2 files changed, 44 insertions, 15 deletions

diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index fc7972eaf..d23c54933 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -165,9 +165,29 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
     end
   end
 
+  def handle_user_activity(user, %{"type" => "Create"} = params) do
+    object =
+      params["object"]
+      |> Map.merge(Map.take(params, ["to", "cc"]))
+      |> Map.put("attributedTo", user.ap_id())
+      |> Transmogrifier.fix_object()
+
+    ActivityPub.create(%{
+      to: params["to"],
+      actor: user,
+      context: object["context"],
+      object: object,
+      additional: Map.take(params, ["cc"])
+    })
+  end
+
+  def handle_user_activity(_, _) do
+    {:error, "Unhandled activity type"}
+  end
+
   def update_outbox(
         %{assigns: %{user: user}} = conn,
-        %{"nickname" => nickname, "type" => "Create"} = params
+        %{"nickname" => nickname} = params
       ) do
     if nickname == user.nickname do
       actor = user.ap_id()
@@ -178,24 +198,16 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
         |> Map.put("actor", actor)
         |> Transmogrifier.fix_addressing()
 
-      object =
-        params["object"]
-        |> Map.merge(Map.take(params, ["to", "cc"]))
-        |> Map.put("attributedTo", actor)
-        |> Transmogrifier.fix_object()
-
-      with {:ok, %Activity{} = activity} <-
-             ActivityPub.create(%{
-               to: params["to"],
-               actor: user,
-               context: object["context"],
-               object: object,
-               additional: Map.take(params, ["cc"])
-             }) do
+      with {:ok, %Activity{} = activity} <- handle_user_activity(user, params) do
         conn
         |> put_status(:created)
         |> put_resp_header("location", activity.data["id"])
         |> json(activity.data)
+      else
+        {:error, message} ->
+          conn
+          |> put_status(:bad_request)
+          |> json(message)
       end
     else
       conn
diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs
index cb95e0e09..77dc96617 100644
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -192,6 +192,23 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       result = json_response(conn, 201)
       assert Activity.get_by_ap_id(result["id"])
     end
+
+    test "it rejects an incoming activity with bogus type", %{conn: conn} do
+      data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+      user = insert(:user)
+
+      data =
+        data
+        |> Map.put("type", "BadType")
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/outbox", data)
+
+      assert json_response(conn, 400)
+    end
   end
 
   describe "/users/:nickname/followers" do