merge: feat: implement attachLdSignatureForRelays to control signing of Relayed activities (#599) (!579)

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/579

Closes #599

Approved-by: dakkar <dakkar@thenautilus.net>
Approved-by: Marie <marie@kaifa.ch>
This commit is contained in:
dakkar 2024-08-06 10:40:14 +00:00
commit 9de422280f
6 changed files with 36 additions and 6 deletions

View file

@ -198,8 +198,13 @@ proxyRemoteFiles: true
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4 # https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
#videoThumbnailGenerator: https://example.com #videoThumbnailGenerator: https://example.com
# Sign to ActivityPub GET request (default: true) # Sign outgoing ActivityPub GET request (default: true)
signToActivityPubGet: true signToActivityPubGet: true
# Sign outgoing ActivityPub Activities (default: true)
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
attachLdSignatureForRelays: true
# check that inbound ActivityPub GET requests are signed ("authorized fetch") # check that inbound ActivityPub GET requests are signed ("authorized fetch")
checkActivityPubGetSignature: false checkActivityPubGetSignature: false

View file

@ -270,8 +270,13 @@ proxyRemoteFiles: true
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4 # https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
#videoThumbnailGenerator: https://example.com #videoThumbnailGenerator: https://example.com
# Sign to ActivityPub GET request (default: true) # Sign outgoing ActivityPub GET request (default: true)
signToActivityPubGet: true signToActivityPubGet: true
# Sign outgoing ActivityPub Activities (default: true)
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
attachLdSignatureForRelays: true
# check that inbound ActivityPub GET requests are signed ("authorized fetch") # check that inbound ActivityPub GET requests are signed ("authorized fetch")
checkActivityPubGetSignature: false checkActivityPubGetSignature: false

View file

@ -285,8 +285,13 @@ proxyRemoteFiles: true
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4 # https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
#videoThumbnailGenerator: https://example.com #videoThumbnailGenerator: https://example.com
# Sign to ActivityPub GET request (default: true) # Sign outgoing ActivityPub GET request (default: true)
signToActivityPubGet: true signToActivityPubGet: true
# Sign outgoing ActivityPub Activities (default: true)
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
attachLdSignatureForRelays: true
# check that inbound ActivityPub GET requests are signed ("authorized fetch") # check that inbound ActivityPub GET requests are signed ("authorized fetch")
checkActivityPubGetSignature: false checkActivityPubGetSignature: false

View file

@ -208,8 +208,13 @@ id: "aidx"
# Media Proxy # Media Proxy
#mediaProxy: https://example.com/proxy #mediaProxy: https://example.com/proxy
# Sign to ActivityPub GET request (default: true) # Sign outgoing ActivityPub GET request (default: true)
signToActivityPubGet: true signToActivityPubGet: true
# Sign outgoing ActivityPub Activities (default: true)
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
attachLdSignatureForRelays: true
# check that inbound ActivityPub GET requests are signed ("authorized fetch") # check that inbound ActivityPub GET requests are signed ("authorized fetch")
checkActivityPubGetSignature: false checkActivityPubGetSignature: false

View file

@ -96,6 +96,7 @@ type Source = {
customMOTD?: string[]; customMOTD?: string[];
signToActivityPubGet?: boolean; signToActivityPubGet?: boolean;
attachLdSignatureForRelays?: boolean;
checkActivityPubGetSignature?: boolean; checkActivityPubGetSignature?: boolean;
perChannelMaxNoteCacheCount?: number; perChannelMaxNoteCacheCount?: number;
@ -162,6 +163,7 @@ export type Config = {
proxyRemoteFiles: boolean | undefined; proxyRemoteFiles: boolean | undefined;
customMOTD: string[] | undefined; customMOTD: string[] | undefined;
signToActivityPubGet: boolean; signToActivityPubGet: boolean;
attachLdSignatureForRelays: boolean;
checkActivityPubGetSignature: boolean | undefined; checkActivityPubGetSignature: boolean | undefined;
version: string; version: string;
@ -299,6 +301,7 @@ export function loadConfig(): Config {
proxyRemoteFiles: config.proxyRemoteFiles, proxyRemoteFiles: config.proxyRemoteFiles,
customMOTD: config.customMOTD, customMOTD: config.customMOTD,
signToActivityPubGet: config.signToActivityPubGet ?? true, signToActivityPubGet: config.signToActivityPubGet ?? true,
attachLdSignatureForRelays: config.attachLdSignatureForRelays ?? true,
checkActivityPubGetSignature: config.checkActivityPubGetSignature, checkActivityPubGetSignature: config.checkActivityPubGetSignature,
mediaProxy: externalMediaProxy ?? internalMediaProxy, mediaProxy: externalMediaProxy ?? internalMediaProxy,
externalMediaProxyEnabled: externalMediaProxy !== null && externalMediaProxy !== internalMediaProxy, externalMediaProxyEnabled: externalMediaProxy !== null && externalMediaProxy !== internalMediaProxy,

View file

@ -793,6 +793,13 @@ export class ApRendererService {
@bindThis @bindThis
public async attachLdSignature(activity: any, user: { id: MiUser['id']; host: null; }): Promise<IActivity> { public async attachLdSignature(activity: any, user: { id: MiUser['id']; host: null; }): Promise<IActivity> {
// Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
// When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
// This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
if (!this.config.attachLdSignatureForRelays) {
return activity;
}
const keypair = await this.userKeypairService.getUserKeypair(user.id); const keypair = await this.userKeypairService.getUserKeypair(user.id);
const jsonLd = this.jsonLdService.use(); const jsonLd = this.jsonLdService.use();