about summary refs log tree commit diff
path: root/app/services/activitypub
AgeCommit message (Collapse)Author
2021-01-10Optimize map { ... }.compact calls (#15513)luigi
* Optimize map { ... }.compact using Enumerable#filter_map, supported since Ruby 2.7 * Add poyfill for Enumerable#filter_map
2020-12-18Fix resolving accounts sometimes creating duplicate records for a given AP ↵ThibG
id (#15364) * Fix ResolveAccountService accepting mismatching acct: URI * Set attributes that should be updated regardless of suspension * Fix key fetching * Automatically merge remote accounts with duplicate `uri` * Add tests * Add "tootctl accounts fix-duplicates" Finds duplicate accounts sharing a same ActivityPub `id`, re-fetch them and merge them under the canonical `acct:` URI. Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-11-08Add support for reversible suspensions through ActivityPub (#14989)Eugen Rochko
2020-10-23Fix account processing failing because of large collections (#15027)ThibG
Fixes #15025
2020-10-21Add follower synchronization mechanism (#14510)ThibG
* Add support for followers synchronization on the receiving end Check the `collectionSynchronization` attribute on `Create` and `Announce` activities and synchronize followers from provided collection if possible. * Add tests for followers synchronization on the receiving end * Add support for follower synchronization on the sender's end * Add tests for the sending end * Switch from AS attributes to HTTP header Replace the custom `collectionSynchronization` ActivityStreams attribute by an HTTP header (`X-AS-Collection-Synchronization`) with the same syntax as the `Signature` header and the following fields: - `collectionId` to specify which collection to synchronize - `digest` for the SHA256 hex-digest of the list of followers known on the receiving instance (where “receiving instance” is determined by accounts sharing the same host name for their ActivityPub actor `id`) - `url` of a collection that should be fetched by the instance actor Internally, move away from the webfinger-based `domain` attribute and use account `uri` prefix to group accounts. * Add environment variable to disable followers synchronization Since the whole mechanism relies on some new preconditions that, in some extremely rare cases, might not be met, add an environment variable (DISABLE_FOLLOWERS_SYNCHRONIZATION) to disable the mechanism altogether and avoid followers being incorrectly removed. The current conditions are: 1. all managed accounts' actor `id` and inbox URL have the same URI scheme and netloc. 2. all accounts whose actor `id` or inbox URL share the same URI scheme and netloc as a managed account must be managed by the same Mastodon instance as well. As far as Mastodon is concerned, breaking those preconditions require extensive configuration changes in the reverse proxy and might also cause other issues. Therefore, this environment variable provides a way out for people with highly unusual configurations, and can be safely ignored for the overwhelming majority of Mastodon administrators. * Only set follower synchronization header on non-public statuses This is to avoid unnecessary computations and allow Follow-related activities to be handled by the usual codepath instead of going through the synchronization mechanism (otherwise, any Follow/Undo/Accept activity would trigger the synchronization mechanism even if processing the activity itself would be enough to re-introduce synchronization) * Change how ActivityPub::SynchronizeFollowersService handles follow requests If the remote lists a local follower which we only know has sent a follow request, consider the follow request as accepted instead of sending an Undo. * Integrate review feeback - rename X-AS-Collection-Synchronization to Collection-Synchronization - various minor refactoring and code style changes * Only select required fields when computing followers_hash * Use actor URI rather than webfinger domain in synchronization endpoint * Change hash computation to be a XOR of individual hashes Makes it much easier to be memory-efficient, and avoid sorting discrepancy issues. * Marginally improve followers_hash computation speed * Further improve hash computation performances by using pluck_each
2020-10-08Remove dependency on goldfinger gem (#14919)Eugen Rochko
There are edge cases where requests to certain hosts timeout when using the vanilla HTTP.rb gem, which the goldfinger gem uses. Now that we no longer need to support OStatus servers, webfinger logic is so simple that there is no point encapsulating it in a gem, so we can just use our own Request class. With that, we benefit from more robust timeout code and IPv4/IPv6 resolution. Fix #14091
