about summary refs log tree commit diff
path: root/app/services/activitypub
AgeCommit message (Collapse)Author
2019-01-02Revert "Add handler for Move activity (#9629)"Thibaut Girka
This reverts commit 0f938ff29c2e9bf92e3eb9c23be8d4ba3a1b97f7.
2018-12-30Reduce usage of LD signatures (#9659)ThibG
* Do not LDS-sign Follow, Accept, Reject, Undo, Block * Do not use LDS for Create activities of private toots * Minor cleanup * Ignore unsigned activities instead of misattributing them * Use status.distributable? instead of querying visibility directly
2018-12-29Add handler for Move activity (#9629)Eugen Rochko
2018-11-10Fix emoji update date processing (#9255)ThibG
2018-10-26Add locality check to ActivityPub::FetchRemoteAccountService (#9109)Eugen Rochko
* Add locality check to ActivityPub::FetchRemoteAccountService Fix #8643 Because there are a few places where it is called, it is difficult to confirm if they all previously checked it for locality. It's better to make sure within the service. * Remove faux-remote duplicates of local accounts
2018-09-18Redesign forms, verify link ownership with rel="me" (#8703)Eugen Rochko
* Verify link ownership with rel="me" * Add explanation about verification to UI * Perform link verifications * Add click-to-copy widget for verification HTML * Redesign edit profile page * Redesign forms * Improve responsive design of settings pages * Restore landing page sign-up form * Fix typo * Support <link> tags, add spec * Fix links not being verified on first discovery and passive updates
2018-08-26Add CLI task for rotating keys (#8466)Eugen Rochko
* If an Update is signed with known key, skip re-following procedure Because it means the remote actor did *not* lose their database * Add CLI method for rotating keys bin/tootctl accounts rotate [USERNAME] Generates a new RSA key per account and sends out an Update activity signed with the old key. * Key rotation: Space out Update fan-outs every 5 minutes per 1000 accounts * Skip suspended accounts in key rotation
2018-08-23Do not crash if remote custom emoji does not define updated date (fixes ↵ThibG
#8376) (#8377)
2018-08-22Improve federated ID validation (#8372)Eugen Rochko
* Fix URI not being sufficiently validated with prefetched JSON * Add additional id validation to OStatus documents, when possible
2018-07-28Prevent ActivityPub movedTo recursion (#8092)Eugen Rochko
Fix #8051
2018-05-16Raise Mastodon::RaceConditionError if Redis lock failed (#7511)Akihiko Odaki
An explicit error allows user agents to know the error and Sidekiq to retry.
2018-05-14Fix account URI when updating ActivityPub account (#7488)Wiktor
Updates account `uri` field on each call to `update_account` instead of only once during `create_account` to mirror the same behavior in OStatus `ResolveAccountService` class [0]. ActivityPub accounts are identified using `@username` and `@domain` pair instead of URI since #6842. This fixes #7479: a bug when the account identified by `@username` and `@domain` changes its URI. [0]: https://github.com/tootsuite/mastodon/blob/03b69ebc450efc07246bd64204276941b7ede3fc/app/services/resolve_account_service.rb#L121
2018-05-12Fetch boosted statuses on behalf of a follower (fixes #7426) (#7459)ThibG
When an ActivityPub Announce is processed and the boosted toot is not known, fetch it on behalf of one of the booster's followers. This is to allow fetching self-boosts of previously-unknown private toots. If fetching on behalf of a user fails, try fetching it anonymously: the selected follower of a boosting user may be banned by the boosted toot's author.
