search

bookwyrm-social / bookwyrm

Social reading and reviewing, decentralized with ActivityPub
http://joinbookwyrm.com/
Other
2.25k stars 263 forks source link

Remote ActivityPub actors with fragment identifiers (IRI) are not supported #2801

Closed imitko closed 1 year ago

imitko commented 1 year ago

A remote fediverse actor with URL fragment identifier can be searched and even asked to follow but BookWyrm reject 'Accept' and other incoming activities with http/401, note the remote proven to communicate with Mastodon and Pixelfed based instances (for example).

An example actor could be tried is http://fediverse.demo.openlinksw.com/dataspace/person/demo#this identifier @demo@fediverse.demo.openlinksw.com

The problem boils down to following code in signature verification:

bookwyrm/views/inbox.py

134         key_actor = urldefrag(signature.key_id).url
135         if key_actor != activity.get("actor"):  # <<< [1]
136             raise ValueError("Wrong actor created signature.")
137     
138         remote_user = activitypub.resolve_remote_id(key_actor, model=models.User) # <<< [2]
139         if not remote_user:
140             return False
  1. The keyId is not mandatory to be a same path as actor, it is common to be in same document, but actor is not a document URL.
  2. Person/Organization etc. objects are not documents, therefore these can have fragment identifiers.

Expected flow: Resolve the document based on keyId, look at publicKey/owner relation and compare with actor, if so use publicKeyPem to construct crypto key for verification, perhaps can cache the keyId publicKey/id from user profile and look for it.

Version is main branch on Github but fails with old versions as well.

hughrun commented 1 year ago

@WesleyAC I think this might be related to our GoToSocial problem. I'm going to take a look at this today.