Return a 400 from a bad delivery attempt to the inbox

This stops the backend from generating 500 errors from these events.
This commit is contained in:
Mark Felder 2023-12-19 13:53:10 -05:00
parent 99b07c817e
commit f43f33e307
3 changed files with 25 additions and 2 deletions

View file

@ -0,0 +1 @@
Invalid activities delivered to the inbox will be rejected with a 400 Bad Request

View file

@ -273,12 +273,17 @@ def outbox(conn, %{"nickname" => nickname}) do
end
def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
with %User{} = recipient <- User.get_cached_by_nickname(nickname),
{:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(params["actor"]),
with %User{is_active: true} = recipient <- User.get_cached_by_nickname(nickname),
{:ok, %User{is_active: true} = actor} <- User.get_or_fetch_by_ap_id(params["actor"]),
true <- Utils.recipient_in_message(recipient, actor, params),
params <- Utils.maybe_splice_recipient(recipient.ap_id, params) do
Federator.incoming_ap_doc(params)
json(conn, "ok")
else
_ ->
conn
|> put_status(:bad_request)
|> json("Invalid request.")
end
end

View file

@ -895,6 +895,23 @@ test "it inserts an incoming activity into the database", %{conn: conn, data: da
assert Activity.get_by_ap_id(data["id"])
end
test "it rejects an invalid incoming activity", %{conn: conn, data: data} do
user = insert(:user, is_active: false)
data =
data
|> Map.put("bcc", [user.ap_id])
|> Kernel.put_in(["object", "bcc"], [user.ap_id])
conn =
conn
|> assign(:valid_signature, true)
|> put_req_header("content-type", "application/activity+json")
|> post("/users/#{user.nickname}/inbox", data)
assert "Invalid request." == json_response(conn, 400)
end
test "it accepts messages with to as string instead of array", %{conn: conn, data: data} do
user = insert(:user)