Secure mode federation support (WIP)

[Alexis211]

This is a first iteration of my work aiming at adding support for so-called "secure-mode federation" (#35) (see Mastodon documentation). The following features are added:

• In addition to ObjectId::dereference, a new function ObjectId::dereference_signed, which takes an actor as an additionnal argument and signs the GET request with the actor's private key
• For the server side, a new helper function signing_actor (currently only for Actix web) checks whether the request has a valid signature from any actor, and returns that actor so that further checks can be made (e.g. on the actor's identity or on the server where it is hosted).

Open questions:

• Does the proposed API look sensible, does it address well the problem?
• A lot of code is currently duplicated for the dereference_signed code path, how can this be improved?

[Nutomic]

Mastodon itself uses a dedicated system actor to sign such HTTP requests.

Based on this line from the Mastodon docs, a different approach would make sense: Add an optional field signed_fetch_key (or however you want to call it) to FederationConfig. If that field is set, sign all outgoing requests with the given key. Then it wouldnt be necessary to add extra fetch methods or pass additional arguments all over your code. Using a single key for all users is also better for privacy.

By the way have you already tested that this is compatible with Mastodon?

@darrinsmart Maybe you can also have a look.

[Alexis211]

Based on this line from the Mastodon docs, a different approach would make sense: Add an optional field signed_fetch_key (or however you want to call it) to FederationConfig. If that field is set, sign all outgoing requests with the given key. Then it wouldnt be necessary to add extra fetch methods or pass additional arguments all over your code. Using a single key for all users is also better for privacy.

Thanks, it makes sense. I will try implementing that instead.

By the way have you already tested that this is compatible with Mastodon?

I have not. I don't run a Mastodon server, and I don't have time to spawn one to test this feature (I'm doing this PR because I need it for a new activitypub server thing, not for Mastodon compatibility). If you know the address of an existing Mastodon server that has secure mode enabled, I can test outgoing requests to that server.

[Nutomic]

Looks good! Some minor notes and clippy is failing in CI.

If you can test against another platform besides Mastodon thats also good. However I dont have such a server either. I just want to avoid an incompatible implementation in the wild which could make things complicated in the future. How about we leave this PR open until someone can test it? Anyway there wouldnt be many other changes to create conflicts.

[Alexis211]

How about we leave this PR open until someone can test it?

LGTM

[darrinsmart]

Apologies for the late reply - I don't have much spare time at the moment.

It was a very minimal test, but I was able to dereference my Gotosocial account with Alex's change - so looks good from here too!

[Nutomic]

Great, thanks!