feat(activitiypub): enable HTTP signatures on all ActivityPub endpoints (#7035)

- Set the right keyID and use the right signing keys for outgoing requests. - Verify the HTTP signature of all incoming requests, except for the server actor. - Caches keys of incoming requests for users and servers actors. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7035 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: famfo <famfo@famfo.xyz> Co-committed-by: famfo <famfo@famfo.xyz>
2025-06-17 11:59:30 +00:00 · 2025-04-03 15:24:15 +00:00 · 2025-04-03 15:24:15 +00:00 · 77b0275572
commit 77b0275572
parent ba5b157f7e
22 changed files with 681 additions and 122 deletions
--- a/models/forgefed/federationhost.go
+++ b/models/forgefed/federationhost.go
@ -4,6 +4,7 @@
 package forgefed

 import (
+	"database/sql"
 	"fmt"
 	"strings"
 	"time"
@ -15,12 +16,14 @@ import (
 // FederationHost data type
 // swagger:model
 type FederationHost struct {
-	ID             int64              `xorm:"pk autoincr"`
-	HostFqdn       string             `xorm:"host_fqdn UNIQUE INDEX VARCHAR(255) NOT NULL"`
-	NodeInfo       NodeInfo           `xorm:"extends NOT NULL"`
-	LatestActivity time.Time          `xorm:"NOT NULL"`
-	Created        timeutil.TimeStamp `xorm:"created"`
-	Updated        timeutil.TimeStamp `xorm:"updated"`
+	ID             int64                  `xorm:"pk autoincr"`
+	HostFqdn       string                 `xorm:"host_fqdn UNIQUE INDEX VARCHAR(255) NOT NULL"`
+	NodeInfo       NodeInfo               `xorm:"extends NOT NULL"`
+	LatestActivity time.Time              `xorm:"NOT NULL"`
+	Created        timeutil.TimeStamp     `xorm:"created"`
+	Updated        timeutil.TimeStamp     `xorm:"updated"`
+	KeyID          sql.NullString         `xorm:"key_id UNIQUE"`
+	PublicKey      sql.Null[sql.RawBytes] `xorm:"BLOB"`
 }

 // Factory function for FederationHost. Created struct is asserted to be valid.
--- a/models/forgefed/federationhost_repository.go
+++ b/models/forgefed/federationhost_repository.go
@ -30,9 +30,9 @@ func GetFederationHost(ctx context.Context, ID int64) (*FederationHost, error) {
 	return host, nil
 }

-func FindFederationHostByFqdn(ctx context.Context, fqdn string) (*FederationHost, error) {
+func findFederationHostFromDB(ctx context.Context, searchKey, searchValue string) (*FederationHost, error) {
 	host := new(FederationHost)
-	has, err := db.GetEngine(ctx).Where("host_fqdn=?", strings.ToLower(fqdn)).Get(host)
+	has, err := db.GetEngine(ctx).Where(searchKey, searchValue).Get(host)
 	if err != nil {
 		return nil, err
 	} else if !has {
@ -44,6 +44,14 @@ func FindFederationHostByFqdn(ctx context.Context, fqdn string) (*FederationHost
 	return host, nil
 }

+func FindFederationHostByFqdn(ctx context.Context, fqdn string) (*FederationHost, error) {
+	return findFederationHostFromDB(ctx, "host_fqdn=?", strings.ToLower(fqdn))
+}
+
+func FindFederationHostByKeyID(ctx context.Context, keyID string) (*FederationHost, error) {
+	return findFederationHostFromDB(ctx, "key_id=?", keyID)
+}
+
 func CreateFederationHost(ctx context.Context, host *FederationHost) error {
 	if res, err := validation.IsValid(host); !res {
 		return err