From 27e95fd1237d13edafc557531932067d329e9733 Mon Sep 17 00:00:00 2001 From: tobi <31960611+tsmethurst@users.noreply.github.com> Date: Wed, 8 Feb 2023 15:10:56 +0100 Subject: [chore/bugfix] Serve + throttle publickey separately from rest of ActivityPub API (#1461) * serve publickey separately from AP, don't throttle it * update nginx cache documentation, cache main-key too * throttle public key, but separately from other endpoints --- internal/api/activitypub.go | 38 ++++++------ internal/api/activitypub/publickey/publickey.go | 48 +++++++++++++++ internal/api/activitypub/publickey/publickeyget.go | 71 ++++++++++++++++++++++ internal/api/activitypub/users/publickeyget.go | 71 ---------------------- internal/api/activitypub/users/user.go | 3 - 5 files changed, 139 insertions(+), 92 deletions(-) create mode 100644 internal/api/activitypub/publickey/publickey.go create mode 100644 internal/api/activitypub/publickey/publickeyget.go delete mode 100644 internal/api/activitypub/users/publickeyget.go (limited to 'internal/api') diff --git a/internal/api/activitypub.go b/internal/api/activitypub.go index df48afb18..72a8f6e26 100644 --- a/internal/api/activitypub.go +++ b/internal/api/activitypub.go @@ -19,11 +19,9 @@ package api import ( - "context" - "net/url" - "github.com/gin-gonic/gin" "github.com/superseriousbusiness/gotosocial/internal/api/activitypub/emoji" + "github.com/superseriousbusiness/gotosocial/internal/api/activitypub/publickey" "github.com/superseriousbusiness/gotosocial/internal/api/activitypub/users" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/middleware" @@ -32,10 +30,10 @@ import ( ) type ActivityPub struct { - emoji *emoji.Module - users *users.Module - - isURIBlocked func(context.Context, *url.URL) (bool, db.Error) + emoji *emoji.Module + users *users.Module + publicKey *publickey.Module + signatureCheckMiddleware gin.HandlerFunc } func (a *ActivityPub) Route(r router.Router, m ...gin.HandlerFunc) { @@ -43,25 +41,29 @@ func (a *ActivityPub) Route(r router.Router, m ...gin.HandlerFunc) { emojiGroup := r.AttachGroup("emoji") usersGroup := r.AttachGroup("users") - // instantiate + attach shared, non-global middlewares to both of these groups - var ( - signatureCheckMiddleware = middleware.SignatureCheck(a.isURIBlocked) - cacheControlMiddleware = middleware.CacheControl("no-store") - ) + // attach shared, non-global middlewares to both of these groups + cacheControlMiddleware := middleware.CacheControl("no-store") emojiGroup.Use(m...) usersGroup.Use(m...) - emojiGroup.Use(signatureCheckMiddleware, cacheControlMiddleware) - usersGroup.Use(signatureCheckMiddleware, cacheControlMiddleware) + emojiGroup.Use(a.signatureCheckMiddleware, cacheControlMiddleware) + usersGroup.Use(a.signatureCheckMiddleware, cacheControlMiddleware) a.emoji.Route(emojiGroup.Handle) a.users.Route(usersGroup.Handle) } +// Public key endpoint requires different middleware + cache policies from other AP endpoints. +func (a *ActivityPub) RoutePublicKey(r router.Router, m ...gin.HandlerFunc) { + publicKeyGroup := r.AttachGroup(publickey.PublicKeyPath) + publicKeyGroup.Use(a.signatureCheckMiddleware, middleware.CacheControl("public,max-age=604800")) + a.publicKey.Route(publicKeyGroup.Handle) +} + func NewActivityPub(db db.DB, p processing.Processor) *ActivityPub { return &ActivityPub{ - emoji: emoji.New(p), - users: users.New(p), - - isURIBlocked: db.IsURIBlocked, + emoji: emoji.New(p), + users: users.New(p), + publicKey: publickey.New(p), + signatureCheckMiddleware: middleware.SignatureCheck(db.IsURIBlocked), } } diff --git a/internal/api/activitypub/publickey/publickey.go b/internal/api/activitypub/publickey/publickey.go new file mode 100644 index 000000000..7b3882628 --- /dev/null +++ b/internal/api/activitypub/publickey/publickey.go @@ -0,0 +1,48 @@ +/* + GoToSocial + Copyright (C) 2021-2023 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package publickey + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/processing" + "github.com/superseriousbusiness/gotosocial/internal/uris" +) + +const ( + // UsernameKey is for account usernames. + UsernameKey = "username" + // PublicKeyPath is a path to a user's public key, for serving bare minimum AP representations. + PublicKeyPath = "users/:" + UsernameKey + "/" + uris.PublicKeyPath +) + +type Module struct { + processor processing.Processor +} + +func New(processor processing.Processor) *Module { + return &Module{ + processor: processor, + } +} + +func (m *Module) Route(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) { + attachHandler(http.MethodGet, "", m.PublicKeyGETHandler) +} diff --git a/internal/api/activitypub/publickey/publickeyget.go b/internal/api/activitypub/publickey/publickeyget.go new file mode 100644 index 000000000..36e1c3569 --- /dev/null +++ b/internal/api/activitypub/publickey/publickeyget.go @@ -0,0 +1,71 @@ +/* + GoToSocial + Copyright (C) 2021-2023 