Skip to content

Commit

Permalink
Do not serve account actors at all in limited federation mode (mastod…
Browse files Browse the repository at this point in the history
…on#14800)

* Do not serve account actors at all in limited federation mode

When an account is fetched without a signature from an allowed instance,
return an error.

This isn't really an improvement in security, as the only information that was
previously returned was required protocol-level info, and the only personal bit
was the existence of the account. The existence of the account can still be
checked by issuing a webfinger query, as those are accepted without signatures.

However, this change makes it so that unallowed instances won't create account
records on their end when they find a reference to an unknown account.

The previous behavior of rendering a limited list of fields, instead of not
rendering the actor at all, was in order to prevent situations in which two
instances in Authorized Fetch mode or Limited Federation mode would fail to
reach each other because resolving an account would require a signed query…
from an account which can only be fetched with a signed query itself. However,
this should now be fine as fetching accounts is done by signing on behalf of
the special instance actor, which does not require any kind of valid signature
to be fetched.

* Fix tests
  • Loading branch information
ClearlyClaire authored and thenameisnigel-old committed Sep 18, 2020
1 parent e995ab2 commit 962c248
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 27 deletions.
11 changes: 2 additions & 9 deletions app/controllers/accounts_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ class AccountsController < ApplicationController
include AccountControllerConcern
include SignatureAuthentication

before_action :require_signature!, if: -> { request.format == :json && authorized_fetch_mode? }
before_action :set_cache_headers
before_action :set_body_classes

Expand Down Expand Up @@ -48,7 +49,7 @@ def show

format.json do
expires_in 3.minutes, public: !(authorized_fetch_mode? && signed_request_account.present?)
render_with_cache json: @account, content_type: 'application/activity+json', serializer: ActivityPub::ActorSerializer, adapter: ActivityPub::Adapter, fields: restrict_fields_to
render_with_cache json: @account, content_type: 'application/activity+json', serializer: ActivityPub::ActorSerializer, adapter: ActivityPub::Adapter
end
end
end
Expand Down Expand Up @@ -153,12 +154,4 @@ def cached_filtered_status_page
def params_slice(*keys)
params.slice(*keys).permit(*keys)
end

def restrict_fields_to
if signed_request_account.present? || public_fetch_mode?
# Return all fields
else
%i(id type preferred_username inbox public_key endpoints)
end
end
end
20 changes: 2 additions & 18 deletions spec/controllers/accounts_controller_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -348,24 +348,8 @@
context 'in authorized fetch mode' do
let(:authorized_fetch_mode) { true }

it 'returns http success' do
expect(response).to have_http_status(200)
end

it 'returns application/activity+json' do
expect(response.content_type).to eq 'application/activity+json'
end

it_behaves_like 'cachable response'

it 'returns Vary header with Signature' do
expect(response.headers['Vary']).to include 'Signature'
end

it 'renders bare minimum account' do
json = body_as_json
expect(json).to include(:id, :type, :preferredUsername, :inbox, :publicKey)
expect(json).to_not include(:name, :summary)
it 'returns http unauthorized' do
expect(response).to have_http_status(401)
end
end
end
Expand Down

0 comments on commit 962c248

Please sign in to comment.