add/translate comments

2024-03-22 09:41:45 +01:00 · 2024-03-22 09:41:45 +01:00 · e366116ac1
parent 2b5a35147a
commit e366116ac1
2 changed files with 15 additions and 4 deletions
--- a/packages/backend/src/server/api/endpoints/ap/show.ts
+++ b/packages/backend/src/server/api/endpoints/ap/show.ts
@ -83,7 +83,7 @@ export default define(meta, paramDef, async (ps, me) => {
 });

 /***
- * URIからUserかNoteを解決する
+ * Resolve a User or Note from a given URI
 */
 async function fetchAny(uri: string, me: ILocalUser | null | undefined): Promise<SchemaType<typeof meta['res']> | null> {
 	// Stop if the host is blocked.
@ -92,6 +92,7 @@ async function fetchAny(uri: string, me: ILocalUser | null | undefined): Promise
 		return null;
 	}

+	// first try to fetch the object from the database
 	const dbResolver = new DbResolver();

 	let local = await mergePack(me, ...await Promise.all([
@ -100,13 +101,15 @@ async function fetchAny(uri: string, me: ILocalUser | null | undefined): Promise
 	]));
 	if (local != null) return local;

-	// fetch object from remote
+	// getting the object from the database failed, fetch from remote
 	const resolver = new Resolver();
 	// allow redirect
 	const object = await resolver.resolve(uri, true) as any;

-	// /@user のような正規id以外で取得できるURIが指定されていた場合、ここで初めて正規URIが確定する
-	// これはDBに存在する可能性があるため再度DB検索
+	// If a URI other than the canonical id such as `/@user` is specified,
+	// the canonical URI is determined here for the first time.
+	//
+	// DB search again, since this may exist in the DB
 	if (uri !== object.id) {
 		local = await mergePack(me, ...await Promise.all([
 			dbResolver.getUserFromApId(object.id),
--- a/packages/backend/src/server/api/endpoints/drive/files/update.ts
+++ b/packages/backend/src/server/api/endpoints/drive/files/update.ts
@ -35,6 +35,14 @@ export const paramDef = {

 // eslint-disable-next-line import/no-default-export
 export default define(meta, paramDef, async (ps, user) => {
+	/*
+	Note: It should not be allowed for the actual file contents to be updated.
+	Not allowing the user to change the contents after the public URL has been determined
+	is relevant because it is a defense mechanism against AcitivtyPub content "impersonation".
+
+	If the URL is known, an integrity check could be defeated which checks that the `id`
+	indicated in an ActivityPub object is actually retrievable at that given `id`.
+	*/
 	const file = await DriveFiles.findOneBy({ id: ps.fileId });

 	if (file == null) throw new ApiError('NO_SUCH_FILE');