activitypub: disallow transitive activities

This might be able to circumvent the ID host equality check, which
doesn't seem like a good idea.

Probably better since most likely the following code is not properly
equipped to handle null values anyway.

packages/backend/src/queue/processors/inbox.ts

@@ -59,6 +59,11 @@ export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
 		if (activity.id.length > 2048) {
 			return `skip: overly long id from ${signerHost}`;
 		}
+	} else {
+		// might want to allow null id's for transitive activites, but currently
+		// there are no known sensible such transitive activities that we could
+		// process
+		return "skip: non-string id";
 	}
 
 	// Update stats