merge: feat: implement attachLdSignatureForRelays to control signing of Relayed activities (#599) (!579)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/579 Closes #599 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Marie <marie@kaifa.ch>
This commit is contained in:
dakkar
commit
9de422280f
6 changed files with 36 additions and 6 deletions
|
|
@ -106,7 +106,7 @@ redis:
|
|||
# ┌───────────────────────────┐
|
||||
#───┘ MeiliSearch configuration └─────────────────────────────
|
||||
|
||||
# You can set scope to local (default value) or global
|
||||
# You can set scope to local (default value) or global
|
||||
# (include notes from remote).
|
||||
|
||||
#meilisearch:
|
||||
|
|
@ -198,13 +198,18 @@ proxyRemoteFiles: true
|
|||
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
||||
#videoThumbnailGenerator: https://example.com
|
||||
|
||||
# Sign to ActivityPub GET request (default: true)
|
||||
# Sign outgoing ActivityPub GET request (default: true)
|
||||
signToActivityPubGet: true
|
||||
# Sign outgoing ActivityPub Activities (default: true)
|
||||
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
|
||||
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
|
||||
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
|
||||
attachLdSignatureForRelays: true
|
||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||
checkActivityPubGetSignature: false
|
||||
|
||||
# For security reasons, uploading attachments from the intranet is prohibited,
|
||||
# but exceptions can be made from the following settings. Default value is "undefined".
|
||||
# but exceptions can be made from the following settings. Default value is "undefined".
|
||||
# Read changelog to learn more (Improvements of 12.90.0 (2021/09/04)).
|
||||
#allowedPrivateNetworks: [
|
||||
# '127.0.0.1/32'
|
||||
|
|
|
|||
|
|
@ -270,8 +270,13 @@ proxyRemoteFiles: true
|
|||
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
||||
#videoThumbnailGenerator: https://example.com
|
||||
|
||||
# Sign to ActivityPub GET request (default: true)
|
||||
# Sign outgoing ActivityPub GET request (default: true)
|
||||
signToActivityPubGet: true
|
||||
# Sign outgoing ActivityPub Activities (default: true)
|
||||
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
|
||||
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
|
||||
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
|
||||
attachLdSignatureForRelays: true
|
||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||
checkActivityPubGetSignature: false
|
||||
|
||||
|
|
|
|||
|
|
@ -285,8 +285,13 @@ proxyRemoteFiles: true
|
|||
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
||||
#videoThumbnailGenerator: https://example.com
|
||||
|
||||
# Sign to ActivityPub GET request (default: true)
|
||||
# Sign outgoing ActivityPub GET request (default: true)
|
||||
signToActivityPubGet: true
|
||||
# Sign outgoing ActivityPub Activities (default: true)
|
||||
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
|
||||
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
|
||||
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
|
||||
attachLdSignatureForRelays: true
|
||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||
checkActivityPubGetSignature: false
|
||||
|
||||
|
|
|
|||
|
|
@ -208,8 +208,13 @@ id: "aidx"
|
|||
# Media Proxy
|
||||
#mediaProxy: https://example.com/proxy
|
||||
|
||||
# Sign to ActivityPub GET request (default: true)
|
||||
# Sign outgoing ActivityPub GET request (default: true)
|
||||
signToActivityPubGet: true
|
||||
# Sign outgoing ActivityPub Activities (default: true)
|
||||
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
|
||||
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
|
||||
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
|
||||
attachLdSignatureForRelays: true
|
||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||
checkActivityPubGetSignature: false
|
||||
|
||||
|
|
|
|||
|
|
@ -96,6 +96,7 @@ type Source = {
|
|||
customMOTD?: string[];
|
||||
|
||||
signToActivityPubGet?: boolean;
|
||||
attachLdSignatureForRelays?: boolean;
|
||||
checkActivityPubGetSignature?: boolean;
|
||||
|
||||
perChannelMaxNoteCacheCount?: number;
|
||||
|
|
@ -162,6 +163,7 @@ export type Config = {
|
|||
proxyRemoteFiles: boolean | undefined;
|
||||
customMOTD: string[] | undefined;
|
||||
signToActivityPubGet: boolean;
|
||||
attachLdSignatureForRelays: boolean;
|
||||
checkActivityPubGetSignature: boolean | undefined;
|
||||
|
||||
version: string;
|
||||
|
|
@ -299,6 +301,7 @@ export function loadConfig(): Config {
|
|||
proxyRemoteFiles: config.proxyRemoteFiles,
|
||||
customMOTD: config.customMOTD,
|
||||
signToActivityPubGet: config.signToActivityPubGet ?? true,
|
||||
attachLdSignatureForRelays: config.attachLdSignatureForRelays ?? true,
|
||||
checkActivityPubGetSignature: config.checkActivityPubGetSignature,
|
||||
mediaProxy: externalMediaProxy ?? internalMediaProxy,
|
||||
externalMediaProxyEnabled: externalMediaProxy !== null && externalMediaProxy !== internalMediaProxy,
|
||||
|
|
|
|||
|
|
@ -793,6 +793,13 @@ export class ApRendererService {
|
|||
|
||||
@bindThis
|
||||
public async attachLdSignature(activity: any, user: { id: MiUser['id']; host: null; }): Promise<IActivity> {
|
||||
// Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
|
||||
// When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
|
||||
// This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
|
||||
if (!this.config.attachLdSignatureForRelays) {
|
||||
return activity;
|
||||
}
|
||||
|
||||
const keypair = await this.userKeypairService.getUserKeypair(user.id);
|
||||
|
||||
const jsonLd = this.jsonLdService.use();
|
||||
|
|
|
|||
Loading…
Reference in a new issue