refactor(federation): ♻️ Allow ActivityPub bridge requests to omit all signature headers, including x-signed-by

2026-03-13 05:49:16 +01:00 · 2024-11-24 16:40:23 +01:00 · 2024-11-24 16:40:23 +01:00 · b55237cdc8
commit b55237cdc8
parent 80b5184d6a
2 changed files with 39 additions and 6 deletions
--- a/api/users/:uuid/inbox/index.ts
+++ b/api/users/:uuid/inbox/index.ts
@ -25,7 +25,11 @@ export const schemas = {
    header: z.object({
        "x-signature": z.string().optional(),
        "x-nonce": z.string().optional(),
-        "x-signed-by": z.string().url().or(z.string().startsWith("instance ")),
+        "x-signed-by": z
+            .string()
+            .url()
+            .or(z.string().startsWith("instance "))
+            .optional(),
        authorization: z.string().optional(),
    }),
    body: z.any(),
@ -111,6 +115,32 @@ export default apiRoute((app) =>
        const logger = getLogger(["federation", "inbox"]);
        const body: Entity = await context.req.valid("json");

+        if (authorization) {
+            const processor = new InboxProcessor(
+                context,
+                body,
+                null,
+                {
+                    signature,
+                    nonce,
+                    authorization,
+                },
+                logger,
+            );
+
+            return await processor.process();
+        }
+
+        // If not potentially from bridge, check for required headers
+        if (!(signature && nonce && signedBy)) {
+            return context.json(
+                {
+                    error: "Missing required headers: x-signature, x-nonce, or x-signed-by",
+                },
+                400,
+            );
+        }
+
        const sender = await User.resolve(signedBy);

        if (!(sender || signedBy.startsWith("instance "))) {