2018-05-08Take the first recognized actor_type. (#7410)Surinna Curtis
2018-05-07Bot nameplates (#7391)Eugen Rochko
* Store actor type in database * Add bot nameplate to web UI, add setting to preferences, API, AP Fix #7365 * Fix code style issues
2018-05-05Fix handling of malformed ActivityPub payloads when URIs are nil (#7370)Eugen Rochko
* Fix handling of malformed ActivityPub payloads when URIs are nil * Gracefully handle JSON-LD canonicalization failures
2018-05-02Guard against nil URLs in Request class (#7284)Eugen Rochko
Fix #7265
2018-05-02Support Actors/Statuses with multiple types (#7305)Surinna Curtis
* Add equals_or_includes_any? helper in JsonLdHelper * Support arrays in JSON-LD type fields for actors/tags/objects. * Spec for resolving accounts with extension types * Style tweaks for codeclimate
2018-04-14Add bio fields (#6645)Eugen Rochko
* Add bio fields - Fix #3211 - Fix #232 - Fix #121 * Display bio fields in web UI * Fix output of links and missing fields * Federate bio fields over ActivityPub as PropertyValue * Improve how the fields are stored, add to Edit profile form * Add rel=me to links in fields Fix #121
2018-04-13Ensure SynchronizeFeaturedCollectionWorker is unique and clean up (#7043)Eugen Rochko
* Ensure SynchronizeFeaturedCollectionWorker is unique and clean up Fix #7041 * Fix code style issue
2018-04-03Fix nil account issue in ProcessAccountService (#7019)Nolan Lawson
2018-04-02Support all ActivityPub actor types (#6997)Eugen Rochko
Fix #6973
2018-04-01[WIP] Enable custom emoji on account pages and in the sidebar (#6124)David Underwood
Federate custom emojis with accounts
2018-03-20Use username/domain to match existing accounts in ActivityPub (#6842)Eugen Rochko
See also: #6837, #6667
2018-03-04Federate pinned statuses over ActivityPub (#6610)Eugen Rochko
* Federate pinned statuses over ActivityPub * Display pinned toots in web UI Fix #6117 * Fix migration * Fix tests * Update outbox_serializer.rb * Update remove_serializer.rb * Update add_serializer.rb * Update fetch_featured_collection_service.rb
2018-01-15Allow attributedTo in a status to be an embedded object (#6238)puckipedia
2018-01-08Fix bad URL schemes being accepted (#6219)Eugen Rochko
* Fix actors accepting invalid URI schemes or different host between URI and URL * Fix statuses accepting invalid URI scheme or different host to actor * Adjust tests to new requirements * Improve readability of mismatching_origin?/invalid_origin? methods
2018-01-03Update moved-to property when it's removed too (#6160)Eugen Rochko
* Fix #6140 - Update moved-to property when it's removed too * Remove trailing whitespace
2017-12-06Using double splat operator (#5859)Yamagishi Kazutoshi
2017-11-30Add semi-support for Video/Image objects in ActivityPub (#5848)Eugen Rochko
* Add semi-support for Video/Image objects in ActivityPub Video and Image objects will create corresponding status records with manually crafted text contents (title + URL) * Extract html-url-finding logic into JsonLdHelper * Fallback to id when url missing, extract supported object types
2017-11-19Fix NoMethodError at ActivityPub::FetchRemoteStatusService (#5753)abcang
2017-11-18Profile redirect notes (#5746)Eugen Rochko
* Serialize moved accounts into REST and ActivityPub APIs * Parse federated moved accounts from ActivityPub * Add note about moved accounts to public profiles * Add moved account message to web UI * Fix code style issues
2017-10-30Update remote ActivityPub users when fetching their toots (#5545)ThibG
2017-10-08Fix #5272 - Order of checks in ActivityPub handler (#5276)Eugen Rochko
2017-10-08Set snowflake IDs for backdated statuses (#5260)Eugen Rochko
- Rename Mastodon::TimestampIds into Mastodon::Snowflake for clarity - Skip for statuses coming from inbox, aka delivered in real-time - Skip for statuses that claim to be from the future
2017-10-04Check Webfinger-returned author URI even when not redirected (#5213)ThibG
The whole point of verified_webfinger? is to check the WebFinger-discoverable URI maps back to the known author URI. This was not actually verified if the first Webfinger request was not a redirection.
