mirrors/barkey
1
0
Fork 0
mirror of https://codeberg.org/yeentown/barkey.git synced 2025-08-21 10:33:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

allow unsigned fetch for all system users

Browse source
This commit is contained in:
Hazelnoot 2025-03-16 10:49:16 -04:00
parent 97da78b46c
commit bb3d710927
3 changed files with 11 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
packages/backend/migration/1740162088574-add_unsignedFetch.js
View file

@ -12,8 +12,8 @@ export class AddUnsignedFetch1740162088574 {
await queryRunner.query(`CREATE TYPE "public"."user_allowunsignedfetch_enum" AS ENUM('never', 'always', 'essential', 'staff')`); await queryRunner.query(`CREATE TYPE "public"."user_allowunsignedfetch_enum" AS ENUM('never', 'always', 'essential', 'staff')`);
await queryRunner.query(`ALTER TABLE "user" ADD "allowUnsignedFetch" "public"."user_allowunsignedfetch_enum" NOT NULL DEFAULT 'staff'`); await queryRunner.query(`ALTER TABLE "user" ADD "allowUnsignedFetch" "public"."user_allowunsignedfetch_enum" NOT NULL DEFAULT 'staff'`);
// Special one-time migration: allow unauthorized fetch for instance actor // Special one-time migration: allow unauthorized fetch for system accounts
await queryRunner.query(`UPDATE "user" SET "allowUnsignedFetch" = 'always' WHERE "username" = 'instance.actor' AND "host" IS null`); await queryRunner.query(`UPDATE "user" SET "allowUnsignedFetch" = 'always' WHERE "username" LIKE '%.%' AND "host" IS null`);
// Special one-time migration: convert legacy config "" to meta setting "" // Special one-time migration: convert legacy config "" to meta setting ""
const config = await loadConfig(); const config = await loadConfig();

10
packages/backend/src/core/CreateSystemUserService.ts
View file

@ -29,7 +29,7 @@ export class CreateSystemUserService {
} }
@bindThis @bindThis
public async createSystemUser(username: string, data?: Partial<MiUser>): Promise<MiUser> { public async createSystemUser(username: string): Promise<MiUser> {
const password = randomUUID(); const password = randomUUID();
// Generate hash of password // Generate hash of password
@ -63,7 +63,13 @@ export class CreateSystemUserService {
isExplorable: false, isExplorable: false,
approved: true, approved: true,
isBot: true, isBot: true,
...(data ?? {}), /* we always allow requests about our instance actor, because when
a remote instance needs to check our signature on a request we
sent, it will need to fetch information about the user that
signed it (which is our instance actor), and if we try to check
their signature on *that* request, we'll fetch *their* instance
actor... leading to an infinite recursion */
allowUnsignedFetch: 'always',
}).then(x => transactionalEntityManager.findOneByOrFail(MiUser, x.identifiers[0])); }).then(x => transactionalEntityManager.findOneByOrFail(MiUser, x.identifiers[0]));
await transactionalEntityManager.insert(MiUserKeypair, { await transactionalEntityManager.insert(MiUserKeypair, {

10
packages/backend/src/core/InstanceActorService.ts
View file

@ -49,15 +49,7 @@ export class InstanceActorService {
this.cache.set(user); this.cache.set(user);
return user; return user;
} else { } else {
const created = await this.createSystemUserService.createSystemUser(ACTOR_USERNAME, { const created = await this.createSystemUserService.createSystemUser(ACTOR_USERNAME) as MiLocalUser;
/* we always allow requests about our instance actor, because when
a remote instance needs to check our signature on a request we
sent, it will need to fetch information about the user that
signed it (which is our instance actor), and if we try to check
their signature on *that* request, we'll fetch *their* instance
actor... leading to an infinite recursion */
allowUnsignedFetch: 'always',
}) as MiLocalUser;
this.cache.set(created); this.cache.set(created);
return created; return created;
} }