2020-06-29Add customizable thumbnails for audio and video attachments (#14145)Eugen Rochko
- Change audio files to not be stripped of metadata - Automatically extract cover art from audio if it exists - Add `thumbnail` parameter to `POST /api/v1/media`, `POST /api/v2/media` and `PUT /api/v1/media/:id` - Add `icon` to represent it in attachments in ActivityPub - Fix `preview_url` containing URL of missing missing image when there is no thumbnail instead of null - Fix duration of audio not being displayed on public pages until the file is loaded
2020-06-02Add E2EE API (#13820)Eugen Rochko
2020-05-10Refactor monkey-patching of Goldfinger (#12561)Eugen Rochko
2020-03-09Add federation support for the "hide network" preference (#11673)ThibG
* Change ActivityPub follower/following collections to not link first page * Add support for hiding followers and following of remote users * Switch to using a single `hide_collections` column * Address code style remarks
2020-02-24Fix duplicate accounts being created when fetching an account for its key ↵ThibG
only (#13147) Fixes #13136 When a user's canonical acct domain is different from its id's domain (WEB_DOMAIN ≠ LOCAL_DOMAIN), two webfinger queries are required to find the canonical domain from the URI. However, we skip webfinger queries when updating only the key of a remote user, which led to the creation of a duplicate account, using the URI's domain instead of the canonical acct: one.
2020-01-11Clarify keyword arguments with ** (#12769)Daigo 3 Dango
This change is to suppress the warning below on on ruby-2.7.0: - warning: Using the last argument as keyword parameters is deprecated; maybe ** should be added to the call https://www.ruby-lang.org/en/news/2019/12/12/separation-of-positional-and-keyword-arguments-in-ruby-3-0/
2019-11-26Fix empty poll options not being filtered on remote poll update (#12484)ThibG
If a poll contains empty options (which is apparently possible on Pleroma), it is created without them. However, the poll update code doesn't filter empty options, and thus: 1. Clear known votes, as it assumes the set of options has changed 2. Errors out because it tries adding empty options, which fails validation This commit fixes that by filtering them out the same way they are filtered out at poll creation time.
2019-09-29Add voters count support (#11917)ThibG
* Add voters count to polls * Add ActivityPub serialization and parsing of voters count * Add support for voters count in WebUI * Move incrementation of voters count out of redis lock * Reword “voters” to “people”
2019-08-30Add profile directory to web UI (#11688)Eugen Rochko
* Add profile directory to web UI * Add a line of bio to the directory
2019-07-10Refactor fetching of remote resources (#11251)Eugen Rochko
2019-07-09Refactor domain block checks (#11268)Eugen Rochko
2019-07-01Change domain block behaviour to prevent creation of accounts from suspended ↵Eugen Rochko
domains (#11219)
2019-06-22Change domain blocks to automatically support subdomains (#11138)Eugen Rochko
* Change domain blocks to automatically support subdomains If a more authoritative domain is blocked (example.com), then the same block will be applied to a subdomain (foo.example.com) * Match subdomains of existing accounts when blocking/unblocking domains * Improve code style
2019-05-14Record account suspend/silence time and keep track of domain blocks (#10660)ThibG
* Record account suspend/silence time and keep track of domain blocks * Also unblock users who were suspended/silenced before dates were recorded * Add tests * Keep track of suspending date for users suspended through the CLI * Show accurate number of accounts that would be affected by unsuspending an instance * Change migration to set silenced_at and suspended_at * Revert "Also unblock users who were suspended/silenced before dates were recorded" This reverts commit a015c65d2d1e28c7b7cfab8b3f8cd5fb48b8b71c. * Switch from using suspended and silenced to suspended_at and silenced_at * Add post-deployment migration script to remove `suspended` and `silenced` columns * Use Account#silence! and Account#suspend! instead of updating the underlying property * Add silenced_at and suspended_at migration to post-migration * Change account fabricator to translate suspended and silenced attributes * Minor fixes * Make unblocking domains always retroactive
2019-03-30Add ActivityPub representation for identity proofs (#10414)Eugen Rochko
* Add ActivityPub representation for identity proofs * Add tests
2019-03-21Fix processing poll Updates (#10333)ThibG
ActivityPub::ProcessPollService was checking the JSON-LD context although it was passed only the `Question` object embedded in the `Update` activity.
