woem.men/forkey
4
2
Fork 3
Code Issues 34 Pull requests 16 Projects Releases Packages Wiki Activity Actions

Authorized Fetch #15

New issue
Open
opened 2025-01-10 12:07:19 +00:00 by ashten · 1 comment
ashten commented 2025-01-10 12:07:19 +00:00
Owner
Copy link

Summary

Confirm that Auth Fetch exists, and if it doesnt, implement it

Purpose

.

Do you want to implement this feature yourself?

  • Yes, I will implement this by myself and send a pull request
### Summary Confirm that Auth Fetch exists, and if it doesnt, implement it ### Purpose . ### Do you want to implement this feature yourself? - [ ] Yes, I will implement this by myself and send a pull request
sugar commented 2025-01-11 00:26:19 +00:00
Owner
Copy link

There doesn't seem to be an authorized fetch requirement implemented.

In general ActivityPubServerService.inbox and InboxProcessorService.process should help with the implementation, those functions essentially contain a full HTTP signature verification implementation, which should be extracted into separate functions. (I would prefer avoiding code duplication when Misskey already has a fine implementation of all the necessary checks, albeit this may not be trivial with InboxProcessorService.process, as some errors are unrecoverable when processing inbox queue, and some aren't).

The reason why I would want to avoid duplication is mostly to make future merges easier, if we copy and paste an implementation then if there will be any security vulnerabilities with the current implementation, we won't know about them if Misskey fixes them.

Also, authorized fetch requirement should be bypassed for instance actor (as otherwise another Forkey instance won't be able to fetch key used to verify instance.actor's requests).

When authorized fetch is enabled, Cache-Control: private, max-age=0, must-revalidate must be sent to tell nginx cache to not cache responses (as the response depends on sent HTTP signature).

There doesn't seem to be an authorized fetch requirement implemented. In general `ActivityPubServerService.inbox` and `InboxProcessorService.process` should help with the implementation, those functions essentially contain a full HTTP signature verification implementation, which should be extracted into separate functions. (I would prefer avoiding code duplication when Misskey already has a fine implementation of all the necessary checks, albeit this may not be trivial with `InboxProcessorService.process`, as some errors are unrecoverable when processing inbox queue, and some aren't). The reason why I would want to avoid duplication is mostly to make future merges easier, if we copy and paste an implementation then if there will be any security vulnerabilities with the current implementation, we won't know about them if Misskey fixes them. Also, authorized fetch requirement should be bypassed for instance actor (as otherwise another Forkey instance won't be able to fetch key used to verify instance.actor's requests). When authorized fetch is enabled, `Cache-Control: private, max-age=0, must-revalidate` must be sent to tell nginx cache to not cache responses (as the response depends on sent HTTP signature).
ashten added the
feature parity
 label 2025-01-11 21:48:26 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
fix/add-missing-translations
feature/mark-incoming-cwed-post-media-as-sensitive
mute-fix
cherrypick/small-and-center
feature/post-languages
feature/custom-email-template
cherrypick/refresh-polls
cherrypick/listenbrainz
feature/alt-text-achivements
cherrypick/choosable-search-engine
feature/indicate-block-mute
cherrypick/wildcard-antenna-accts
fix/scroll-alt-text
feature/alt-text-badge
feature/friendly-captcha
forkey-rebrand
bug/workflows
feature/approval
feature/meta-mfm
feature/note-editing
No results found.
Labels
Clear labels   
bug

Something is not working

  
customization

Change something to be more suitable for forkey

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
feature parity

Another fork has this feature, and it should be pulled into this fork.

  
help wanted

Need some help

  
high priority

   
invalid

Something is wrong

  
low priority

   
question

More information is needed

  
wontfix

This won't be fixed

No labels
bug
customization
duplicate
enhancement
feature parity
help wanted
high priority
invalid
low priority
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: woem.men/forkey#15
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?