ActivityPubController: require validated host header

lib/pleroma/web/activity_pub/activity_pub_controller.ex

@@ -303,7 +303,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
     end
   end
 
-  def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
+  def inbox(%{assigns: %{valid_signature: true, valid_host_header: true}} = conn, %{"nickname" => nickname} = params) do
     with {:recipient_exists, %User{} = recipient} <-
            {:recipient_exists, User.get_cached_by_nickname(nickname)},
          {:sender_exists, {:ok, %User{} = actor}} <-
@@ -342,7 +342,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
     end
   end
 
-  def inbox(%{assigns: %{valid_signature: true}} = conn, params) do
+  def inbox(%{assigns: %{valid_signature: true, valid_host_header: true}} = conn, params) do
     Federator.incoming_ap_doc(params)
     json(conn, "ok")
   end