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package publickey + +import ( + "encoding/json" + "errors" + "net/http" + "strings" + + "github.com/gin-gonic/gin" + apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" + "github.com/superseriousbusiness/gotosocial/internal/gtserror" +) + +// PublicKeyGETHandler should be served at eg https://example.org/users/:username/main-key. +// +// The goal here is to return a MINIMAL activitypub representation of an account +// in the form of a vocab.ActivityStreamsPerson. The account will only contain the id, +// public key, username, and type of the account. +func (m *Module) PublicKeyGETHandler(c *gin.Context) { + // usernames on our instance are always lowercase + requestedUsername := strings.ToLower(c.Param(UsernameKey)) + if requestedUsername == "" { + err := errors.New("no username specified in request") + apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) + return + } + + format, err := apiutil.NegotiateAccept(c, apiutil.HTMLOrActivityPubHeaders...) + if err != nil { + apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) + return + } + + if format == string(apiutil.TextHTML) { + // redirect to the user's profile + c.Redirect(http.StatusSeeOther, "/@"+requestedUsername) + return + } + + resp, errWithCode := m.processor.GetFediUser(apiutil.TransferSignatureContext(c), requestedUsername, c.Request.URL) + if errWithCode != nil { + apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) + return + } + + b, err := json.Marshal(resp) + if err != nil { + apiutil.ErrorHandler(c, gtserror.NewErrorInternalError(err), m.processor.InstanceGetV1) + return + } + + c.Data(http.StatusOK, format, b) +} diff --git a/internal/api/activitypub/users/publickeyget.go b/internal/api/activitypub/users/publickeyget.go deleted file mode 100644 index 27457f107..000000000 --- a/internal/api/activitypub/users/publickeyget.go +++ /dev/null @@ -1,71 +0,0 @@ -/* - GoToSocial - Copyright (C) 2021-2023 GoToSocial Authors admin@gotosocial.org - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. - - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . -*/ - -package users - -import ( - "encoding/json" - "errors" - "net/http" - "strings" - - "github.com/gin-gonic/gin" - apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" - "github.com/superseriousbusiness/gotosocial/internal/gtserror" -) - -// PublicKeyGETHandler should be served at eg https://example.org/users/:username/main-key. -// -// The goal here is to return a MINIMAL activitypub representation of an account -// in the form of a vocab.ActivityStreamsPerson. The account will only contain the id, -// public key, username, and type of the account. -func (m *Module) PublicKeyGETHandler(c *gin.Context) { - // usernames on our instance are always lowercase - requestedUsername := strings.ToLower(c.Param(UsernameKey)) - if requestedUsername == "" { - err := errors.New("no username specified in request") - apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1) - return - } - - format, err := apiutil.NegotiateAccept(c, apiutil.HTMLOrActivityPubHeaders...) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) - return - } - - if format == string(apiutil.TextHTML) { - // redirect to the user's profile - c.Redirect(http.StatusSeeOther, "/@"+requestedUsername) - return - } - - resp, errWithCode := m.processor.GetFediUser(apiutil.TransferSignatureContext(c), requestedUsername, c.Request.URL) - if errWithCode != nil { - apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) - return - } - - b, err := json.Marshal(resp) - if err != nil { - apiutil.ErrorHandler(c, gtserror.NewErrorInternalError(err), m.processor.InstanceGetV1) - return - } - - c.Data(http.StatusOK, format, b) -} diff --git a/internal/api/activitypub/users/user.go b/internal/api/activitypub/users/user.go index 71e47d7e9..257453bcb 100644 --- a/internal/api/activitypub/users/user.go +++ b/internal/api/activitypub/users/user.go @@ -42,8 +42,6 @@ const ( // BasePath is the base path for serving AP 'users' requests, minus the 'users' prefix. BasePath = "/:" + UsernameKey - // PublicKeyPath is a path to a user's public key, for serving bare minimum AP representations. - PublicKeyPath = BasePath + "/" + uris.PublicKeyPath // InboxPath is for serving POST requests to a user's inbox with the given username key. InboxPath = BasePath + "/" + uris.InboxPath // OutboxPath is for serving GET requests to a user's outbox with the given username key. @@ -74,7 +72,6 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H attachHandler(http.MethodGet, FollowersPath, m.FollowersGETHandler) attachHandler(http.MethodGet, FollowingPath, m.FollowingGETHandler) attachHandler(http.MethodGet, StatusPath, m.StatusGETHandler) - attachHandler(http.MethodGet, PublicKeyPath, m.PublicKeyGETHandler) attachHandler(http.MethodGet, StatusRepliesPath, m.StatusRepliesGETHandler) attachHandler(http.MethodGet, OutboxPath, m.OutboxGETHandler) } -- cgit v1.2.3