summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Manfre2022-12-06 00:23:35 -0500
committerGitHub2022-12-05 22:23:35 -0700
commit42c7b629cf68957dab815fe5da4accf484e2cb90 (patch)
treea42f6a44fd20b9e4a7d61d6fd5415d07af298dec
parentb8460b0acd3e833b9ec302d9fa3fb6ab28032c0e (diff)
downloadtakahe-42c7b629cf68957dab815fe5da4accf484e2cb90.tar.gz
takahe-42c7b629cf68957dab815fe5da4accf484e2cb90.tar.bz2
takahe-42c7b629cf68957dab815fe5da4accf484e2cb90.zip
Ignore actor delete messages for unknown actors (#124)
-rw-r--r--tests/conftest.py3
-rw-r--r--tests/users/views/test_activitypub.py22
-rw-r--r--users/views/activitypub.py13
3 files changed, 38 insertions, 0 deletions
diff --git a/tests/conftest.py b/tests/conftest.py
index c67717c..283de76 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -92,6 +92,7 @@ def identity(user, domain) -> Identity:
"""
identity = Identity.objects.create(
actor_uri="https://example.com/@test@example.com/",
+ inbox_uri="https://example.com/@test@example.com/inbox/",
username="test",
domain=domain,
name="Test User",
@@ -125,6 +126,7 @@ def other_identity(user, domain) -> Identity:
"""
identity = Identity.objects.create(
actor_uri="https://example.com/@other@example.com/",
+ inbox_uri="https://example.com/@other@example.com/inbox/",
username="other",
domain=domain,
name="Other User",
@@ -143,6 +145,7 @@ def remote_identity() -> Identity:
domain = Domain.objects.create(domain="remote.test", local=False)
return Identity.objects.create(
actor_uri="https://remote.test/test-actor/",
+ inbox_uri="https://remote.test/@test/inbox/",
profile_uri="https://remote.test/@test/",
username="test",
domain=domain,
diff --git a/tests/users/views/test_activitypub.py b/tests/users/views/test_activitypub.py
index d9ad578..c6e7faf 100644
--- a/tests/users/views/test_activitypub.py
+++ b/tests/users/views/test_activitypub.py
@@ -31,3 +31,25 @@ def test_webfinger_system_actor(client):
data = client.get("/actor/", HTTP_ACCEPT="application/ld+json").json()
assert data["id"] == "https://example.com/actor/"
assert data["inbox"] == "https://example.com/actor/inbox/"
+
+
+@pytest.mark.django_db
+def test_delete_actor(client, identity):
+ data = {
+ "@context": "https://www.w3.org/ns/activitystreams",
+ "actor": "https://mastodon.social/users/fakec8b6984105c8f15070a2",
+ "id": "https://mastodon.social/users/fakec8b6984105c8f15070a2#delete",
+ "object": "https://mastodon.social/users/fakec8b6984105c8f15070a2",
+ "signature": {
+ "created": "2022-12-06T03:54:28Z",
+ "creator": "https://mastodon.social/users/fakec8b6984105c8f15070a2#main-key",
+ "signatureValue": "This value doesn't matter",
+ "type": "RsaSignature2017",
+ },
+ "to": ["https://www.w3.org/ns/activitystreams#Public"],
+ "type": "Delete",
+ }
+ resp = client.post(
+ identity.inbox_uri, data=data, content_type="application/activity+json"
+ )
+ assert resp.status_code == 202
diff --git a/users/views/activitypub.py b/users/views/activitypub.py
index b155b08..93a6eae 100644
--- a/users/views/activitypub.py
+++ b/users/views/activitypub.py
@@ -145,9 +145,21 @@ class Inbox(View):
# This ensures that the signature used for the headers matches the actor
# described in the payload.
identity = Identity.by_actor_uri(document["actor"], create=True, transient=True)
+ if (
+ document["type"] == "Delete"
+ and document["actor"] == document["object"]
+ and not identity.pk
+ ):
+ # We don't have an Identity record for the user. No-op
+ exceptions.capture_message(
+ f"Inbox: Discarded delete message for unknown actor {document['actor']}"
+ )
+ return HttpResponse(status=202)
+
if not identity.public_key:
# See if we can fetch it right now
async_to_sync(identity.fetch_actor)()
+
if not identity.public_key:
exceptions.capture_message(
f"Inbox error: cannot fetch actor {document['actor']}"
@@ -160,6 +172,7 @@ class Inbox(View):
f"Inbox: Discarded message from {identity.domain}"
)
return HttpResponse(status=202)
+
# If there's a "signature" payload, verify against that
if "signature" in document:
try: