mirror of
https://activitypub.software/TransFem-org/Sharkey
synced 2024-11-29 01:13:02 +00:00
merge: feat: implement attachLdSignatureForRelays
to control signing of Relayed activities (#599) (!579)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/579 Closes #599 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Marie <marie@kaifa.ch>
This commit is contained in:
commit
9de422280f
6 changed files with 36 additions and 6 deletions
|
@ -198,8 +198,13 @@ proxyRemoteFiles: true
|
||||||
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
||||||
#videoThumbnailGenerator: https://example.com
|
#videoThumbnailGenerator: https://example.com
|
||||||
|
|
||||||
# Sign to ActivityPub GET request (default: true)
|
# Sign outgoing ActivityPub GET request (default: true)
|
||||||
signToActivityPubGet: true
|
signToActivityPubGet: true
|
||||||
|
# Sign outgoing ActivityPub Activities (default: true)
|
||||||
|
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
|
||||||
|
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
|
||||||
|
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
|
||||||
|
attachLdSignatureForRelays: true
|
||||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||||
checkActivityPubGetSignature: false
|
checkActivityPubGetSignature: false
|
||||||
|
|
||||||
|
|
|
@ -270,8 +270,13 @@ proxyRemoteFiles: true
|
||||||
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
||||||
#videoThumbnailGenerator: https://example.com
|
#videoThumbnailGenerator: https://example.com
|
||||||
|
|
||||||
# Sign to ActivityPub GET request (default: true)
|
# Sign outgoing ActivityPub GET request (default: true)
|
||||||
signToActivityPubGet: true
|
signToActivityPubGet: true
|
||||||
|
# Sign outgoing ActivityPub Activities (default: true)
|
||||||
|
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
|
||||||
|
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
|
||||||
|
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
|
||||||
|
attachLdSignatureForRelays: true
|
||||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||||
checkActivityPubGetSignature: false
|
checkActivityPubGetSignature: false
|
||||||
|
|
||||||
|
|
|
@ -285,8 +285,13 @@ proxyRemoteFiles: true
|
||||||
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
|
||||||
#videoThumbnailGenerator: https://example.com
|
#videoThumbnailGenerator: https://example.com
|
||||||
|
|
||||||
# Sign to ActivityPub GET request (default: true)
|
# Sign outgoing ActivityPub GET request (default: true)
|
||||||
signToActivityPubGet: true
|
signToActivityPubGet: true
|
||||||
|
# Sign outgoing ActivityPub Activities (default: true)
|
||||||
|
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
|
||||||
|
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
|
||||||
|
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
|
||||||
|
attachLdSignatureForRelays: true
|
||||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||||
checkActivityPubGetSignature: false
|
checkActivityPubGetSignature: false
|
||||||
|
|
||||||
|
|
|
@ -208,8 +208,13 @@ id: "aidx"
|
||||||
# Media Proxy
|
# Media Proxy
|
||||||
#mediaProxy: https://example.com/proxy
|
#mediaProxy: https://example.com/proxy
|
||||||
|
|
||||||
# Sign to ActivityPub GET request (default: true)
|
# Sign outgoing ActivityPub GET request (default: true)
|
||||||
signToActivityPubGet: true
|
signToActivityPubGet: true
|
||||||
|
# Sign outgoing ActivityPub Activities (default: true)
|
||||||
|
# Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
|
||||||
|
# When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
|
||||||
|
# This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
|
||||||
|
attachLdSignatureForRelays: true
|
||||||
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
# check that inbound ActivityPub GET requests are signed ("authorized fetch")
|
||||||
checkActivityPubGetSignature: false
|
checkActivityPubGetSignature: false
|
||||||
|
|
||||||
|
|
|
@ -96,6 +96,7 @@ type Source = {
|
||||||
customMOTD?: string[];
|
customMOTD?: string[];
|
||||||
|
|
||||||
signToActivityPubGet?: boolean;
|
signToActivityPubGet?: boolean;
|
||||||
|
attachLdSignatureForRelays?: boolean;
|
||||||
checkActivityPubGetSignature?: boolean;
|
checkActivityPubGetSignature?: boolean;
|
||||||
|
|
||||||
perChannelMaxNoteCacheCount?: number;
|
perChannelMaxNoteCacheCount?: number;
|
||||||
|
@ -162,6 +163,7 @@ export type Config = {
|
||||||
proxyRemoteFiles: boolean | undefined;
|
proxyRemoteFiles: boolean | undefined;
|
||||||
customMOTD: string[] | undefined;
|
customMOTD: string[] | undefined;
|
||||||
signToActivityPubGet: boolean;
|
signToActivityPubGet: boolean;
|
||||||
|
attachLdSignatureForRelays: boolean;
|
||||||
checkActivityPubGetSignature: boolean | undefined;
|
checkActivityPubGetSignature: boolean | undefined;
|
||||||
|
|
||||||
version: string;
|
version: string;
|
||||||
|
@ -299,6 +301,7 @@ export function loadConfig(): Config {
|
||||||
proxyRemoteFiles: config.proxyRemoteFiles,
|
proxyRemoteFiles: config.proxyRemoteFiles,
|
||||||
customMOTD: config.customMOTD,
|
customMOTD: config.customMOTD,
|
||||||
signToActivityPubGet: config.signToActivityPubGet ?? true,
|
signToActivityPubGet: config.signToActivityPubGet ?? true,
|
||||||
|
attachLdSignatureForRelays: config.attachLdSignatureForRelays ?? true,
|
||||||
checkActivityPubGetSignature: config.checkActivityPubGetSignature,
|
checkActivityPubGetSignature: config.checkActivityPubGetSignature,
|
||||||
mediaProxy: externalMediaProxy ?? internalMediaProxy,
|
mediaProxy: externalMediaProxy ?? internalMediaProxy,
|
||||||
externalMediaProxyEnabled: externalMediaProxy !== null && externalMediaProxy !== internalMediaProxy,
|
externalMediaProxyEnabled: externalMediaProxy !== null && externalMediaProxy !== internalMediaProxy,
|
||||||
|
|
|
@ -793,6 +793,13 @@ export class ApRendererService {
|
||||||
|
|
||||||
@bindThis
|
@bindThis
|
||||||
public async attachLdSignature(activity: any, user: { id: MiUser['id']; host: null; }): Promise<IActivity> {
|
public async attachLdSignature(activity: any, user: { id: MiUser['id']; host: null; }): Promise<IActivity> {
|
||||||
|
// Linked Data signatures are cryptographic signatures attached to each activity to provide proof of authenticity.
|
||||||
|
// When using authorized fetch, this is often undesired as any signed activity can be forwarded to a blocked instance by relays and other instances.
|
||||||
|
// This setting allows admins to disable LD signatures for increased privacy, at the expense of fewer relayed activities and additional inbound fetch (GET) requests.
|
||||||
|
if (!this.config.attachLdSignatureForRelays) {
|
||||||
|
return activity;
|
||||||
|
}
|
||||||
|
|
||||||
const keypair = await this.userKeypairService.getUserKeypair(user.id);
|
const keypair = await this.userKeypairService.getUserKeypair(user.id);
|
||||||
|
|
||||||
const jsonLd = this.jsonLdService.use();
|
const jsonLd = this.jsonLdService.use();
|
||||||
|
|
Loading…
Reference in a new issue