
FIX: Request signing and signature verification fixes #53

Merged

Conversation

angusmcleod
Contributor

@angusmcleod angusmcleod commented Dec 21, 2023

@pmusaraj This will fix the issue you were having.

  • Add Application actor as default request signer.
  • Only require signature verification when necessary.
  • Use HTTP_X_FORWARDED_HOST in development to allow for proper signature verification.

- Add Application actor as default request signer.
- Only require signature verification when necessary.
@@ -23,6 +23,7 @@ def ensure_can_access_actor
end

def ensure_can_access_actor_model
return true if @actor.ap.application?
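Review bot: the early return for application actors is added only to ensure_can_access_actor_model; the ensure_can_access_actor check that runs before it (visible only as the hunk's context header) is left unchanged, so a request for the Application actor will still be rejected by that earlier check whenever publishing is disabled. Consider adding the same `@actor.ap.application?` exemption there, or documenting in the PR why the two guards are meant to differ.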
Contributor

@pmusaraj pmusaraj Dec 22, 2023


When my local ENV is marked as login_required, I can't follow a remote Discourse instance, and it looks like that is because the remote instance is calling this route to get actor info and it is failing at the ensure_can_access_actor check (just above), which seems to return false:

DiscourseActivityPub.publishing_enabled || @actor.ap.group?

When I change that to

DiscourseActivityPub.publishing_enabled || @actor.ap.group? || @actor.ap.application?

the follow action works. Note though that then I can't unfollow the category, possibly because the Undo action also isn't permitted under a login_required scenario?
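
The guard discussed in this comment, modelled as an added example that is not the plugin's own code: a stand-in Actor struct and two versions of the check, before and after the proposed `@actor.ap.application?` exemption, evaluated for each actor kind with publishing disabled (the login_required case). The Actor struct, the `ap_type` symbols and the method names are assumptions for illustration only.

```ruby
# Added illustration (not discourse-activity-pub's own code): a minimal model
# of the actor-access guard so the login_required failure can be reproduced
# without a Discourse install. Actor and its predicates stand in for the
# plugin's models (assumed names).
Actor = Struct.new(:ap_type) do
  def group?
    ap_type == :group
  end

  def application?
    ap_type == :application
  end
end

# Guard as described before the fix: while publishing is disabled only the
# group (category) actor is reachable, so a remote instance looking up the
# Application actor, which the PR makes the default request signer, is refused.
def can_access_actor_before?(actor, publishing_enabled)
  publishing_enabled || actor.group?
end

# Guard with the exemption proposed in the comment: the Application actor is
# always reachable, so remote servers can resolve the actor that signs requests.
def can_access_actor_after?(actor, publishing_enabled)
  publishing_enabled || actor.group? || actor.application?
end

# Evaluate one guard for every actor kind and return a kind => allowed? hash,
# which makes the before/after difference easy to compare.
def access_matrix(check, publishing_enabled)
  %i[person group application].to_h do |kind|
    [kind, check.call(Actor.new(kind), publishing_enabled)]
  end
end

if __FILE__ == $PROGRAM_NAME
  before = access_matrix(method(:can_access_actor_before?), false)
  after  = access_matrix(method(:can_access_actor_after?), false)
  puts "publishing disabled, before fix: #{before}"
  puts "publishing disabled, after fix:  #{after}"
end
```

With publishing disabled, the before-fix matrix denies the Application actor and the after-fix matrix allows it while still denying a plain person actor; with publishing enabled both guards allow every actor, which is why the problem only shows up under login_required.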

Contributor Author


Well caught. This will fix both: angusmcleod@ae0978b

@pmusaraj pmusaraj merged commit 313ac9c into discourse:main Dec 22, 2023
4 of 5 checks passed