatureValidated = httpSignature.verifySignature(
+			signature,
+			authUser.key.keyPem,
+		);
+
+		if (!httpSignatureValidated) {
+			return null;
+		}
+	}
+	return authUser;
+}

packages/backend/src/remote/activitypub/request.ts

@@ -3,6 +3,7 @@ import { getUserKeypair } from "@/misc/keypair-store.js";
 import type { User } from "@/models/entities/user.js";
 import { getResponse } from "../../misc/fetch.js";
 import { createSignedPost, createSignedGet } from "./ap-request.js";
+import { apLogger } from "@/remote/activitypub/logger.js";
 
 export default async (user: { id: User["id"] }, url: string, object: any) => {
 	const body = JSON.stringify(object);
@@ -35,6 +36,7 @@ export default async (user: { id: User["id"] }, url: string, object: any) => {
  * @param url URL to fetch
  */
 export async function signedGet(url: string, user: { id: User["id"] }) {
+	apLogger.debug(`Running signedGet on url: ${url}`);
 	const keypair = await getUserKeypair(user.id);
 
 	const req = createSignedGet({

packages/backend/src/remote/activitypub/resolver.ts

@@ -23,6 +23,7 @@ import renderCreate from "@/remote/activitypub/renderer/create.js";
 import { renderActivity } from "@/remote/activitypub/renderer/index.js";
 import renderFollow from "@/remote/activitypub/renderer/follow.js";
 import { shouldBlockInstance } from "@/misc/should-block-instance.js";
+import { apLogger } from "@/remote/activitypub/logger.js";
 
 export default class Resolver {
 	private history: Set<string>;
@@ -34,6 +35,15 @@ export default class Resolver {
 		this.recursionLimit = recursionLimit;
 	}
 
+	public setUser(user) {
+		this.user = user;
+	}
+
+	public reset(): Resolver {
+		this.history = new Set();
+		return this;
+	}
+
 	public getHistory(): string[] {
 		return Array.from(this.history);
 	}
@@ -56,15 +66,20 @@ export default class Resolver {
 		}
 
 		if (typeof value !== "string") {
+			apLogger.debug("Object to resolve is not a string");
 			if (typeof value.id !== "undefined") {
 				const host = extractDbHost(getApId(value));
 				if (await shouldBlockInstance(host)) {
 					throw new Error("instance is blocked");
 				}
 			}
+			apLogger.debug("Returning existing object:");
+			apLogger.debug(JSON.stringify(value, null, 2));
 			return value;
 		}
 
+		apLogger.debug(`Resolving: ${value}`);
+
 		if (value.includes("#")) {
 			// URLs with fragment parts cannot be resolved correctly because
 			// the fragment part does not get transmitted over HTTP(S).
@@ -102,6 +117,9 @@ export default class Resolver {
 			this.user = await getInstanceActor();
 		}
 
+		apLogger.debug("Getting object from remote, authenticated as user:");
+		apLogger.debug(JSON.stringify(this.user, null, 2));
+
 		const object = (
 			this.user
 				? await signedGet(value, this.user)

packages/backend/src/server/activitypub.ts

@@ -20,7 +20,11 @@ import {
 import type { ILocalUser, User } from "@/models/entities/user.js";
 import { renderLike } from "@/remote/activitypub/renderer/like.js";
 import { getUserKeypair } from "@/misc/keypair-store.js";
-import { checkFetch, hasSignature } from "@/remote/activitypub/check-fetch.js";
+import {
+	checkFetch,
+	hasSignature,
+	getSignatureUser,
+} from "@/remote/activitypub/check-fetch.js";
 import { getInstanceActor } from "@/services/instance-actor.js";
 import { fetchMeta } from "@/misc/fetch-meta.js";
 import renderFollow from "@/remote/activitypub/renderer/follow.js";
@@ -28,6 +32,7 @@ import Featured from "./activitypub/featured.js";
 import Following from "./activitypub/following.js";
 import Followers from "./activitypub/followers.js";
 import Outbox, { packActivity } from "./activitypub/outbox.js";
+import { serverLogger } from "./index.js";
 
 // Init router
 const router = new Router();
@@ -84,7 +89,7 @@ router.get("/notes/:note", async (ctx, next) => {
 
 	const note = await Notes.findOneBy({
 		id: ctx.params.note,
-		visibility: In(["public" as const, "home" as const]),
+		visibility: In(["public" as const, "home" as const, "followers" as const]),
 		localOnly: false,
 	});
 
@@ -103,6 +108,31 @@ router.get("/notes/:note", async (ctx, next) => {
 		return;
 	}
 
+	if (note.visibility == "followers") {
+		serverLogger.debug(
+			"Responding to request for follower-only note, validating access...",
+		);
+		let remoteUser = await getSignatureUser(ctx.req);
+		serverLogger.debug("Local note author user:");
+		serverLogger.debug(JSON.stringify(note, null, 2));
+		serverLogger.debug("Authenticated remote user:");
+		serverLogger.debug(JSON.stringify(remoteUser, null, 2));
+
+		let relation = await Users.getRelation(remoteUser.user.id, note.userId);
+		serverLogger.debug("Relation:");
+		serverLogger.debug(JSON.stringify(relation, null, 2));
+
+		if (!relation.isFollowing || relation.isBlocked) {
+			serverLogger.debug(
+				"Rejecting: authenticated user is not following us or was blocked by us",
+			);
+			ctx.status = 403;
+			return;
+		}
+
+		serverLogger.debug("Accepting: access criteria met");
+	}
+
 	ctx.body = renderActivity(await renderNote(note, false));
 
 	const meta = await fetchMeta();

packages/backend/src/server/api/endpoints/ap/show.ts

@@ -127,6 +127,7 @@ async function fetchAny(
 
 	// fetching Object once from remote
 	const resolver = new Resolver();
+	resolver.setUser(me);
 	const object = await resolver.resolve(uri);
 
 	// /@user If a URI other than the id is specified,
@@ -144,8 +145,12 @@ async function fetchAny(
 
 	return await mergePack(
 		me,
-		isActor(object) ? await createPerson(getApId(object)) : null,
+		isActor(object)
-		isPost(object) ? await createNote(getApId(object), undefined, true) : null,
+			? await createPerson(getApId(object), resolver.reset())
+			: null,
+		isPost(object)
+			? await createNote(getApId(object), resolver.reset(), true)
+			: null,
 	);
 }