From 88518c5a4fa4fa9d841bb0d1c8add9fa2234530c Mon Sep 17 00:00:00 2001
From: pdp8
Date: Wed, 20 Dec 2023 11:20:50 +0100
Subject: follow, announce, delete fixed
---
 server.rb | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)
(limited to 'server.rb')
diff --git a/server.rb b/server.rb
index c083cb1..94729cc 100644
--- a/server.rb
+++ b/server.rb
@@ -8,8 +8,6 @@ post '/inbox' do
 p e, @body
 halt 400
 end
- # deleted actors return 403 => verification error
- halt 200 if @activity['type'] == 'Delete' and @activity['actor'] == @activity['object']
 verify!
 handle_activity
 200
@@ -104,7 +102,7 @@ helpers do
 if @activity['object']['type'] == 'Follow'
 update_collection FOLLOWING, @activity['object']['object']
 else
- p "Cannot accept @activity['object']['type']"
+ p "Error: Cannot accept @activity['object']['type']"
 jj @activity
 halt 501
 end
@@ -116,23 +114,22 @@ helpers do
 update_collection FOLLOWERS, @activity['object']['actor'], 'delete'
 when 'Create', 'Announce'
 file, object = find_object @activity['object']['object']
- FileUtils.rm(file) if file and File.exist? file
+ FileUtils.rm(file) if file and File.exist? file and @activity['actor'] == object['attributedTo']
 else
- p "Cannot undo @activity['object']['type']"
+ p "Error: Cannot undo @activity['object']['type']"
 jj @activity
 halt 501
 end
 end
 def update
- file, object = find_object(@activity['object']['id'])
- FileUtils.rm(file) if file and File.exist? file
+ delete
 create
 end
 def delete
 file, object = find_object(@activity['object']['id'])
- FileUtils.rm(file) if file and File.exist? file
+ FileUtils.rm(file) if file and File.exist? file and @activity['actor'] == object['attributedTo']
 end
 def move
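Review bot: The changed log line `p "Error: Cannot accept @activity['object']['type']"` still prints the literal text `@activity['object']['type']`, because the string has no `#{}` interpolation, so the log never shows which type was rejected. The same applies to `p "Error: Cannot undo @activity['object']['type']"` in the following hunk. Use `p "Error: Cannot accept #{@activity['object']['type']}"` and the `undo` equivalent; `p` prints through `inspect`, so control characters in the remote-supplied value stay escaped in the log. The enclosing method starts outside the hunk.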
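Review bot: The new ownership test `@activity['actor'] == object['attributedTo']` in `delete` and in the `'Create', 'Announce'` branch of `undo` compares against the `actor` field of the request body, while the visible part of `verify!` resolves the signer from the signature's key id (`actor = fetch key_id`). If nothing outside these hunks checks that the verified key belongs to `@activity['actor']`, the test does not authenticate the owner; a guard in `verify!` such as `halt 403 unless actor['id'] == @activity['actor']` would bind the two. Separately, `update` now runs `delete` and then `create` unconditionally, so an Update whose actor fails the ownership test skips the removal but still reaches `create` (defined outside the hunk); consider `halt 403` on a mismatch instead of silently skipping. `undo` starts above the hunk.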
@@ -141,12 +138,12 @@ helpers do
 def handle_activity
 type = @activity['type'].downcase.to_sym
- save_item @activity, File.join(INBOX[:dir], @activity['type'].downcase, activity_name)
+ # save_item @activity, File.join(INBOX[:dir], @activity['type'].downcase, activity_name)
 if ACTIVITIES.include? type
 send(type)
 else
 unless %w[Add Remove].include? @activity['type']
- p "Unknown activity #{type}:"
+ p "Error: Unknown activity #{type}:"
 jj @activity
 end
 end
@@ -188,11 +185,13 @@ helpers do
 # https://github.com/mastodon/mastodon/blob/main/app/controllers/concerns/signature_verification.rb
 def verify!
+ # deleted actors return 403 => verification error
+ halt 200 if @activity['type'] == 'Delete' and @activity['actor'] == @activity['object']
 # digest
 sha256 = OpenSSL::Digest.new('SHA256')
 digest = "SHA-256=#{sha256.base64digest(@body)}"
 unless digest == request.env['HTTP_DIGEST']
- p 'invalid digest'
+ p 'Error: Invalid digest'
 p @body
 halt 403
 end
@@ -210,7 +209,7 @@ helpers do
 actor = fetch key_id
 unless actor
- p 'no actor'
+ p 'Error: No actor'
 jj @activity
 halt 403
 end
@@ -231,13 +230,10 @@ helpers do
 return if key.verify(OpenSSL::Digest.new('SHA256'), signature, comparison)
- p 'verification failed'
+ p 'Error: Verification failed'
 jj signature_params
 jj request.env.select { |k, _v| k.start_with? 'HTTP_' }.to_h
- # jj actor['publicKey']
- # p signature
 puts comparison
- # jj @activity
 halt 403
 end
 end
--
cgit v1.2.3
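Review bot: Commenting out `save_item` in `handle_activity` leaves dead code and, as far as this hunk shows, stops persisting received activities, so a file removed by `delete` or `undo` can no longer be traced back to the activity that triggered it. Either delete the line or keep a deliberate record, and state the decision in a comment such as `# inbox activities are not stored; removals are logged where they happen`. `handle_activity` continues past the end of the hunk.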
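Review bot: The `halt 200` added at the top of `verify!` returns before the digest and signature checks, so `verify!` now contains a path on which an unauthenticated request is acknowledged, and the comment `# deleted actors return 403 => verification error` does not say that. This is safe only while nothing is processed on that path, and it applies only when `object` is a bare actor URI (a Delete whose `object` is a Hash falls through to normal verification). I would spell it out: `# Self-delete of an actor: its key can no longer be fetched (403), so the request cannot be verified. Acknowledge with 200 and change no state.` The rest of `verify!` lies between this hunk and the next two.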