ActivityPubController: add mismatched host test

test/pleroma/web/activity_pub/activity_pub_controller_test.exs

@@ -950,6 +950,49 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       refute Activity.get_by_ap_id(data["id"])
     end
 
+    test "does not process post with Host header not for us", %{conn: conn} do
+      alice = insert(:user, local: false, ap_id: "https://one.com/users/alice")
+      object_id = "https://one.com/objects/inbox-forged-note"
+
+      data = %{
+        "type" => "Create",
+        "actor" => alice.ap_id,
+        "id" => "https://one.com/activities/inbox-forged-create",
+        "context" => "https://one.com/contexts/inbox-forged-create",
+        "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+        "cc" => [],
+        "object" => %{
+          "type" => "Note",
+          "id" => object_id,
+          "actor" => alice.ap_id,
+          "attributedTo" => alice.ap_id,
+          "context" => "https://one.com/contexts/inbox-forged-create",
+          "content" => "forged post",
+          "published" => "2024-07-25T13:33:31Z",
+          "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+          "cc" => []
+        }
+      }
+
+      expect_signature_retry_from(alice)
+
+      conn = %{conn | req_headers: [{"host", "invalid.example.com"}]}
+
+      conn =
+        conn
+        |> assign(:valid_signature, false)
+        |> put_req_header("content-type", "application/activity+json")
+        |> put_req_header("signature", "keyId=\"https://one.com/users/alice#main-key\"")
+        |> post("/inbox", data)
+
+      assert "Host header does not match this instance" == conn.resp_body
+      assert 400 == conn.status
+      assert true == conn.halted
+
+      refute Activity.get_by_ap_id(data["id"])
+      refute Object.get_by_ap_id(object_id)
+    end
+
     test "accept follow activity", %{conn: conn} do
       clear_config([:instance, :federating], true)
       relay = Relay.get_actor()