summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/pleroma/web/plugs/ap_client_api_enabled_plug.ex34
-rw-r--r--lib/pleroma/web/plugs/http_signature_plug.ex12
-rw-r--r--lib/pleroma/web/router.ex19
3 files changed, 61 insertions, 4 deletions
diff --git a/lib/pleroma/web/plugs/ap_client_api_enabled_plug.ex b/lib/pleroma/web/plugs/ap_client_api_enabled_plug.ex
new file mode 100644
index 000000000..6807673f9
--- /dev/null
+++ b/lib/pleroma/web/plugs/ap_client_api_enabled_plug.ex
@@ -0,0 +1,34 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2024 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Plugs.APClientApiEnabledPlug do
+ import Plug.Conn
+ import Phoenix.Controller, only: [text: 2]
+
+ @config_impl Application.compile_env(:pleroma, [__MODULE__, :config_impl], Pleroma.Config)
+ @enabled_path [:activitypub, :client_api_enabled]
+
+ def init(options \\ []), do: Map.new(options)
+
+ def call(conn, %{allow_server: true}) do
+ if @config_impl.get(@enabled_path, false) do
+ conn
+ else
+ conn
+ |> assign(:user, nil)
+ |> assign(:token, nil)
+ end
+ end
+
+ def call(conn, _) do
+ if @config_impl.get(@enabled_path, false) do
+ conn
+ else
+ conn
+ |> put_status(:forbidden)
+ |> text("C2S not enabled")
+ |> halt()
+ end
+ end
+end
diff --git a/lib/pleroma/web/plugs/http_signature_plug.ex b/lib/pleroma/web/plugs/http_signature_plug.ex
index 67974599a..2e16212ce 100644
--- a/lib/pleroma/web/plugs/http_signature_plug.ex
+++ b/lib/pleroma/web/plugs/http_signature_plug.ex
@@ -19,8 +19,16 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
options
end
- def call(%{assigns: %{valid_signature: true}} = conn, _opts) do
- conn
+ def call(%{assigns: %{valid_signature: true}} = conn, _opts), do: conn
+
+ # skip for C2S requests from authenticated users
+ def call(%{assigns: %{user: %Pleroma.User{}}} = conn, _opts) do
+ if get_format(conn) in ["json", "activity+json"] do
+ # ensure access token is provided for 2FA
+ Pleroma.Web.Plugs.EnsureAuthenticatedPlug.call(conn, %{})
+ else
+ conn
+ end
end
def call(conn, _opts) do
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 0423ca9e2..d78a6aef4 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -902,22 +902,37 @@ defmodule Pleroma.Web.Router do
# Client to Server (C2S) AP interactions
pipeline :activitypub_client do
plug(:ap_service_actor)
+ plug(Pleroma.Web.Plugs.APClientApiEnabledPlug)
plug(:fetch_session)
plug(:authenticate)
plug(:after_auth)
end
+ # AP interactions used by both S2S and C2S
+ pipeline :activitypub_server_or_client do
+ plug(:ap_service_actor)
+ plug(:fetch_session)
+ plug(:authenticate)
+ plug(Pleroma.Web.Plugs.APClientApiEnabledPlug, allow_server: true)
+ plug(:after_auth)
+ plug(:http_signature)
+ end
+
scope "/", Pleroma.Web.ActivityPub do
pipe_through([:activitypub_client])
get("/api/ap/whoami", ActivityPubController, :whoami)
get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
- get("/users/:nickname/outbox", ActivityPubController, :outbox)
post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
post("/api/ap/upload_media", ActivityPubController, :upload_media)
+ end
+
+ scope "/", Pleroma.Web.ActivityPub do
+ pipe_through([:activitypub_server_or_client])
+
+ get("/users/:nickname/outbox", ActivityPubController, :outbox)
- # The following two are S2S as well, see `ActivityPub.fetch_follow_information_for_user/1`:
get("/users/:nickname/followers", ActivityPubController, :followers)
get("/users/:nickname/following", ActivityPubController, :following)
get("/users/:nickname/collections/featured", ActivityPubController, :pinned)
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-24 22:48:42 +0000