merge: look inside url when checking activity origin - #512 (!521)

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/521 Closes #512 Approved-by: Marie <marie@kaifa.ch> Approved-by: fEmber <acomputerdog@gmail.com>
2024-05-31 10:37:54 +00:00 · 2024-05-31 10:37:54 +00:00 · 11aac8253d
commit 11aac8253d
parent 4f346ebe0c c05cc63e24
2 changed files with 66 additions and 7 deletions
--- a/packages/backend/src/core/activitypub/misc/check-against-url.ts
+++ b/packages/backend/src/core/activitypub/misc/check-against-url.ts
@ -4,16 +4,24 @@
 */
 import type { IObject } from '../type.js';

+function getHrefFrom(one: IObject|string): string | undefined {
+	if (typeof(one) === 'string') return one;
+	return one.href;
+}
+
 export function assertActivityMatchesUrls(activity: IObject, urls: string[]) {
 	const idOk = activity.id !== undefined && urls.includes(activity.id);
+	if (idOk) return;

-	// technically `activity.url` could be an `ApObject = IObject |
-	// string | (IObject | string)[]`, but if it's a complicated thing
-	// and the `activity.id` doesn't match, I think we're fine
-	// rejecting the activity
-	const urlOk = typeof(activity.url) === 'string' && urls.includes(activity.url);
+	const url = activity.url;
+	if (url) {
+		// `activity.url` can be an `ApObject = IObject | string | (IObject
+		// | string)[]`, we have to look inside it
+		const activityUrls = Array.isArray(url) ? url.map(getHrefFrom) : [getHrefFrom(url)];
+		const goodUrl = activityUrls.find(u => u && urls.includes(u));

-	if (!idOk && !urlOk) {
-		throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${activity?.url}) match location(${urls})`);
+		if (goodUrl) return;
 	}
+
+	throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${JSON.stringify(activity?.url)}) match location(${urls})`);
 }