merge: try to honour user blocks on AP requests - #248 (!456)

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/456

packages/backend/src/server/ActivityPubServerService.ts

@@ -31,6 +31,7 @@ import type { MiNote } from '@/models/Note.js';
 import { QueryService } from '@/core/QueryService.js';
 import { UtilityService } from '@/core/UtilityService.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
+import { UserBlockingService } from '@/core/UserBlockingService.js';
 import { bindThis } from '@/decorators.js';
 import { IActivity } from '@/core/activitypub/type.js';
 import { isPureRenote } from '@/misc/is-pure-renote.js';
@@ -78,6 +79,7 @@ export class ActivityPubServerService {
 		private metaService: MetaService,
 		private utilityService: UtilityService,
 		private userEntityService: UserEntityService,
+		private userBlockingService: UserBlockingService,
 		private instanceActorService: InstanceActorService,
 		private apRendererService: ApRendererService,
 		private apDbResolverService: ApDbResolverService,
@@ -206,6 +208,17 @@ export class ActivityPubServerService {
 			return true;
 		}
 
+		if (userId) {
+			/* this check is not really effective, because most requests we
+				 get are signed by the remote instance user, not the user
+				 who's requesting the information 😭 */
+			const blocked = await this.userBlockingService.checkBlocked(userId, authUser.user.id);
+			if (blocked) {
+				reply.code(401);
+				return true;
+			}
+		}
+
 		let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
 
 		if (!httpSignatureValidated) {
@@ -706,6 +719,8 @@ export class ActivityPubServerService {
 				return;
 			}
 
+			if (await this.shouldRefuseGetRequest(request, reply, note.userId)) return;
+
 			// リモートだったらリダイレクト
 			if (note.userHost != null) {
 				if (note.uri == null || this.utilityService.isSelfHost(note.userHost)) {
@@ -739,6 +754,8 @@ export class ActivityPubServerService {
 				return;
 			}
 
+			if (await this.shouldRefuseGetRequest(request, reply, note.userId)) return;
+
 			if (!this.config.checkActivityPubGetSignature) reply.header('Cache-Control', 'public, max-age=180');
 			this.setResponseType(request, reply);
 			return (this.apRendererService.addContext(await this.packActivity(note)));
@@ -861,6 +878,8 @@ export class ActivityPubServerService {
 				return;
 			}
 
+			if (await this.shouldRefuseGetRequest(request, reply, note.userId)) return;
+
 			if (!this.config.checkActivityPubGetSignature) reply.header('Cache-Control', 'public, max-age=180');
 			this.setResponseType(request, reply);
 			return (this.apRendererService.addContext(await this.apRendererService.renderLike(reaction, note)));
@@ -868,7 +887,7 @@ export class ActivityPubServerService {
 
 		// follow
 		fastify.get<{ Params: { follower: string; followee: string; } }>('/follows/:follower/:followee', async (request, reply) => {
-			if (await this.shouldRefuseGetRequest(request, reply)) return;
+			if (await this.shouldRefuseGetRequest(request, reply, request.params.follwer)) return;
 
 			// This may be used before the follow is completed, so we do not
 			// check if the following exists.
@@ -910,6 +929,8 @@ export class ActivityPubServerService {
 				return;
 			}
 
+			if (await this.shouldRefuseGetRequest(request, reply, followRequest.followerId)) return;
+
 			const [follower, followee] = await Promise.all([
 				this.usersRepository.findOneBy({
 					id: followRequest.followerId,

packages/frontend/src/components/MkNotes.vue

@@ -55,8 +55,6 @@ import { i18n } from '@/i18n.js';
 import { infoImageUrl } from '@/instance.js';
 import { defaultStore } from '@/store.js';
 
-console.log(defaultStore.state.noteDesign, defaultStore.state.noteDesign === 'sharkey');
-
 const props = defineProps<{
 	pagination: Paging;
 	noGap?: boolean;

packages/frontend/src/pages/favorites.vue

@@ -16,9 +16,14 @@ SPDX-License-Identifier: AGPL-3.0-only
 			</template>
 
 			<template #default="{ items }">
-				<MkDateSeparatedList v-slot="{ item }" :items="items" :direction="'down'" :noGap="false" :ad="false">
+				<MkDateSeparatedList v-if="defaultStore.state.noteDesign === 'misskey'"
+					v-slot="{ item }" :items="items" :direction="'down'" :noGap="false" :ad="false">
 					<MkNote :key="item.id" :note="item.note" :class="$style.note"/>
 				</MkDateSeparatedList>
+				<MkDateSeparatedList v-if="defaultStore.state.noteDesign === 'sharkey'"
+					v-slot="{ item }" :items="items" :direction="'down'" :noGap="false" :ad="false">
+					<SkNote :key="item.id" :note="item.note" :class="$style.note"/>
+				</MkDateSeparatedList>
 			</template>
 		</MkPagination>
 	</MkSpacer>
@@ -28,10 +33,12 @@ SPDX-License-Identifier: AGPL-3.0-only
 <script lang="ts" setup>
 import MkPagination from '@/components/MkPagination.vue';
 import MkNote from '@/components/MkNote.vue';
+import SkNote from '@/components/SkNote.vue';
 import MkDateSeparatedList from '@/components/MkDateSeparatedList.vue';
 import { i18n } from '@/i18n.js';
 import { definePageMetadata } from '@/scripts/page-metadata.js';
 import { infoImageUrl } from '@/instance.js';
+import { defaultStore } from '@/store.js';
 
 const pagination = {
 	endpoint: 'i/favorites' as const,