normalize AP IDs during verification

This commit is contained in:
Hazelnoot 2024-11-23 19:42:10 -05:00
parent b0420c948c
commit 1fb1875ac3
2 changed files with 42 additions and 35 deletions

View file

@ -2,26 +2,29 @@
* SPDX-FileCopyrightText: dakkar and sharkey-project * SPDX-FileCopyrightText: dakkar and sharkey-project
* SPDX-License-Identifier: AGPL-3.0-only * SPDX-License-Identifier: AGPL-3.0-only
*/ */
import type { IObject } from '../type.js'; import type { IObject } from '../type.js';
function getHrefFrom(one: IObject|string): string | undefined { function getHrefsFrom(one: IObject | string | undefined | (IObject | string | undefined)[]): (string | undefined)[] {
if (typeof(one) === 'string') return one; if (Array.isArray(one)) {
return one.href; return one.flatMap(h => getHrefsFrom(h));
}
return [
typeof(one) === 'object' ? one.href : one,
];
} }
export function assertActivityMatchesUrls(activity: IObject, urls: string[]) { export function assertActivityMatchesUrls(activity: IObject, urls: string[]) {
const idOk = activity.id !== undefined && urls.includes(activity.id); const expectedUrls = new Set(urls
if (idOk) return; .filter(u => URL.canParse(u))
.map(u => new URL(u).href),
);
const url = activity.url; const actualUrls = [activity.id, ...getHrefsFrom(activity.url)]
if (url) { .filter(u => u && URL.canParse(u))
// `activity.url` can be an `ApObject = IObject | string | (IObject .map(u => new URL(u as string).href);
// | string)[]`, we have to look inside it
const activityUrls = Array.isArray(url) ? url.map(getHrefFrom) : [getHrefFrom(url)];
const goodUrl = activityUrls.find(u => u && urls.includes(u));
if (goodUrl) return; if (!actualUrls.some(u => expectedUrls.has(u))) {
throw new Error(`bad Activity: neither id(${activity.id}) nor url(${JSON.stringify(activity.url)}) match location(${urls})`);
} }
throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${JSON.stringify(activity?.url)}) match location(${urls})`);
} }

View file

@ -3,49 +3,53 @@
* SPDX-License-Identifier: AGPL-3.0-only * SPDX-License-Identifier: AGPL-3.0-only
*/ */
import type { IObject } from '@/core/activitypub/type.js';
import { describe, expect, test } from '@jest/globals'; import { describe, expect, test } from '@jest/globals';
import type { IObject } from '@/core/activitypub/type.js';
import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js'; import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
function assertOne(activity: IObject) { function assertOne(activity: IObject, good = 'http://good') {
// return a function so we can use `.toThrow` // return a function so we can use `.toThrow`
return () => assertActivityMatchesUrls(activity, ['good']); return () => assertActivityMatchesUrls(activity, [good]);
} }
describe('assertActivityMatchesUrls', () => { describe('assertActivityMatchesUrls', () => {
it('should throw when no ids are URLs', () => {
expect(assertOne({ type: 'Test', id: 'bad' }, 'bad')).toThrow(/bad Activity/);
});
test('id', () => { test('id', () => {
expect(assertOne({ type: 'Test', id: 'bad' })).toThrow(/bad Activity/); expect(assertOne({ type: 'Test', id: 'http://bad' })).toThrow(/bad Activity/);
expect(assertOne({ type: 'Test', id: 'good' })).not.toThrow(); expect(assertOne({ type: 'Test', id: 'http://good' })).not.toThrow();
}); });
test('simple url', () => { test('simple url', () => {
expect(assertOne({ type: 'Test', url: 'bad' })).toThrow(/bad Activity/); expect(assertOne({ type: 'Test', url: 'http://bad' })).toThrow(/bad Activity/);
expect(assertOne({ type: 'Test', url: 'good' })).not.toThrow(); expect(assertOne({ type: 'Test', url: 'http://good' })).not.toThrow();
}); });
test('array of urls', () => { test('array of urls', () => {
expect(assertOne({ type: 'Test', url: ['bad'] })).toThrow(/bad Activity/); expect(assertOne({ type: 'Test', url: ['http://bad'] })).toThrow(/bad Activity/);
expect(assertOne({ type: 'Test', url: ['bad', 'other'] })).toThrow(/bad Activity/); expect(assertOne({ type: 'Test', url: ['http://bad', 'http://other'] })).toThrow(/bad Activity/);
expect(assertOne({ type: 'Test', url: ['good'] })).not.toThrow(); expect(assertOne({ type: 'Test', url: ['http://good'] })).not.toThrow();
expect(assertOne({ type: 'Test', url: ['bad', 'good'] })).not.toThrow(); expect(assertOne({ type: 'Test', url: ['http://bad', 'http://good'] })).not.toThrow();
}); });
test('array of objects', () => { test('array of objects', () => {
expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'bad' }] })).toThrow(/bad Activity/); expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://bad' }] })).toThrow(/bad Activity/);
expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'bad' }, { type: 'Test', href: 'other' }] })).toThrow(/bad Activity/); expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://bad' }, { type: 'Test', href: 'http://other' }] })).toThrow(/bad Activity/);
expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'good' }] })).not.toThrow(); expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://good' }] })).not.toThrow();
expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'bad' }, { type: 'Test', href: 'good' }] })).not.toThrow(); expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://bad' }, { type: 'Test', href: 'http://good' }] })).not.toThrow();
}); });
test('mixed array', () => { test('mixed array', () => {
expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'bad' }, 'other'] })).toThrow(/bad Activity/); expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://bad' }, 'http://other'] })).toThrow(/bad Activity/);
expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'bad' }, 'good'] })).not.toThrow(); expect(assertOne({ type: 'Test', url: [{ type: 'Test', href: 'http://bad' }, 'http://good'] })).not.toThrow();
expect(assertOne({ type: 'Test', url: ['bad', { type: 'Test', href: 'good' }] })).not.toThrow(); expect(assertOne({ type: 'Test', url: ['http://bad', { type: 'Test', href: 'http://good' }] })).not.toThrow();
}); });
test('id and url', () => { test('id and url', () => {
expect(assertOne({ type: 'Test', id: 'other', url: 'bad' })).toThrow(/bad Activity/); expect(assertOne({ type: 'Test', id: 'http://other', url: 'http://bad' })).toThrow(/bad Activity/);
expect(assertOne({ type: 'Test', id: 'bad', url: 'good' })).not.toThrow(); expect(assertOne({ type: 'Test', id: 'http://bad', url: 'http://good' })).not.toThrow();
expect(assertOne({ type: 'Test', id: 'good', url: 'bad' })).not.toThrow(); expect(assertOne({ type: 'Test', id: 'http://good', url: 'http://bad' })).not.toThrow();
}); });
}); });