Add ActivityPub secure mode (#11269)

* Add HTTP signature requirement for served ActivityPub resources * Change `SECURE_MODE` to `AUTHORIZED_FETCH` * Add 'Signature' to 'Vary' header and improve code style * Improve code style by adding `public_fetch_mode?` method
2019-07-11 20:11:09 +02:00 · 2019-07-11 20:11:09 +02:00 · 5bf67ca913
commit 5bf67ca913
parent 4e1260feaa
14 changed files with 89 additions and 34 deletions
--- a/app/controllers/follower_accounts_controller.rb
+++ b/app/controllers/follower_accounts_controller.rb
@ -2,7 +2,9 @@

 class FollowerAccountsController < ApplicationController
  include AccountControllerConcern
+  include SignatureVerification

+  before_action :require_signature!, if: -> { request.format == :json && authorized_fetch_mode? }
  before_action :set_cache_headers

  def index
@ -17,9 +19,9 @@ class FollowerAccountsController < ApplicationController
      end

      format.json do
-        raise Mastodon::NotPermittedError if params[:page].present? && @account.user_hides_network?
+        raise Mastodon::NotPermittedError if page_requested? && @account.user_hides_network?

-        expires_in 3.minutes, public: true if params[:page].blank?
+        expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode?)

        render json: collection_presenter,
               serializer: ActivityPub::CollectionSerializer,
@ -35,12 +37,16 @@ class FollowerAccountsController < ApplicationController
    @follows ||= Follow.where(target_account: @account).recent.page(params[:page]).per(FOLLOW_PER_PAGE).preload(:account)
  end

+  def page_requested?
+    params[:page].present?
+  end
+
  def page_url(page)
    account_followers_url(@account, page: page) unless page.nil?
  end

  def collection_presenter
-    if params[:page].present?
+    if page_requested?
      ActivityPub::CollectionPresenter.new(
        id: account_followers_url(@account, page: params.fetch(:page, 1)),
        type: :ordered,