Mark instances as unreachable when returning a 403 from an object fetch

This is a definite sign the instance is blocked and they are enforcing authorized_fetch
2023-12-26 15:54:14 -05:00 · 2023-12-26 15:54:14 -05:00 · 4c29366fe5
parent ac4cc619ea
commit 4c29366fe5
3 changed files with 34 additions and 0 deletions
--- a/lib/pleroma/object/fetcher.ex
+++ b/lib/pleroma/object/fetcher.ex
@ -181,6 +181,15 @@ defmodule Pleroma.Object.Fetcher do
      {:fetch_object, %Object{} = object} ->
        {:ok, object}

+      {:fetch, {:error, {:ok, %Tesla.Env{status: 403}}}} ->
+        Instances.set_consistently_unreachable(id)
+
+        Logger.error(
+          "Error while fetching #{id}: HTTP 403 likely due to instance block rejecting the signed fetch."
+        )
+
+        {:error, "Object fetch has been denied"}
+
      {:fetch, {:error, error}} ->
        Logger.error("Error while fetching #{id}: #{inspect(error)}")
        {:error, error}
--- a/lib/pleroma/workers/remote_fetcher_worker.ex
+++ b/lib/pleroma/workers/remote_fetcher_worker.ex
@ -10,5 +10,16 @@ defmodule Pleroma.Workers.RemoteFetcherWorker do
  @impl Oban.Worker
  def perform(%Job{args: %{"op" => "fetch_remote", "id" => id} = args}) do
    {:ok, _object} = Fetcher.fetch_object_from_id(id, depth: args["depth"])
+
+    case Fetcher.fetch_object_from_id(id, depth: args["depth"]) do
+      {:ok, _object} ->
+        :ok
+
+      {:error, reason = "Object fetch has been denied"} ->
+        {:cancel, reason}
+
+      _ ->
+        :error
+    end
  end
 end
--- a/test/pleroma/object/fetcher_test.exs
+++ b/test/pleroma/object/fetcher_test.exs
@ -57,6 +57,8 @@ defmodule Pleroma.Object.FetcherTest do
          body: spoofed_object_with_ids("https://patch.cx/objects/spoof_content_type")
        }

+      %{method: :get, url: "https://octodon.social/users/cwebber/statuses/111647596861000656"} ->
+        %Tesla.Env{status: 403}
      # Spoof: mismatching ids
      # Variant 1: Non-exisitng fake id
      %{
@ -417,6 +419,18 @@ defmodule Pleroma.Object.FetcherTest do
               )
    end

+    test "handle HTTP 403 response" do
+      object_id = "https://octodon.social/users/cwebber/statuses/111647596861000656"
+      Instances.set_reachable(object_id)
+
+      assert Instances.reachable?(object_id)
+
+      assert {:error, "Object fetch has been denied"} ==
+               Fetcher.fetch_object_from_id(object_id)
+
+      refute Instances.reachable?(object_id)
+    end
+
    test "it can fetch pleroma polls with attachments" do
      {:ok, object} =
        Fetcher.fetch_object_from_id("https://patch.cx/objects/tesla_mock/poll_attachment")