mirrors/barkey
1
0
Fork 0
mirror of https://codeberg.org/yeentown/barkey.git synced 2025-07-07 12:36:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

log source URL when failing resolution for a response with missing AP ID

Browse source
This commit is contained in:
Hazelnoot 2025-05-04 10:49:32 -04:00
parent 291faeb00f
commit a78ca52bf6
3 changed files with 11 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
packages/backend/src/core/activitypub/ApResolverService.ts
View file

@ -187,7 +187,7 @@ export class Resolver {
} }
// This ensures the input has a string ID, protecting against type confusion and rejecting anonymous objects. // This ensures the input has a string ID, protecting against type confusion and rejecting anonymous objects.
const id = getApId(value); const id = getApId(value, sentFromUri);
// Check if we can use the provided object as-is. // Check if we can use the provided object as-is.
// Our security requires that the object ID matches the host authority that sent it, otherwise it can't be trusted. // Our security requires that the object ID matches the host authority that sent it, otherwise it can't be trusted.
@ -329,7 +329,7 @@ export class Resolver {
// The object ID is already validated to match the final URL's authority by signedGet / getActivityJson. // The object ID is already validated to match the final URL's authority by signedGet / getActivityJson.
// We only need to validate that it also matches the original URL's authority, in case of redirects. // We only need to validate that it also matches the original URL's authority, in case of redirects.
const objectId = getApId(object); const objectId = getApId(object, value);
// We allow some limited cross-domain redirects, which means the host may have changed during fetch. // We allow some limited cross-domain redirects, which means the host may have changed during fetch.
// Additional checks are needed to validate the scope of cross-domain redirects. // Additional checks are needed to validate the scope of cross-domain redirects.

2
packages/backend/src/core/activitypub/ApUtilityService.ts
View file

@ -24,7 +24,7 @@ export class ApUtilityService {
public assertIdMatchesUrlAuthority(object: IObject, url: string): void { public assertIdMatchesUrlAuthority(object: IObject, url: string): void {
// This throws if the ID is missing or invalid, but that's ok. // This throws if the ID is missing or invalid, but that's ok.
// Anonymous objects are impossible to verify, so we don't allow fetching them. // Anonymous objects are impossible to verify, so we don't allow fetching them.
const id = getApId(object); const id = getApId(object, url);
// Make sure the object ID matches the final URL (which is where it actually exists). // Make sure the object ID matches the final URL (which is where it actually exists).
// The caller (ApResolverService) will verify the ID against the original / entry URL, which ensures that all three match. // The caller (ApResolverService) will verify the ID against the original / entry URL, which ensures that all three match.

13
packages/backend/src/core/activitypub/type.ts
View file

@ -75,14 +75,17 @@ export function getOneApId(value: ApObject): string {
/** /**
* Get ActivityStreams Object id * Get ActivityStreams Object id
*/ */
export function getApId(source: string | IObject | [string | IObject]): string { export function getApId(value: string | IObject | [string | IObject], sourceForLogs?: string): string {
const value = getNullableApId(source); const id = getNullableApId(value);
if (value == null) { if (id == null) {
throw new IdentifiableError('ad2dc287-75c1-44c4-839d-3d2e64576675', `invalid AP object ${value}: missing or invalid id`); const message = sourceForLogs
? `invalid AP object ${value} (sent from ${sourceForLogs}): missing id`
: `invalid AP object ${value}: missing id`;
throw new IdentifiableError('ad2dc287-75c1-44c4-839d-3d2e64576675', message);
} }
return value; return id;
} }
/** /**