2017-10-04Validate id of ActivityPub representations (#5114)Akihiko Odaki
Additionally, ActivityPub::FetchRemoteStatusService no longer parses activities. OStatus::Activity::Creation no longer delegates to ActivityPub because the provided ActivityPub representations are not signed while OStatus representations are.
2017-10-04Fix possible acct: uri usurpation in ActivityPub account discovery (#5208)Eugen Rochko
Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
2017-09-26Fix #5059 - Stop processing payload if it's from local account (#5100)Eugen Rochko
2017-09-19Fix incomplete account records being read (#4998)Eugen Rochko
* Fix incomplete account records being read - Put account processing into redis lock - Do not save until record is complete * Fix spaces
2017-09-14Fix refollowing (#4931)ThibG
* Make RefollowWorker ActivityPub-only to avoid potential identifier mismatches * Don't call RefollowWorker on new accounts
2017-09-13Fix #4917 - Add missing suspend checks (#4921)Eugen Rochko
2017-09-12[WiP] Whenever a remote keypair changes, unfollow them and re-subscribe to ↵ThibG
… (#4907) * Whenever a remote keypair changes, unfollow them and re-subscribe to them In Mastodon (it could be different for other OStatus or AP-enabled software), a keypair change is indicative of whole user (or instance) data loss. In this situation, the “new” user might be different, and almost certainly has an empty followers list. In this case, Mastodon instances will disagree on follower lists, leading to unreliable delivery and “shadow followers”, that is users believed by a remote instance to be followers, without the affected user knowing. Drawbacks of this change are: 1. If an user legitimately changes public key for some reason without losing data (not possible in Mastodon at the moment), they will have their remote followers unsubscribed/re-subscribed needlessly. 2. Depending of the number of remote followers, this may generate quite some traffic. 3. If the user change is an attempt at usurpation, the remote followers will unknowingly follow the usurper. Note that this is *not* a change of behavior, Mastodon already behaves like that, although delivery might be unreliable, and the usurper would not have known the former user's followers. * Rename ResubscribeWorker to RefollowWorker * Process followers in batches
2017-09-09Add missing reject_media check before avatar download via ActivityPub (#4862)Eugen Rochko
2017-09-08Fetch statuses/following/followers numbers from ActivityPub collections (#4840)Eugen Rochko
2017-09-04Fix some ActivityPub JSON bugs (#4796)Eugen Rochko
- Fix assumption that `url` is always a string. Handle it if it's an array of strings, array of objects, object, or string, both for accounts and for objects - `sharedInbox` is actually supposed to be under `endpoints`, handle both cases and adjust the serializer
2017-09-02Rename "locked" to "manuallyApprovesFollowers" in ActivityPub (#4779)Eugen Rochko
See: <https://www.w3.org/wiki/Activity_Streams_extensions#as:manuallyApprovesFollowers>
2017-09-02Define missing JSON-LD properties (#4767)Eugen Rochko
Using _: property names is discouraged, as in the future, canonicalization may throw an error when encountering that instead of discarding it silently like it does now. We are defining some ActivityStreams properties which we expect to land in ActivityStreams eventually, to ensure that future versions of Mastodon will remain compatible with this even once that happens. Those would be `locked`, `sensitive` and `Hashtag` We are defining a custom context inline for some properties which we do not expect to land in any other context. `atomUri`, `inReplyToAtomUri` and `conversation` are part of the custom defined OStatus context.
2017-08-31Don't process ActivityPub payload if signature is invalid (#4752)unarist
* Don't process ActivityPub payload if signature is invalid * Fix style issue
2017-08-26Add handling of Linked Data Signatures in payloads (#4687)Eugen Rochko
* Add handling of Linked Data Signatures in payloads * Add a way to sign JSON, fix canonicalization of signature options * Fix signatureValue encoding, send out signed JSON when distributing * Add missing security context