fix(api/activitypub): simplify signature requirements (#10189)

Some ActivityPub implementations, for example Mastodon, fetch the outbox when initially populating a user. Mastodon specifically uses the instance to sign the request for this. Further, some implementations sign moderation reports using the instance when delivering them to an actor inbox to protect the privacy of the reporting person to the remote instance. --- ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10189 Reviewed-by: jerger <jerger@noreply.codeberg.org> Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: famfo <famfo@famfo.xyz> Co-committed-by: famfo <famfo@famfo.xyz>
2026-05-12 22:10:25 +00:00 · 2025-12-03 16:18:15 +01:00 · 2025-12-03 16:18:15 +01:00 · 420621d2d4
commit 420621d2d4
parent d3f4c4c5e7
2 changed files with 11 additions and 49 deletions
--- a/routers/api/v1/activitypub/reqsignature.go
+++ b/routers/api/v1/activitypub/reqsignature.go
@ -14,7 +14,7 @@ import (
 	"github.com/42wim/httpsig"
 )

-func verifyHTTPUserOrInstanceSignature(ctx app_context.APIContext) (authenticated bool, err error) {
+func verifyHTTPSignature(ctx app_context.APIContext) (authenticated bool, err error) {
 	if !setting.Federation.SignatureEnforced {
 		return true, nil
 	}
@ -43,49 +43,11 @@ func verifyHTTPUserOrInstanceSignature(ctx app_context.APIContext) (authenticate
 	return true, nil
 }

-func verifyHTTPUserSignature(ctx app_context.APIContext) (authenticated bool, err error) {
-	if !setting.Federation.SignatureEnforced {
-		return true, nil
-	}
-
-	r := ctx.Req
-
-	// 1. Figure out what key we need to verify
-	v, err := httpsig.NewVerifier(r)
-	if err != nil {
-		return false, err
-	}
-
-	signatureAlgorithm := httpsig.Algorithm(setting.Federation.SignatureAlgorithms[0])
-	pubKey, err := federation.FindOrCreateFederatedUserKey(ctx, v.KeyId())
-	if err != nil {
-		return false, err
-	}
-
-	err = v.Verify(pubKey, signatureAlgorithm)
-	if err != nil {
-		return false, err
-	}
-	return true, nil
-}
-
 // ReqHTTPSignature function
-func ReqHTTPUserOrInstanceSignature() func(ctx *app_context.APIContext) {
+func ReqHTTPSignature() func(ctx *app_context.APIContext) {
 	return func(ctx *app_context.APIContext) {
-		if authenticated, err := verifyHTTPUserOrInstanceSignature(*ctx); err != nil {
-			log.Warn("verifyHttpSignatures failed: %v", err)
-			ctx.Error(http.StatusBadRequest, "reqSignature", "request signature verification failed")
-		} else if !authenticated {
-			ctx.Error(http.StatusForbidden, "reqSignature", "request signature verification failed")
-		}
-	}
-}
-
-// ReqHTTPUserSignature function
-func ReqHTTPUserSignature() func(ctx *app_context.APIContext) {
-	return func(ctx *app_context.APIContext) {
-		if authenticated, err := verifyHTTPUserSignature(*ctx); err != nil {
-			log.Warn("verifyHttpSignatures failed: %v", err)
+		if authenticated, err := verifyHTTPSignature(*ctx); err != nil {
+			log.Warn("verifyHttpSignature failed: %v", err)
 			ctx.Error(http.StatusBadRequest, "reqSignature", "request signature verification failed")
 		} else if !authenticated {
 			ctx.Error(http.StatusForbidden, "reqSignature", "request signature verification failed")
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -878,29 +878,29 @@ func Routes() *web.Route {
 			m.Get("/nodeinfo", misc.NodeInfo)
 			m.Group("/activitypub", func() {
 				m.Group("/user-id/{user-id}", func() {
-					m.Get("", activitypub.ReqHTTPUserOrInstanceSignature(), activitypub.Person)
+					m.Get("", activitypub.ReqHTTPSignature(), activitypub.Person)
 					m.Post("/inbox",
-						activitypub.ReqHTTPUserSignature(),
+						activitypub.ReqHTTPSignature(),
 						bind(ap.Activity{}),
 						activitypub.PersonInbox)
 					m.Group("/activities/{activity-id}", func() {
 						m.Get("", activitypub.PersonActivityNote)
 						m.Get("/activity", activitypub.PersonActivity)
 					})
-					m.Get("/outbox", activitypub.ReqHTTPUserSignature(), activitypub.PersonFeed)
+					m.Get("/outbox", activitypub.ReqHTTPSignature(), activitypub.PersonFeed)
 				}, context.UserIDAssignmentAPI(), checkTokenPublicOnly())
 				m.Group("/actor", func() {
 					m.Get("", activitypub.Actor)
-					m.Post("/inbox", activitypub.ReqHTTPUserOrInstanceSignature(), activitypub.ActorInbox)
+					m.Post("/inbox", activitypub.ReqHTTPSignature(), activitypub.ActorInbox)
 					m.Get("/outbox", activitypub.ActorOutbox)
 				})
 				m.Group("/repository-id/{repository-id}", func() {
-					m.Get("", activitypub.ReqHTTPUserSignature(), activitypub.Repository)
+					m.Get("", activitypub.ReqHTTPSignature(), activitypub.Repository)
 					m.Post("/inbox",
 						bind(ap.Activity{}),
-						activitypub.ReqHTTPUserSignature(),
+						activitypub.ReqHTTPSignature(),
 						activitypub.RepositoryInbox)
-					m.Get("/outbox", activitypub.ReqHTTPUserSignature(), activitypub.RepositoryOutbox)
+					m.Get("/outbox", activitypub.ReqHTTPSignature(), activitypub.RepositoryOutbox)
 				}, context.RepositoryIDAssignmentAPI())
 			}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
 		}