2019-03-12Fix poll update handler calling method was that was not available (#10246)Eugen Rochko
* Fix poll update handler calling method was that was not available Fix regression from #10209 * Refactor VoteService * Refactor ActivityPub::DistributePollUpdateWorker and optimize it * Fix typo * Fix typo
2019-03-11Support pushing and receiving updates to poll tallies (#10209)ThibG
* Process incoming poll tallies update * Send Update on poll vote * Do not send Updates for a poll more often than once every 3 minutes * Include voters in people to notify of results update * Schedule closing poll worker on poll creation * Add new notification type for ending polls * Add front-end support for ended poll notifications * Fix UpdatePollSerializer * Fix Updates not being triggered by local votes * Fix tests failure * Fix web push notifications for closing polls * Minor cleanup * Notify voters of both remote and local polls when those close * Fix delivery of poll updates to mentioned accounts and voters
2019-03-07Handle StaleObjectError when retrieving polls (#10208)ThibG
2019-03-05Do not error out on unsalvageable errors in FetchRepliesService (#10175)ThibG
* Do not error out on unsalvageable errors in FetchRepliesService Fixes #10152 * Fix FetchRepliesWorker erroring out on deleted statuses
2019-03-05Fix last_fetched_at not being set on polls (#10170)Eugen Rochko
2019-03-04Fix another typo in ActivityPub::FetchRemotePollService (#10146)Eugen Rochko
2019-03-04Fix typo in ActivityPub::FetchRemotePollService (#10145)Eugen Rochko
2019-03-04Fix remote poll expiration time (#10144)Eugen Rochko
2019-03-04Make sure the poll is created before storing its id (#10142)ThibG
* Make sure the poll is created before storing its id * Fix updating poll results * Support fetching Question activities from the search bar
2019-03-03Add polls (#10111)Eugen Rochko
* Add polls Fix #1629 * Add tests * Fixes * Change API for creating polls * Use name instead of content for votes * Remove poll validation for remote polls * Add polls to public pages * When updating the poll, update options just in case they were changed * Fix public pages showing both poll and other media
2019-02-28Improved remote thread fetching (#10106)ThibG
* Fetch up to 5 replies when discovering a new remote status This is used for resolving threads downwards. The originating server must add a “replies” attributes with such replies for it to be useful. * Add some tests for ActivityPub::FetchRepliesWorker * Add specs for ActivityPub::FetchRepliesService * Serialize up to 5 public self-replies for ActivityPub notes * Add specs for ActivityPub::NoteSerializer * Move exponential backoff logic to a worker concern * Fetch first page of paginated collections when fetching thread replies * Add specs for paginated collections in replies * Move Note replies serialization to a first CollectionPage The collection isn't actually paginable yet as it has no id nor a `next` field. This may come in another PR. * Use pluck(:uri) instead of map(&:uri) to improve performances * Fix fetching replies when they are in a CollectionPage
2019-02-13Filter incoming Create activities by relation to local activity (#10005)Eugen Rochko
Reject those from accounts with no local followers, from relays that are not enabled, which do not address local accounts and are not replies to accounts that do have local followers
2019-02-06Fix Tombstone.delete_all ArgumentError (#9978)abcang
2019-01-18Add tombstones for remote statuses (#9830)ThibG
* Add Tombstone model to remember object deletion * Do not recreate a status if it has been deleted * Record Tombstone for remote deleted items Also, only record deleted items from same-host actors * Clear an user's tombstones when their key change
2019-01-07Improvements to signature verification (#9667)ThibG
