Require HTTP signatures (if enabled) for routes used by both C2S and S2S AP API

Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2024-09-15 14:59:06 +02:00 · 2024-09-15 14:59:06 +02:00 · ad953143bb
commit ad953143bb
parent 8250a9764e
4 changed files with 60 additions and 4 deletions
--- a/lib/pleroma/web/plugs/http_signature_plug.ex
+++ b/lib/pleroma/web/plugs/http_signature_plug.ex
@ -19,8 +19,16 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
    options
  end

-  def call(%{assigns: %{valid_signature: true}} = conn, _opts) do
-    conn
+  def call(%{assigns: %{valid_signature: true}} = conn, _opts), do: conn
+
+  # skip for C2S requests from authenticated users
+  def call(%{assigns: %{user: %Pleroma.User{}}} = conn, _opts) do
+    if get_format(conn) in ["json", "activity+json"] do
+      # ensure access token is provided for 2FA
+      Pleroma.Web.Plugs.EnsureAuthenticatedPlug.call(conn, %{})
+    else
+      conn
+    end
  end

  def call(conn, _opts) do
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -907,17 +907,30 @@ defmodule Pleroma.Web.Router do
    plug(:after_auth)
  end

+  # AP interactions used by both S2S and C2S
+  pipeline :activitypub_server_or_client do
+    plug(:ap_service_actor)
+    plug(:fetch_session)
+    plug(:authenticate)
+    plug(:after_auth)
+    plug(:http_signature)
+  end
+
  scope "/", Pleroma.Web.ActivityPub do
    pipe_through([:activitypub_client])

    get("/api/ap/whoami", ActivityPubController, :whoami)
    get("/users/:nickname/inbox", ActivityPubController, :read_inbox)

-    get("/users/:nickname/outbox", ActivityPubController, :outbox)
    post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
    post("/api/ap/upload_media", ActivityPubController, :upload_media)
+  end
+
+  scope "/", Pleroma.Web.ActivityPub do
+    pipe_through([:activitypub_server_or_client])
+
+    get("/users/:nickname/outbox", ActivityPubController, :outbox)

-    # The following two are S2S as well, see `ActivityPub.fetch_follow_information_for_user/1`:
    get("/users/:nickname/followers", ActivityPubController, :followers)
    get("/users/:nickname/following", ActivityPubController, :following)
    get("/users/:nickname/collections/featured", ActivityPubController, :pinned)