From ee37b2d8c64b8fee5f6f1634ad817da64e631b98 Mon Sep 17 00:00:00 2001
From: Ekaterina Vaartis <vaartis@kotobank.ch>
Date: Tue, 17 Jun 2025 21:12:20 +0300
Subject: [PATCH] Return 404 when an activity is sent to a deactivated user's
 /inbox

Also return 404 when the user who sent the activity is believed to be
deactivated. It was already an error, now it just returns a better
reason than "Invalid request". Also send proper errors when either
user is not known at all.
---
 changelog.d/deactivated-404-inbox.change      |  1 +
 .../activity_pub/activity_pub_controller.ex   | 28 ++++++++-
 .../activity_pub_controller_test.exs          | 61 +++++++++++++------
 3 files changed, 71 insertions(+), 19 deletions(-)
 create mode 100644 changelog.d/deactivated-404-inbox.change

diff --git a/changelog.d/deactivated-404-inbox.change b/changelog.d/deactivated-404-inbox.change
new file mode 100644
index 000000000..3912c53ef
--- /dev/null
+++ b/changelog.d/deactivated-404-inbox.change
@@ -0,0 +1 @@
+Return 404 with a better error message instead of 400 when receiving an activity for a deactivated user
\ No newline at end of file
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 7ac0bbab4..71e0a24de 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -274,13 +274,37 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
   end
 
   def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
-    with %User{is_active: true} = recipient <- User.get_cached_by_nickname(nickname),
-         {:ok, %User{is_active: true} = actor} <- User.get_or_fetch_by_ap_id(params["actor"]),
+    with {:recipient_exists, %User{} = recipient} <-
+           {:recipient_exists, User.get_cached_by_nickname(nickname)},
+         {:sender_exists, {:ok, %User{} = actor}} <-
+           {:sender_exists, User.get_or_fetch_by_ap_id(params["actor"])},
+         {:recipient_active, true} <- {:recipient_active, recipient.is_active},
+         {:sender_active, true} <- {:sender_active, actor.is_active},
          true <- Utils.recipient_in_message(recipient, actor, params),
          params <- Utils.maybe_splice_recipient(recipient.ap_id, params) do
       Federator.incoming_ap_doc(params)
       json(conn, "ok")
     else
+      {:recipient_exists, _} ->
+        conn
+        |> put_status(:not_found)
+        |> json("User does not exist")
+
+      {:sender_exists, _} ->
+        conn
+        |> put_status(:not_found)
+        |> json("Sender does not exist")
+
+      {:recipient_active, _} ->
+        conn
+        |> put_status(:not_found)
+        |> json("User deactivated")
+
+      {:sender_active, _} ->
+        conn
+        |> put_status(:not_found)
+        |> json("Sender deactivated")
+
       _ ->
         conn
         |> put_status(:bad_request)
diff --git a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
index 46b3d5f0d..ded5d9d99 100644
--- a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
@@ -941,23 +941,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       assert Activity.get_by_ap_id(data["id"])
     end
 
-    test "it rejects an invalid incoming activity", %{conn: conn, data: data} do
-      user = insert(:user, is_active: false)
-
-      data =
-        data
-        |> Map.put("bcc", [user.ap_id])
-        |> Kernel.put_in(["object", "bcc"], [user.ap_id])
-
-      conn =
-        conn
-        |> assign(:valid_signature, true)
-        |> put_req_header("content-type", "application/activity+json")
-        |> post("/users/#{user.nickname}/inbox", data)
-
-      assert "Invalid request." == json_response(conn, 400)
-    end
-
     test "it accepts messages with to as string instead of array", %{conn: conn, data: data} do
       user = insert(:user)
 
@@ -1341,6 +1324,50 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       ObanHelpers.perform(all_enqueued(worker: ReceiverWorker))
       assert Activity.get_by_ap_id(data["id"])
     end
+
+    test "it returns an error when receiving an activity sent to a deactivated user", %{
+      conn: conn,
+      data: data
+    } do
+      user = insert(:user)
+      {:ok, _} = User.set_activation(user, false)
+
+      data =
+        data
+        |> Map.put("bcc", [user.ap_id])
+        |> Kernel.put_in(["object", "bcc"], [user.ap_id])
+
+      conn =
+        conn
+        |> assign(:valid_signature, true)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/inbox", data)
+
+      assert "User deactivated" == json_response(conn, 404)
+    end
+
+    test "it returns an error when receiving an activity sent from a deactivated user", %{
+      conn: conn,
+      data: data
+    } do
+      sender = insert(:user)
+      user = insert(:user)
+      {:ok, _} = User.set_activation(sender, false)
+
+      data =
+        data
+        |> Map.put("bcc", [user.ap_id])
+        |> Map.put("actor", sender.ap_id)
+        |> Kernel.put_in(["object", "bcc"], [user.ap_id])
+
+      conn =
+        conn
+        |> assign(:valid_signature, true)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/inbox", data)
+
+      assert "Sender deactivated" == json_response(conn, 404)
+    end
   end
 
   describe "GET /users/:nickname/outbox" do