* Refactor signature verification a bit * Rescue signature verification if recorded public key is invalid Fixes #8822 * Always re-fetch AP signing key when HTTP Signature verification fails But when the account is not marked as stale, avoid fetching collections and media, and avoid webfinger round-trip. * Apply stoplight to key/account update as well as initial key retrieval
2018-12-30Reduce usage of LD signatures (#9659)ThibG
* Do not LDS-sign Follow, Accept, Reject, Undo, Block * Do not use LDS for Create activities of private toots * Minor cleanup * Ignore unsigned activities instead of misattributing them * Use status.distributable? instead of querying visibility directly
2018-12-29Add handler for Move activity (#9629)Eugen Rochko
2018-11-10Fix emoji update date processing (#9255)ThibG
2018-10-26Add locality check to ActivityPub::FetchRemoteAccountService (#9109)Eugen Rochko
* Add locality check to ActivityPub::FetchRemoteAccountService Fix #8643 Because there are a few places where it is called, it is difficult to confirm if they all previously checked it for locality. It's better to make sure within the service. * Remove faux-remote duplicates of local accounts
2018-09-18Redesign forms, verify link ownership with rel="me" (#8703)Eugen Rochko
* Verify link ownership with rel="me" * Add explanation about verification to UI * Perform link verifications * Add click-to-copy widget for verification HTML * Redesign edit profile page * Redesign forms * Improve responsive design of settings pages * Restore landing page sign-up form * Fix typo * Support <link> tags, add spec * Fix links not being verified on first discovery and passive updates
2018-08-26Add CLI task for rotating keys (#8466)Eugen Rochko
* If an Update is signed with known key, skip re-following procedure Because it means the remote actor did *not* lose their database * Add CLI method for rotating keys bin/tootctl accounts rotate [USERNAME] Generates a new RSA key per account and sends out an Update activity signed with the old key. * Key rotation: Space out Update fan-outs every 5 minutes per 1000 accounts * Skip suspended accounts in key rotation
2018-08-23Do not crash if remote custom emoji does not define updated date (fixes ↵ThibG
#8376) (#8377)
2018-08-22Improve federated ID validation (#8372)Eugen Rochko
* Fix URI not being sufficiently validated with prefetched JSON * Add additional id validation to OStatus documents, when possible
2018-07-28Prevent ActivityPub movedTo recursion (#8092)Eugen Rochko
Fix #8051
2018-05-16Raise Mastodon::RaceConditionError if Redis lock failed (#7511)Akihiko Odaki
An explicit error allows user agents to know the error and Sidekiq to retry.
2018-05-14Fix account URI when updating ActivityPub account (#7488)Wiktor
Updates account `uri` field on each call to `update_account` instead of only once during `create_account` to mirror the same behavior in OStatus `ResolveAccountService` class [0]. ActivityPub accounts are identified using `@username` and `@domain` pair instead of URI since #6842. This fixes #7479: a bug when the account identified by `@username` and `@domain` changes its URI. [0]: https://github.com/tootsuite/mastodon/blob/03b69ebc450efc07246bd64204276941b7ede3fc/app/services/resolve_account_service.rb#L121
2018-05-12Fetch boosted statuses on behalf of a follower (fixes #7426) (#7459)ThibG
When an ActivityPub Announce is processed and the boosted toot is not known, fetch it on behalf of one of the booster's followers. This is to allow fetching self-boosts of previously-unknown private toots. If fetching on behalf of a user fails, try fetching it anonymously: the selected follower of a boosting user may be banned by the boosted toot's author.
2018-05-08Take the first recognized actor_type. (#7410)Surinna Curtis