Diffstat (limited to 'lib')
-rw-r--r--lib/pleroma/web/plugs/http_signature_plug.ex12
-rw-r--r--lib/pleroma/web/router.ex17
2 files changed, 25 insertions, 4 deletions
diff --git a/lib/pleroma/web/plugs/http_signature_plug.ex b/lib/pleroma/web/plugs/http_signature_plug.ex
index 67974599a..2e16212ce 100644
--- a/lib/pleroma/web/plugs/http_signature_plug.ex
+++ b/lib/pleroma/web/plugs/http_signature_plug.ex
@@ -19,8 +19,16 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
options
end
- def call(%{assigns: %{valid_signature: true}} = conn, _opts) do
- conn
+ def call(%{assigns: %{valid_signature: true}} = conn, _opts), do: conn
+
+ # skip for C2S requests from authenticated users
+ def call(%{assigns: %{user: %Pleroma.User{}}} = conn, _opts) do
+ if get_format(conn) in ["json", "activity+json"] do
+ # ensure access token is provided for 2FA
+ Pleroma.Web.Plugs.EnsureAuthenticatedPlug.call(conn, %{})
+ else
+ conn
+ end
end
def call(conn, _opts) do
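Review bot: The added `call/2` clause matching `%{assigns: %{user: %Pleroma.User{}}}` skips signature verification for any connection that already carries a user, so its safety depends entirely on which earlier plug set `:user`, and neither the clause nor its comment records that. On this path `:valid_signature` is never assigned, and the non-JSON branch returns the conn with no further check, so downstream code reading that assign must treat a missing key as unsigned (those consumers are not visible here). I would extend the comment, e.g. `# relies on :authenticate having run first; :valid_signature stays unset on this path`, and add plug tests for a user-bearing conn in both format branches. Calling `EnsureAuthenticatedPlug.call(conn, %{})` with a literal map also bypasses that plug's `init/1`; if its options ever become non-trivial, passing `EnsureAuthenticatedPlug.init(%{})` would be the safer argument. The fallback `call(conn, _opts)` clause continues outside the hunk.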
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 0423ca9e2..ad8529a30 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -907,17 +907,30 @@ defmodule Pleroma.Web.Router do
plug(:after_auth)
end
+ # AP interactions used by both S2S and C2S
+ pipeline :activitypub_server_or_client do
+ plug(:ap_service_actor)
+ plug(:fetch_session)
+ plug(:authenticate)
+ plug(:after_auth)
+ plug(:http_signature)
+ end
+
scope "/", Pleroma.Web.ActivityPub do
pipe_through([:activitypub_client])
get("/api/ap/whoami", ActivityPubController, :whoami)
get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
- get("/users/:nickname/outbox", ActivityPubController, :outbox)
post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
post("/api/ap/upload_media", ActivityPubController, :upload_media)
+ end
+
+ scope "/", Pleroma.Web.ActivityPub do
+ pipe_through([:activitypub_server_or_client])
+
+ get("/users/:nickname/outbox", ActivityPubController, :outbox)
- # The following two are S2S as well, see `ActivityPub.fetch_follow_information_for_user/1`:
get("/users/:nickname/followers", ActivityPubController, :followers)
get("/users/:nickname/following", ActivityPubController, :following)
get("/users/:nickname/collections/featured", ActivityPubController, :pinned)
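Review bot: The `:activitypub_server_or_client` pipeline only behaves as intended while `plug(:http_signature)` stays after `plug(:authenticate)`, presumably because the signature plug changed in the first file skips verification when `assigns.user` is set; that ordering constraint is not written down in the pipeline. I would add a comment above the last plug such as `# must run after :authenticate: the signature plug skips verification when a user is already assigned`. The four GET routes in the new scope (outbox, followers, following, featured) now accept either credential, so router tests should pin the expected result for a signed S2S request, a token-authenticated C2S request, and a request with neither. The outcome of that last case depends on the plug's fallback clause, which this diff does not show. The second scope's closing `end` lies outside the hunk.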