Follow(ers|ing) collections can be fetched without signature even if authorized_fetch is enabled #729

Open
opened 2024-04-01 23:04:05 +00:00 by Oneric · 0 comments
Member

Your setup

From source

Extra details

Alpine 3.19

Version

2d439034ca

PostgreSQL version

16

What were you trying to do?

When :pleroma, :activitypub, :authorized_fetch_mode is enabled, all AP fetches without a valid signature should be denied. However, fetching /users/:nickname/followers and /users/:nickname/following still succeeds without any signature at all, while fetching the user owning the collections is denied with “Request not signed”.

E.g. try the following

```sh
curl_ap ()
{
    curl -s -S -H 'Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"' "$@"
}

curl_ap https://ihatebeinga.live/users/akkoma
# -> Fails with response "Request not signed"
curl_ap https://ihatebeinga.live/users/akkoma/following
curl_ap https://ihatebeinga.live/users/akkoma/followers
# -> both return a proper collection
```

Looking at the route for fetching users, it uses the http_signature plug:

https://akkoma.dev/AkkomaGang/akkoma/src/commit/2d439034ca801b704536cb05483e012d62c2d52e/lib/pleroma/web/router.ex#L748

```elixir
scope "/", Pleroma.Web do
  # Note: html format is supported only if static FE is enabled
  # Note: http signature is only considered for json requests (no auth for non-json requests)
  pipe_through([:accepts_html_xml_json, :http_signature, :static_fe])

  # Note: returns user _profile_ for json requests, redirects to user _feed_ for non-json ones
  get("/users/:nickname", Feed.UserController, :feed_redirect, as: :user_feed)
end
```

While the route for fetching the follow(ers|ing) collection doesn’t pipe through `:http_signature`:

https://akkoma.dev/AkkomaGang/akkoma/src/commit/2d439034ca801b704536cb05483e012d62c2d52e/lib/pleroma/web/router.ex#L815

```elixir
scope "/", Pleroma.Web.ActivityPub do
  # Note: html format is supported only if static FE is enabled
  pipe_through([:accepts_html_json, :static_fe, :activitypub_client])

  # The following two are S2S as well, see `ActivityPub.fetch_follow_information_for_user/1`:
  get("/users/:nickname/followers", ActivityPubController, :followers)
  get("/users/:nickname/following", ActivityPubController, :following)
end
```

However, it does use the `:activitypub_client` plug, and I’m not sure how this C2S and signature plug will interact with each other (presumably C2S interaction *must not* require an HTTP signature).

What did you expect to happen?

Requests without signature fail

What actually happened?

Requests succeed

Severity

I can manage

Have you searched for this issue?

  • I have double-checked and have not found this issue mentioned anywhere.
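An added check, not from the issue or Akkoma's code base, that automates the curl_ap comparison above for an admin verifying their own instance: each S2S route of an actor is fetched without a signature and classified. The function names, the injectable fetcher and the assumption that a refused fetch answers 401 or 403 are mine; the issue only quotes the body text.

```python
"""Audit which S2S ActivityPub routes still answer unsigned fetches.

Added example, not part of the Akkoma issue or code base: it automates the
issue's curl_ap check. With authorized_fetch_mode on, the actor document and
its followers/following collections should all refuse an unsigned request.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

AP_ACCEPT = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
# Routes the issue identifies as S2S: label -> path suffix relative to the actor URL.
S2S_ROUTES = {"actor": "", "followers": "/followers", "following": "/following"}
Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body); injectable for offline use


def http_fetch(url: str) -> Tuple[int, str]:
    """Unsigned GET with the ActivityPub Accept header, like the issue's curl_ap."""
    req = urllib.request.Request(url, headers={"Accept": AP_ACCEPT})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """'leaks' if an AS2 object came back, 'denied' if refused, else 'other'.
    Assumption: a refused fetch answers 401 or 403; the issue quotes only the
    body text "Request not signed", not the status code."""
    if status in (401, 403):
        return "denied"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "other"
        if isinstance(doc, dict) and "type" in doc:
            return "leaks"
    return "other"


def audit_actor(actor_url: str, fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Classify every S2S route of one actor (the issue's three curl calls)."""
    return {label: classify(*fetch(actor_url + suffix)) for label, suffix in S2S_ROUTES.items()}


def unsigned_leaks(actor_url: str, fetch: Fetcher = http_fetch) -> List[str]:
    """Labels of routes that served content to an unsigned request; empty means all denied."""
    return sorted(l for l, verdict in audit_actor(actor_url, fetch).items() if verdict == "leaks")
```

Run `unsigned_leaks("https://your.instance/users/someone")` against an instance with authorized fetch enabled; the behaviour in this issue shows up as `["followers", "following"]`.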
Oneric added the bug label 2024-04-01 23:04:05 +00:00
Reference: AkkomaGang/akkoma#729